NASP/NixOS-Config
34
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
8d34332a72
NixOS-Config/hosts/modules/nasp.nix
Dict Xiong 8d34332a72 feat(g2): init (exp)
2024-05-27 20:26:17 +08:00

142 lines
4.7 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{ config, pkgs, lib, ... }:
let
mainCfg = config.nasp;
hostName = ("g" + (builtins.toString mainCfg.serial));
ipSuffix = (builtins.toString (mainCfg.serial + 100))
in
{
options.nasp = {
serial = lib.mkOption {
type = lib.types.int;
description = "Serial of the machine (gX)";
};
};
# inplementation
nix.settings.experimental-features = [ "nix-command" "flakes" ];
nix.settings.substituters = [ "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store" ];
## system config
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
time.hardwareClockInLocalTime = true;
networking.hostName = assert (mainCfg.serial > 0); hostName;
networking.search = [ "nasp" ];
i18n.defaultLocale = "C.UTF-8";
i18n.extraLocaleSettings = lib.mkDefault {
LC_ADDRESS = "zh_CN.UTF-8";
LC_IDENTIFICATION = "zh_CN.UTF-8";
LC_MEASUREMENT = "zh_CN.UTF-8";
LC_MONETARY = "zh_CN.UTF-8";
LC_NAME = "zh_CN.UTF-8";
LC_NUMERIC = "zh_CN.UTF-8";
LC_PAPER = "zh_CN.UTF-8";
LC_TELEPHONE = "zh_CN.UTF-8";
LC_TIME = "zh_CN.UTF-8";
};
time.timeZone = lib.mkDefault "Asia/Shanghai";
## networking
networking.networkmanager.enable = true;
networking.interfaces = {
eno1.wakeOnLan.enable = true;
eno1.ipv4 = {
addresses = [
{
address = "192.168.16.${ipSuffix}";
prefixLength = 24;
}
];
routes = [
{
address = "0.0.0.0";
prefixLength = 0;
via = "192.168.16.118";
metric = 10;
}
];
};
enp2s0np0.ipv4.addresses = [
{
address = "12.12.12.${ipSuffix}";
prefixLength = 24;
}
];
};
networking.firewall = {
allowedTCPPorts = [ 12022 ];
extraCommands = ''
iptables -A INPUT -s 192.168.16.0/24 -j ACCEPT
iptables -A INPUT -s 12.12.12.0/24 -j ACCEPT
'';
};
## packages and services
nixpkgs.config.allowUnfree = true;
environment.systemPackages = with pkgs; [
bash cmake curl file fzf gcc git gnumake htop inetutils iproute2 iputils less man nettools
openssh openssl python3 sops sudo tmux util-linux vim wget zsh
# extended
acpi atop btop dialog dig dmidecode dos2unix ethtool fish iftop iotop killall lshw lsof
mtr netcat-gnu nethogs nmap pciutils plocate pstree pwgen ripgrep smartmontools socat
sysstat tcpdump unzip usbutils virt-what zip
# full
wireshark zmap
];
programs.zsh.enable = true;
services.cron.enable = true;
## user config
users.users.root.shell = pkgs.zsh;
## dotfiles.cn
system.activationScripts.dotfilesSetup.text = ''
if [ -d ~ -a ! -e ~/dotfiles/update.sh ]; then
source ${config.system.build.setEnvironment}
rm -rf ~/dotfiles
bash <(curl -fsSL dotfiles.cn)
fi
'';
## server
services.openssh.enable = true;
services.openssh.settings.PermitRootLogin = "prohibit-password";
services.openssh.authorizedKeysFiles = [ ".ssh/authorized_keys2" ];
services.openssh.ports = [ 12022 ];
systemd.targets.sleep.enable = false;
systemd.targets.suspend.enable = false;
systemd.targets.hibernate.enable = false;
systemd.targets.hybrid-sleep.enable = false;
## docker
virtualisation.docker = {
enable = true;
daemon.settings = {
ipv6 = true;
fixed-cidr-v6 = "fddd:d0c1:1::/64";
experimental = true;
ip6tables = true;
live-restore = false;
};
};
## users
users.mutableUsers = true;
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUN7IXF4nlFcVfgHesgik3LIAiXlVMYJPm3yD13EVarQx5jqdBgk8Dwgkgf4rPO6MFpvIpinOyEO8zOS6HHQrCLZUv5yTFaDkUuB7eQ0EmpicGbmk9bHqj1HkOZxaobkpEfQUmFKYvkp4EexVw66sO0qfXvjHZ4H6yCAJLK5aUnKfgrE8tODzP82sU/mpJjW+Pq3uanNq754gaHwhxCIXG143/zp8qzBAeKe38xVqqDq9fTkG4hvzFvkRdS88i6l1z++0P3n0HGdOjtSg7P7fO7+7ZyPYr0gO5vB720Om/zxqPrGd9cicWi4P+aVKa+0ujWH/pqufWG6uCjKWHnBs7 sk0/piv/9a"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHLYgVj+NPino6sOmahULN7SbAMaVAgzqPfDjz2S8zDv pc1/windows"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhS4voo3K/Dvzqckr0bouO1WkCI5XxswstHWnuuyKBz ltp1-bd"
];
users.users.nasp = {
isNormalUser = true;
createHome = true;
group = "nasp";
extraGroups = [ "wheel" ]; # Enable sudo for the user.
packages = with pkgs; [
firefox
];
hashedPassword = "$y$j9T$Ei67I7VhQD6gF20/lNBUx0$jnrLqLNSJVCS959deKCamoOi4Q76nNeQ7/kDQCCABl1";
};
security.sudo.extraConfig = ''
%nasp ALL = (root) NOPASSWD: /usr/bin/docker
%nasp ALL = (root) NOPASSWD: /usr/sbin/reboot
%nasp ALL = (root) NOPASSWD: /usr/bin/whoami
%nasp ALL = (root) NOPASSWD: /usr/bin/nvidia-smi
%nasp ALL = (root) NOPASSWD: /usr/sbin/shutdown
%nasp ALL = (root) NOPASSWD: /usr/sbin/ufw
%nasp ALL = (root) NOPASSWD: /usr/sbin/ip
'';
}
Reference in New Issue View Git Blame Copy Permalink