142 lines
4.7 KiB
Nix
142 lines
4.7 KiB
Nix
{ config, pkgs, lib, ... }:
|
||
|
||
let
|
||
mainCfg = config.nasp;
|
||
hostName = ("g" + (builtins.toString mainCfg.serial));
|
||
ipSuffix = (builtins.toString (mainCfg.serial + 100))
|
||
in
|
||
{
|
||
options.nasp = {
|
||
serial = lib.mkOption {
|
||
type = lib.types.int;
|
||
description = "Serial of the machine (gX)";
|
||
};
|
||
};
|
||
|
||
# inplementation
|
||
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
||
nix.settings.substituters = [ "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store" ];
|
||
## system config
|
||
boot.loader.systemd-boot.enable = true;
|
||
boot.loader.efi.canTouchEfiVariables = true;
|
||
time.hardwareClockInLocalTime = true;
|
||
networking.hostName = assert (mainCfg.serial > 0); hostName;
|
||
networking.search = [ "nasp" ];
|
||
i18n.defaultLocale = "C.UTF-8";
|
||
i18n.extraLocaleSettings = lib.mkDefault {
|
||
LC_ADDRESS = "zh_CN.UTF-8";
|
||
LC_IDENTIFICATION = "zh_CN.UTF-8";
|
||
LC_MEASUREMENT = "zh_CN.UTF-8";
|
||
LC_MONETARY = "zh_CN.UTF-8";
|
||
LC_NAME = "zh_CN.UTF-8";
|
||
LC_NUMERIC = "zh_CN.UTF-8";
|
||
LC_PAPER = "zh_CN.UTF-8";
|
||
LC_TELEPHONE = "zh_CN.UTF-8";
|
||
LC_TIME = "zh_CN.UTF-8";
|
||
};
|
||
time.timeZone = lib.mkDefault "Asia/Shanghai";
|
||
## networking
|
||
networking.networkmanager.enable = true;
|
||
networking.interfaces = {
|
||
eno1.wakeOnLan.enable = true;
|
||
eno1.ipv4 = {
|
||
addresses = [
|
||
{
|
||
address = "192.168.16.${ipSuffix}";
|
||
prefixLength = 24;
|
||
}
|
||
];
|
||
routes = [
|
||
{
|
||
address = "0.0.0.0";
|
||
prefixLength = 0;
|
||
via = "192.168.16.118";
|
||
metric = 10;
|
||
}
|
||
];
|
||
};
|
||
enp2s0np0.ipv4.addresses = [
|
||
{
|
||
address = "12.12.12.${ipSuffix}";
|
||
prefixLength = 24;
|
||
}
|
||
];
|
||
};
|
||
networking.firewall = {
|
||
allowedTCPPorts = [ 12022 ];
|
||
extraCommands = ''
|
||
iptables -A INPUT -s 192.168.16.0/24 -j ACCEPT
|
||
iptables -A INPUT -s 12.12.12.0/24 -j ACCEPT
|
||
'';
|
||
};
|
||
## packages and services
|
||
nixpkgs.config.allowUnfree = true;
|
||
environment.systemPackages = with pkgs; [
|
||
bash cmake curl file fzf gcc git gnumake htop inetutils iproute2 iputils less man nettools
|
||
openssh openssl python3 sops sudo tmux util-linux vim wget zsh
|
||
# extended
|
||
acpi atop btop dialog dig dmidecode dos2unix ethtool fish iftop iotop killall lshw lsof
|
||
mtr netcat-gnu nethogs nmap pciutils plocate pstree pwgen ripgrep smartmontools socat
|
||
sysstat tcpdump unzip usbutils virt-what zip
|
||
# full
|
||
wireshark zmap
|
||
];
|
||
programs.zsh.enable = true;
|
||
services.cron.enable = true;
|
||
## user config
|
||
users.users.root.shell = pkgs.zsh;
|
||
## dotfiles.cn
|
||
system.activationScripts.dotfilesSetup.text = ''
|
||
if [ -d ~ -a ! -e ~/dotfiles/update.sh ]; then
|
||
source ${config.system.build.setEnvironment}
|
||
rm -rf ~/dotfiles
|
||
bash <(curl -fsSL dotfiles.cn)
|
||
fi
|
||
'';
|
||
## server
|
||
services.openssh.enable = true;
|
||
services.openssh.settings.PermitRootLogin = "prohibit-password";
|
||
services.openssh.authorizedKeysFiles = [ ".ssh/authorized_keys2" ];
|
||
services.openssh.ports = [ 12022 ];
|
||
systemd.targets.sleep.enable = false;
|
||
systemd.targets.suspend.enable = false;
|
||
systemd.targets.hibernate.enable = false;
|
||
systemd.targets.hybrid-sleep.enable = false;
|
||
## docker
|
||
virtualisation.docker = {
|
||
enable = true;
|
||
daemon.settings = {
|
||
ipv6 = true;
|
||
fixed-cidr-v6 = "fddd:d0c1:1::/64";
|
||
experimental = true;
|
||
ip6tables = true;
|
||
live-restore = false;
|
||
};
|
||
};
|
||
## users
|
||
users.mutableUsers = true;
|
||
users.users.root.openssh.authorizedKeys.keys = [
|
||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUN7IXF4nlFcVfgHesgik3LIAiXlVMYJPm3yD13EVarQx5jqdBgk8Dwgkgf4rPO6MFpvIpinOyEO8zOS6HHQrCLZUv5yTFaDkUuB7eQ0EmpicGbmk9bHqj1HkOZxaobkpEfQUmFKYvkp4EexVw66sO0qfXvjHZ4H6yCAJLK5aUnKfgrE8tODzP82sU/mpJjW+Pq3uanNq754gaHwhxCIXG143/zp8qzBAeKe38xVqqDq9fTkG4hvzFvkRdS88i6l1z++0P3n0HGdOjtSg7P7fO7+7ZyPYr0gO5vB720Om/zxqPrGd9cicWi4P+aVKa+0ujWH/pqufWG6uCjKWHnBs7 sk0/piv/9a"
|
||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHLYgVj+NPino6sOmahULN7SbAMaVAgzqPfDjz2S8zDv pc1/windows"
|
||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhS4voo3K/Dvzqckr0bouO1WkCI5XxswstHWnuuyKBz ltp1-bd"
|
||
];
|
||
users.users.nasp = {
|
||
isNormalUser = true;
|
||
createHome = true;
|
||
group = "nasp";
|
||
extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
|
||
packages = with pkgs; [
|
||
firefox
|
||
];
|
||
hashedPassword = "$y$j9T$Ei67I7VhQD6gF20/lNBUx0$jnrLqLNSJVCS959deKCamoOi4Q76nNeQ7/kDQCCABl1";
|
||
};
|
||
security.sudo.extraConfig = ''
|
||
%nasp ALL = (root) NOPASSWD: /usr/bin/docker
|
||
%nasp ALL = (root) NOPASSWD: /usr/sbin/reboot
|
||
%nasp ALL = (root) NOPASSWD: /usr/bin/whoami
|
||
%nasp ALL = (root) NOPASSWD: /usr/bin/nvidia-smi
|
||
%nasp ALL = (root) NOPASSWD: /usr/sbin/shutdown
|
||
%nasp ALL = (root) NOPASSWD: /usr/sbin/ufw
|
||
%nasp ALL = (root) NOPASSWD: /usr/sbin/ip
|
||
'';
|
||
} |