commit a7903ded49b11fb04baddfd873fbe085cf27f95f Author: Sense T Date: Mon Sep 25 00:15:15 2023 +0000 init
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..dde5244
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,25 @@
+############################################################################
+#
+# Nix commands related to the local machine
+#
+############################################################################
+
+deploy:
+ nixos-rebuild switch --flake '.#default' --use-remote-sudo
+
+debug:
+ nixos-rebuild switch --flake '.#default' --use-remote-sudo --show-trace --verbose
+
+update:
+ nix flake update
+
+history:
+ nix profile history --profile /nix/var/nix/profiles/system
+
+gc:
+ # remove all generations older than 7 days
+ sudo nix profile wipe-history --profile /nix/var/nix/profiles/system --older-than 3d
+
+ # garbage collect all unused nix store entries
+ sudo nix store gc --debug
+ nix-collect-garbage -d
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..7265be8
--- /dev/null
+++ b/README.md
@@ -0,0 +1,9 @@
+# NUC-Configurations
+
+NUC 配置
+
+## 构建
+
+```bash
+nixos-rebuild switch --flake 'git+https://git.sense-t.eu.org/NixOS/nuc-configurations#default'
+```
diff --git a/configuration.nix b/configuration.nix
new file mode 100644
index 0000000..2880151
--- /dev/null
+++ b/configuration.nix
@@ -0,0 +1,16 @@
+# NixOS configurations file.
+{ config, pkgs, lib, ... }: {
+ system.stateVersion = "23.05";
+ imports = [
+ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+
+ # User custom configurations.
+ ./global
+ ];
+
+ system.autoUpgrade = {
+ enable = true;
+ flake = "git+https://git.sense-t.eu.org/NixOS/gpd-configurations#gpd";
+ };
+}
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..b887ccc
--- /dev/null
+++ b/flake.lock
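Review bot: The `gc` target's comment says generations older than 7 days are removed, but the command passes `--older-than 3d`; pick one window and make the comment match, e.g. `# remove all generations older than 3 days`. The same retention is declared a third way in global/system-configuration.nix (`nix.gc.options = "--delete-older-than 1w"`), so a reader cannot tell which value is intended; one place should own it. `deploy` and `debug` escalate through `--use-remote-sudo` while `gc` calls `sudo` directly; a single convention for privilege escalation makes the Makefile easier to audit.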
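Review bot: `system.autoUpgrade.flake` points at `git+https://git.sense-t.eu.org/NixOS/gpd-configurations#gpd`, while the README and Makefile build this host from `nuc-configurations#default`; unless that is intentional, the upgrade timer will rebuild this machine from another machine's configuration, and the line should read `flake = "git+https://git.sense-t.eu.org/NixOS/nuc-configurations#default";`. Either way the reference is an unpinned branch, so whoever can push to that repository controls what this host activates as root at the next timer run; a short comment stating that this trust boundary is accepted, or pinning to a reviewed revision, would make the decision explicit. `config`, `pkgs` and `lib` are bound in the module arguments but unused here.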
@@ -0,0 +1,58 @@
+{
+ "nodes": {
+ "impermanence": {
+ "locked": {
+ "lastModified": 1694622745,
+ "narHash": "sha256-z397+eDhKx9c2qNafL1xv75lC0Q4nOaFlhaU1TINqb8=",
+ "owner": "nix-community",
+ "repo": "impermanence",
+ "rev": "e9643d08d0d193a2e074a19d4d90c67a874d932e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "impermanence",
+ "type": "github"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1694937365,
+ "narHash": "sha256-iHZSGrb9gVpZRR4B2ishUN/1LRKWtSHZNO37C8z1SmA=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "5d017a8822e0907fb96f7700a319f9fe2434de02",
+ "type": "github"
+ },
+ "original": {
+ "id": "nixpkgs",
+ "ref": "nixos-23.05",
+ "type": "indirect"
+ }
+ },
+ "nixpkgs-unstable": {
+ "locked": {
+ "lastModified": 1695145219,
+ "narHash": "sha256-Eoe9IHbvmo5wEDeJXKFOpKUwxYJIOxKUesounVccNYk=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "5ba549eafcf3e33405e5f66decd1a72356632b96",
+ "type": "github"
+ },
+ "original": {
+ "id": "nixpkgs",
+ "ref": "nixos-unstable",
+ "type": "indirect"
+ }
+ },
+ "root": {
+ "inputs": {
+ "impermanence": "impermanence",
+ "nixpkgs": "nixpkgs",
+ "nixpkgs-unstable": "nixpkgs-unstable"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..2592bb6
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,52 @@
+{
+ description = "NixOS configuration for NUC";
+
+ nixConfig = rec {
+ auto-optimise-store = true;
+ experimental-features = [ "nix-command" "flakes" ];
+ trusted-substituters = [
+ "https://mirrors.ustc.edu.cn/nix-channels/store" # 中科大
+ "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store" # 清华
+ "https://mirrors.bfsu.edu.cn/nix-channels/store" # 北外
+ "https://mirror.sjtu.edu.cn/nix-channels/store" # 交大
+ "https://nixos-cn.cachix.org"
+ "https://cache.nixos.org/"
+ ];
+ substituters = trusted-substituters;
+
+ trusted-users = [
+ "login"
+ "root"
+ "@wheel"
+ ];
+ };
+
+ inputs = {
+ nixpkgs.url = "nixpkgs/nixos-23.05";
+ nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
+ impermanence.url = "github:nix-community/impermanence";
+ };
+
+ outputs = { self, nixpkgs, impermanence, nixpkgs-unstable, ... }: {
+ nixosConfigurations.default = nixpkgs.lib.nixosSystem rec {
+ system = "x86_64-linux";
+
+ specialArgs = {
+ pkgs = import nixpkgs {
+ system = system;
+ config.allowUnfree = true;
+ };
+
+ pkgs-unstable = import nixpkgs-unstable {
+ system = system;
+ config.allowUnfree = true;
+ };
+ };
+
+ modules = [
+ ./configuration.nix
+ impermanence.nixosModules.impermanence
+ ];
+ };
+ };
+}
diff --git a/global/default.nix b/global/default.nix
new file mode 100644
index 0000000..d8bee6f
--- /dev/null
+++ b/global/default.nix
@@ -0,0 +1,8 @@
+{
+ imports = [
+ ./system-configuration.nix
+ ./software-configuration.nix
+ ./user-configuration.nix
+ ./stateless-configuration.nix
+ ];
+}
diff --git a/global/software-configuration.nix b/global/software-configuration.nix
new file mode 100644
index 0000000..ee94218
--- /dev/null
+++ b/global/software-configuration.nix
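Review bot: `nixConfig.trusted-users` lists `login`, `root` and `@wheel`; a trusted user of the nix daemon can add substituters and public keys and import unsigned store paths, which is effectively root, so this grant is not constrained by `security.sudo.wheelNeedsPassword = true` in global/system-configuration.nix, and `login` appears redundant since global/user-configuration.nix already puts that user in `wheel`. A comment such as `# trusted-users are root-equivalent to the daemon; keep this list minimal` and dropping the duplicate entry would make the choice deliberate; the same `trusted-users` and `substituters` lists are repeated verbatim in global/system-configuration.nix and will drift, so one copy should be the source. `https://nixos-cn.cachix.org` is listed in both places without a matching `trusted-public-keys` entry, so paths signed only by that cache would presumably be rejected as unsigned — confirm which key it signs with and add it, or drop the entry.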
@@ -0,0 +1,94 @@
+{ pkgs, pkgs-unstable, lib, ... }:
+let
+ databases = [
+ "k3s"
+ "gitea"
+ "vaultwarden"
+ "saysthbot"
+ ];
+in
+{
+ # Enable automatic login for the user.
+ services = {
+ logrotate.checkConfig = false;
+ sshd.enable = true;
+
+ ntp = {
+ enable = true;
+ servers = [
+ "ntp.ntsc.ac.cn" # China
+ ];
+ };
+
+ k3s = {
+ enable = true;
+ package = pkgs-unstable.k3s;
+ configPath = "/etc/rancher/k3s/config.yaml";
+ };
+
+ postgresql = {
+ enable = true;
+ package = pkgs.postgresql_14;
+ authentication = ''
+ host all all 10.42.0.0/16 md5
+ host all all fd01::/56 md5
+ '';
+ enableTCPIP = true;
+ ensureDatabases = databases;
+ ensureUsers = [
+ {
+ name = "k3s";
+ ensurePermissions = {
+ "DATABASE k3s" = "ALL PRIVILEGES";
+ };
+ ensureClauses = {
+ login = true;
+ };
+ }
+ {
+ name = "gitea";
+ ensurePermissions = {
+ "DATABASE gitea" = "ALL PRIVILEGES";
+ };
+ ensureClauses = {
+ login = true;
+ };
+ }
+ {
+ name = "vaultwarden";
+ ensurePermissions = {
+ "DATABASE vaultwarden" = "ALL PRIVILEGES";
+ };
+ ensureClauses = {
+ login = true;
+ };
+ }
+ {
+ name = "saysthbot";
+ ensurePermissions = {
+ "DATABASE saysthbot" = "ALL PRIVILEGES";
+ };
+ ensureClauses = {
+ login = true;
+ };
+ }
+ ];
+ };
+
+ postgresqlBackup = {
+ enable = true;
+ databases = databases;
+ compressionLevel = 9;
+ location = "/backup/postgresql";
+ startAt = "*-*-* 01:15:00";
+ };
+ };
+
+ # List packages installed in system profile. To search, run:
+ # $ nix search wget
+ environment.systemPackages = with pkgs; [
+ nerdctl
+ vim
+ gnumake42
+ ];
+}
diff --git a/global/stateless-configuration.nix b/global/stateless-configuration.nix
new file mode 100644
index 0000000..4af6ad6
--- /dev/null
+++ b/global/stateless-configuration.nix
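Review bot: `services.postgresql.authentication` accepts `md5` for every database and user from `10.42.0.0/16` and `fd01::/56` with `enableTCPIP = true`, and hardware-configuration.nix disables the host firewall, so the pg_hba rule is the only control on that listener; PostgreSQL 14 supports `scram-sha-256`, which should replace `md5` on both `host` lines, together with `settings.password_encryption = "scram-sha-256"` and a re-set of the role passwords, since existing md5 hashes cannot be converted in place. The comment `# Enable automatic login for the user.` above `services` describes nothing in this block and should be replaced with what the block actually configures (sshd, ntp, k3s, postgresql and its backup). `ensureUsers` repeats the same nine-line record for each entry of `databases`; deriving it with `map` keeps the database list and the roles from drifting apart.
```nix
      ensureDatabases = databases;
      ensureUsers = map (db: {
        name = db;
        ensurePermissions = { "DATABASE ${db}" = "ALL PRIVILEGES"; };
        ensureClauses = { login = true; };
      }) databases;
```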
@@ -0,0 +1,42 @@
+{
+ # /nix/persistent 是你实际保存文件的地方
+ environment.persistence."/nix/persistent" = {
+ # 不让这些映射的 mount 出现在文件管理器的侧边栏中
+ hideMounts = true;
+
+ # 你要映射的文件夹
+ directories = [
+ "/etc/rancher"
+ "/root"
+ "/var"
+ ];
+
+ files = [
+ "/etc/machine-id"
+ "/etc/ssh/ssh_host_ed25519_key.pub"
+ "/etc/ssh/ssh_host_ed25519_key"
+ "/etc/ssh/ssh_host_rsa_key.pub"
+ "/etc/ssh/ssh_host_rsa_key"
+ ];
+ };
+
+ environment.variables.NIX_REMOTE = "daemon";
+
+ systemd.services.nix-daemon = {
+ environment = {
+ # 指定临时文件的位置
+ TMPDIR = "/var/cache/nix";
+ };
+ serviceConfig = {
+ # 在 Nix Daemon 启动时自动创建 /var/cache/nix
+ CacheDirectory = "nix";
+ };
+ };
+
+ # Stateless rootfs
+ fileSystems."/" = {
+ device = "tmpfs";
+ fsType = "tmpfs";
+ options = [ "relatime" "mode=755" "nosuid" "nodev" ];
+ };
+}
diff --git a/global/system-configuration.nix b/global/system-configuration.nix
new file mode 100644
index 0000000..f363898
--- /dev/null
+++ b/global/system-configuration.nix
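Review bot: `fileSystems."/"` is a tmpfs with no `size=` option, so anything written outside the persisted paths — notably `/home/login`, which is not in `directories`, and `/tmp` — lives in RAM under the kernel's default cap (half of memory) and is gone at reboot; if an ephemeral home is intended, a comment above `directories` saying so would stop the next reader from "fixing" it, otherwise add `"/home"` to the list and consider a `"size=..."` entry in `options`. The private host keys are persisted by path, which is what keeps the SSH identity stable across boots; a comment noting that `/nix/persistent` therefore holds secrets and must keep restrictive permissions would help whoever later relocates that mount. The comments in this module are in Chinese while the rest of the configuration is commented in English; translating them keeps the tree readable to every maintainer.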
@@ -0,0 +1,63 @@
+{ pkgs, lib, ... }: {
+ time.timeZone = "Asia/Shanghai";
+ security.sudo.wheelNeedsPassword = true;
+
+ /*
+ hardware = {
+ opengl = {
+ enable = true;
+ extraPackages = with pkgs; [
+ mesa.drivers
+ libvdpau-va-gl
+ vaapiVdpau
+ ];
+ };
+ };
+ */
+
+ # Select internationalisation properties.
+ i18n = {
+ defaultLocale = "zh_CN.UTF-8";
+ extraLocaleSettings = {
+ LC_ADDRESS = "zh_CN.UTF-8";
+ LC_IDENTIFICATION = "zh_CN.UTF-8";
+ LC_MEASUREMENT = "zh_CN.UTF-8";
+ LC_MONETARY = "zh_CN.UTF-8";
+ LC_NAME = "zh_CN.UTF-8";
+ LC_NUMERIC = "zh_CN.UTF-8";
+ LC_PAPER = "zh_CN.UTF-8";
+ LC_TELEPHONE = "zh_CN.UTF-8";
+ LC_TIME = "zh_CN.UTF-8";
+ };
+ };
+
+ nix = {
+ settings = {
+ auto-optimise-store = true;
+ experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+
+ substituters = [
+ "https://mirrors.ustc.edu.cn/nix-channels/store" # 中科大
+ "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store" # 清华
+ "https://mirrors.bfsu.edu.cn/nix-channels/store" # 北外
+ "https://mirror.sjtu.edu.cn/nix-channels/store" # 交大
+ "https://nixos-cn.cachix.org"
+ "https://cache.nixos.org/"
+ ];
+
+ trusted-users = [
+ "root"
+ "@wheel"
+ ];
+ };
+
+ gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 1w";
+ };
+ };
+}
diff --git a/global/user-configuration.nix b/global/user-configuration.nix
new file mode 100644
index 0000000..f5870dc
--- /dev/null
+++ b/global/user-configuration.nix
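Review bot: The commented-out `hardware.opengl` block is dead configuration in an initial commit; either drop it or put a one-line reason above the `/*`, e.g. `# opengl left disabled: headless server, kept for reference`, so the next reader knows whether it is pending or abandoned. `pkgs` is bound in the module arguments only for that commented block and `lib` is never used, so the header can shrink to `{ ... }: {` once the block is resolved. `security.sudo.wheelNeedsPassword = true` sits three lines above a `trusted-users` entry for `@wheel` that lets the same group hand the nix daemon unsigned store paths and new substituters; a comment on the `trusted-users` line stating that this is understood to be root-equivalent, or trimming it to `[ "root" ]`, would make the two settings consistent.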
@@ -0,0 +1,25 @@
+{ pkgs, ... }: {
+ users = {
+ mutableUsers = false;
+ users = {
+ login = {
+ isNormalUser = true;
+ description = "Login user";
+ hashedPassword = "$y$j9T$XMNDyrhWt/0Hml8Lp9e/91$PuqtfFbvUUjJgiEE9KNBRziWppEWbAD54j7ydmD0BY8";
+
+ packages = with pkgs; [
+
+ ];
+
+ extraGroups = [
+ "wheel"
+ ];
+
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4D8YhuKaVoVu5f51SwO8FHmIMxytQ1VXzLr4qe1GnQ tonychyi@TonyChyideMacBook-Pro.local"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFpWqnXVD/wC1IyWMNUtvPCnj7NtTfT1GaeKiDYILHIa coder@code-server-7dd77f88fb-5vlbj"
+ ];
+ };
+ };
+ };
+}
diff --git a/hardware-configuration.nix b/hardware-configuration.nix
new file mode 100644
index 0000000..9c9adcd
--- /dev/null
+++ b/hardware-configuration.nix
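Review bot: `hashedPassword` commits the `login` user's yescrypt hash to a repository the README has the host fetch over `git+https`; with `mutableUsers = false` it is the only password source, and a hash in version control is exposed to offline guessing by anyone who can read the repo, so `users.users.login.passwordFile` pointing at a file delivered out of band (or via a secrets tool) is the usual replacement for a wheel account. The second authorized key is labelled `coder@code-server-7dd77f88fb-5vlbj`, which looks like a key generated inside a Kubernetes pod; if that pod is ephemeral nobody owns the private half, so a comment recording who holds it and when it should be rotated would be appropriate — confirm. `packages = with pkgs; [ ];` is empty and `pkgs` is otherwise unused, so both can be removed.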
@@ -0,0 +1,105 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+
+ boot = {
+ kernelModules = [ "kvm-amd" "k10temp" ];
+
+ kernel.sysctl = {
+ "net.ipv6.conf.all.disable_ipv6" = 0;
+ "net.core.default_qdisc"="fq";
+ "net.ipv4.tcp_congestion_control"="bbr";
+ "net.ipv6.conf.all.forwarding"=0;
+ "net.ipv4.conf.all.forwarding"=1;
+ "fs.inotify.max_user_watches"=524288;
+ "kernel.panic"=10;
+ "kernel.nmi_watchdog"=1;
+ };
+
+ initrd = {
+ verbose = false;
+ availableKernelModules = [
+ "xhci_pci"
+ "ahci"
+ "nvme"
+ "usb_storage"
+ "usbhid"
+ "sd_mod"
+ ];
+ };
+
+ loader = {
+ efi.canTouchEfiVariables = true;
+ systemd-boot = {
+ enable = true;
+ configurationLimit = 10;
+ };
+ };
+ };
+
+ fileSystems."/boot" = {
+ #device = "/dev/disk/by-uuid/8665-8D88";
+ device = "/dev/nvme0n1p1";
+ fsType = "vfat";
+ #options = [ "discard" ];
+ };
+
+ fileSystems."/nix" = {
+ device = "/dev/disk/by-uuid/576b6514-6cc0-e049-ba86-6f0158da9687";
+ fsType = "ext4";
+ options = [ "discard" ];
+ };
+
+ fileSystems."/data" = {
+ device = "/dev/disk/by-uuid/400f8c26-4989-4600-81a4-0974be94a0e9";
+ fsType = "ext4";
+ };
+
+ fileSystems."/backup" = {
+ device = "192.168.1.25:/volume1/docker_volumes/backup";
+ fsType = "nfs";
+ options = [ "x-systemd.automount" "noauto" ];
+ };
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ # networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+
+ networking.hostName = "homeserver";
+ networking.firewall.enable = false;
+ networking.nameservers = [
+ "223.5.5.5"
+ "223.6.6.6"
+ "2400:3200::1"
+ "2400:3200:baba::1"
+ ];
+ networking.interfaces.eth0 = {
+ ipv4.addresses = [{
+ address = "192.168.1.42";
+ prefixLength = 24;
+ }];
+ };
+ networking.defaultGateway = {
+ interface = "eth0";
+ address = "192.168.1.1";
+ };
+ networking.defaultGateway6 = {
+ interface = "eth0";
+ address = "fe80::1af2:2cff:fed3:d5a2";
+ };
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ #powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
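Review bot: `hardware.cpu.intel.updateMicrocode` is enabled while `boot.kernelModules` loads `kvm-amd` and `k10temp`, which are AMD modules; on an AMD host the Intel entry does nothing and `hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;` is presumably the intended line — confirm the CPU before switching. `networking.firewall.enable = false` removes the host firewall from a machine that also runs sshd, k3s and PostgreSQL with `enableTCPIP`, so every listening port is reachable from the LAN and the cluster CIDR; if k3s's own rules are the reason, a comment next to the line saying so keeps the next reader from re-enabling it by reflex, otherwise keep the firewall and open only the ports the services need. `fileSystems."/boot".device = "/dev/nvme0n1p1"` replaces the generated by-uuid path that is left commented out, so the mount now depends on device enumeration order; restoring `/dev/disk/by-uuid/8665-8D88` or noting why it was dropped is worth a line. The header still says the file is generated and must not be edited, but the sysctl, NFS and static-network settings are hand-written; either move them under global/ or drop the header so it stops misleading.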