From c20fd46f9f6c3c4e4639ff79f1b4be2d5cfb984a Mon Sep 17 00:00:00 2001
From: "matthew.binning"
Date: Tue, 10 Feb 2026 06:10:33 -0800
Subject: [PATCH] feat: Get ROCm working with flake
---
 .gitignore | 3 +++
 configuration.nix | 7 ++++---
 crossbox.nix | 30 ++++++++++++++++++++++++++++--
 flake.nix | 23 +++++++++++++++++++++++
 nginx.nix | 27 ++++++++++----------------
 ollama.nix | 8 +++++---
 6 files changed, 73 insertions(+), 25 deletions(-)
 create mode 100644 flake.nix
diff --git a/.gitignore b/.gitignore
index 3cb44c3..15d854b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,3 +6,6 @@ result-*
 # Ignore automatically generated direnv output
 .direnv
+hardware-configuration.nix
+comfy-ui.nix
+*.bak
diff --git a/configuration.nix b/configuration.nix
index e2d4062..12c0dab 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -2,7 +2,8 @@ let
 hostConfigs = {
- crossbox = [ ./crossbox.nix ./sdr.nix ./syncthing.nix ./forgejo.nix ./radicale.nix ./ollama.nix ./docuseal.nix ./nginx.nix ];
+ crossbox = [ ./crossbox.nix ./sdr.nix ./syncthing.nix ./forgejo.nix ./radicale.nix ./ollama.nix #./docuseal.nix
+ ./nginx.nix ];
 anvil = [ ./anvil.nix ./sdr.nix ./vpn.nix ./syncthing.nix ./staging.nginx.nix ];
 };
 in
@@ -10,7 +11,7 @@ in
 imports = [
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
- ] ++ hostConfigs.anvil;
+ ] ++ hostConfigs.crossbox;
 nix.settings.experimental-features = [ "nix-command" "flakes" ];
 nix.gc = {
@@ -208,4 +209,4 @@ in
 systemd.targets.suspend.enable = false;
 systemd.targets.hibernate.enable = false;
 systemd.targets.hybrid-sleep.enable = false;
-}
\ No newline at end of file
+}
diff --git a/crossbox.nix b/crossbox.nix
index 952e216..02d8592 100644
--- a/crossbox.nix
+++ b/crossbox.nix
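Review bot: `hardware-configuration.nix` is added to the ignore list while configuration.nix in this same patch still imports `./hardware-configuration.nix` and the new flake.nix evaluates this directory as a flake; a flake only sees files tracked by git, so unless that file was already committed before this rule was added, `nixos-rebuild --flake` will fail with a missing-path error for it (the same applies to `comfy-ui.nix` if any host list references it). Nothing in a generated hardware scan normally looks like a secret, so the simpler option is to keep it tracked; if it must stay untracked, the host needs another way to receive it. A short comment above the three new entries saying why they are kept out of the flake source, e.g. `# per-host files kept out of git; the flake cannot see them — see configuration.nix imports`, would prevent the next reader from hitting the same trap.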
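Review bot: The inline `#./docuseal.nix` comment in the `crossbox` list swallows the rest of its line, which is why `./nginx.nix ];` had to be pushed onto a new line; someone skimming the list can easily read nginx as part of the disabled entry. Keep the list on one line and note the disabled module separately: `crossbox = [ ./crossbox.nix ./sdr.nix ./syncthing.nix ./forgejo.nix ./radicale.nix ./ollama.nix ./nginx.nix ]; # ./docuseal.nix disabled`. A one-word reason for disabling docuseal (broken build, no longer needed) next to it would save a future archaeology trip.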
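Review bot: `] ++ hostConfigs.crossbox;` hard-codes the host selection in a file that is shared by both hosts, so switching to `anvil` now means editing configuration.nix, and the commit history will keep flip-flopping this line. Since the new flake.nix declares `nixosConfigurations.crossbox`, the host name could be passed in from the flake (for example through `specialArgs`) and this line become `] ++ hostConfigs.${hostName};`, leaving configuration.nix host-neutral. That also makes it possible to add an `anvil` entry to the flake later without touching this file.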
@@ -1,9 +1,24 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
+let
+ # Using nixos-24.05 for bisq-desktop (last stable release with working bisq-desktop)
+ # bisq-desktop was removed after 24.05 due to OpenJFX EOL issues
+ bisqPkgs = import (builtins.fetchTarball {
+ url = "https://github.com/NixOS/nixpkgs/archive/nixos-24.05.tar.gz";
+ sha256 = "0zydsqiaz8qi4zd63zsb2gij2p614cgkcaisnk11wjy3nmiq0x1s";
+ }) { system = pkgs.system; };
+in
 {
+ environment.systemPackages = with pkgs; [
+ bisqPkgs.bisq-desktop # v1.9.15-1.9.17 from nixos-24.05
+ bisq2
+ llamacpp-rocm-bin-gfx1151
+ lmstudio
+ ];
+
 networking.hostName = "crossbox";
 system.stateVersion = "25.11";
- networking.firewall.allowedTCPPorts = [ 22 ];
+ networking.firewall.allowedTCPPorts = [ 22 1234 ];
 services.pulseaudio.enable = false;
 hardware.graphics = {
@@ -16,6 +31,17 @@
 ];
 };
+ boot.kernelParams = [ "amdgpu.gttsize=115200" ];
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+
+ # ROCm environment for gfx1151 (Strix Halo)
+ # gfx1151 lacks TensileLibrary support in most ROCm builds,
+ # so we override to gfx1100 which is close enough and has full library support.
+ # The strix-halo overlay's llamacpp binaries override this with 11.5.1 in their wrappers.
+ environment.variables = {
+ HSA_OVERRIDE_GFX_VERSION = "11.0.0";
+ };
+
 # List services that you want to enable:
 services.openssh = {
 enable = true;
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..44638eb
--- /dev/null
+++ b/flake.nix
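Review bot: The pinned `nixos-24.05` tarball pulls an end-of-life nixpkgs channel into the system closure for `bisq-desktop`; the comment says why it is needed but not that the JDK/OpenJFX runtime it brings along will receive no further security fixes, which matters for a wallet application that talks to the network. Please record that accepted risk next to the pin, e.g. `# SECURITY: 24.05 is EOL — bisq-desktop and its Java runtime get no updates from this channel; revisit when a maintained package exists`. Separately, `networking.firewall.allowedTCPPorts = [ 22 1234 ]` opens a new port with no comment on which service listens there (presumably one of the local LLM servers added above); name it in a comment and, if it only needs to be reachable on the LAN, prefer `networking.firewall.interfaces.<name>.allowedTCPPorts` over opening it on every interface, since nothing in this patch puts authentication in front of it.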
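Review bot: `boot.kernelParams = [ "amdgpu.gttsize=115200" ]` gives no hint what the number means or which unit the driver expects, while the ROCm block directly below is well explained; a comment like `# raise the amdgpu GTT limit so the iGPU can map most of system RAM for LLM inference — value in the unit documented for the amdgpu module parameter` would put them on equal footing. Two more things worth a line each: `environment.variables.HSA_OVERRIDE_GFX_VERSION` is global, so it affects every ROCm program in every user session and not only the llama.cpp wrappers the comment mentions, and `pkgs.linuxPackages_latest` moves the host off the default kernel onto one that changes with every channel bump — stating the reason (Strix Halo support in amdgpu, presumably) tells a future reader when it is safe to drop it.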
@@ -0,0 +1,23 @@
+# /etc/nixos/flake.nix
+{
+ description = "Framework Desktop with Strix Halo";
+
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+ strix-halo.url = "github:hellas-ai/nix-strix-halo";
+ };
+
+ outputs = { self, nixpkgs, strix-halo, ... }: {
+ nixosConfigurations.crossbox = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ ./configuration.nix
+
+ ({ pkgs, ... }: {
+ # Apply Strix Halo overlay
+ nixpkgs.overlays = [ strix-halo.overlays.default ];
+ })
+ ];
+ };
+ };
+}
\ No newline at end of file
diff --git a/nginx.nix b/nginx.nix
index 58f2af7..cb13132 100644
--- a/nginx.nix
+++ b/nginx.nix
@@ -1,21 +1,10 @@
 { config, pkgs, lib, ... }:
 let
- # Read multiple API keys from the secrets file at build time
- # Note: This embeds the secrets in the Nix store, which is a trade-off
- # Alternative: Keep secrets file and read via njs module or external auth service
- secretsFile = "/srv/nginx/secrets";
-
- # Read API keys from file (one key per line, will be evaluated at build time)
- # If the file doesn't exist yet, this will fail - create it first
- apiKeysRaw = builtins.readFile secretsFile;
- apiKeys = lib.filter (k: k != "") (lib.splitString "\n" apiKeysRaw);
-
- # Generate map entries for each key
- mapEntries = lib.concatMapStringsSep "\n "
- (key: ''"Bearer ${key}" "authorized";'')
- apiKeys;
-
+ # NOTE: API keys will be loaded from /srv/nginx/secrets at runtime
+ # This file should contain one Bearer token per line
+ # The secrets file is read at runtime via include directive instead of build time
+ # to avoid flake purity issues
 in
 {
 services.nginx = {
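Review bot: The commit adds flake.nix but no flake.lock, and the `.gitignore` change in this same patch does not exclude one, so the lock file is simply missing; until it is committed, `nixpkgs` (tracking `nixos-unstable`) and `strix-halo` resolve to whatever those branches point at when the flake is evaluated, which defeats the reproducibility the flake is meant to provide and makes the host's contents depend on an unpinned third-party repository. Commit the generated flake.lock and review its diff on every update. `strix-halo.overlays.default` is also applied to the whole package set, so that overlay can replace any package on the system, not only the ROCm/llama.cpp binaries; if the flake exposes those as individual outputs, referencing just the packages you use narrows the trust extended to that repo. A comment at the overlay line naming the attributes it is expected to provide (`llamacpp-rocm-bin-gfx1151` is the one visible in crossbox.nix) would make later audits of the closure easier.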
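Review bot: The replacement comment describes a mechanism that this patch does not actually configure, and it disagrees with the second nginx hunk: here the keys live in `/srv/nginx/secrets` as "one Bearer token per line", while the map block in the next hunk names `/srv/nginx/secrets.map` in nginx `map` syntax (`"Bearer TOKEN" "authorized";`) and leaves the `include` commented out. nginx cannot consume a one-token-per-line file inside a `map`, so only the `.map` form can work; make this header say so, e.g. `# API keys are read by nginx at runtime from /srv/nginx/secrets.map (nginx map syntax: "Bearer TOKEN" "authorized";) — see appendHttpConfig below`. The removed text carried one point worth keeping: `builtins.readFile` embedded the keys in the world-readable Nix store, whereas a runtime file can be root-owned mode 0600 because the nginx master process reads its configuration before dropping privileges — that is the security reason for the change, not only flake purity. With the build-time read gone, `lib` looks unused in this file's argument set.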
@@ -31,12 +20,16 @@ in
 mapHashBucketSize = 128;
 # Map directive to check Authorization header against multiple keys
+ # Keys are loaded from /srv/nginx/secrets.map at runtime
 appendHttpConfig = ''
 # Check if the Authorization header matches any expected value
 map $http_authorization $auth_status {
 default "unauthorized";
 "" "no_auth";
- ${mapEntries}
+ # Add your Bearer tokens here manually, or use include directive
+ # Format: "Bearer YOUR_TOKEN_HERE" "authorized";
+ # You can also create /srv/nginx/secrets.map and include it:
+ # include /srv/nginx/secrets.map;
 }
 '';
@@ -66,7 +59,7 @@ in
 locations."/blog/private/" = {
 extraConfig = ''
 auth_basic "Private Articles";
- auth_basic_user_file /srv/nginx/.htpasswd;
+ auth_basic_user_file "/srv/nginx/.htpasswd";
 # Enable Server Side Includes
 ssi on;
diff --git a/ollama.nix b/ollama.nix
index 9f40eee..dc561e3 100644
--- a/ollama.nix
+++ b/ollama.nix
@@ -16,7 +16,9 @@
 ];
 # Add CA certificate for Ollama
- security.pki.certificateFiles = [
- /home/brimlock/ollama-ca.crt
- ];
+ # Note: Path must be accessible at runtime, not build time
+ # You can copy the cert to /etc/nixos/ and reference it, or use a string path
+ # security.pki.certificateFiles = [
+ # "/home/brimlock/ollama-ca.crt"
+ # ];
 }
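Review bot: With `${mapEntries}` removed and the `include` left as a comment, the map now yields `"unauthorized"` for every Authorization header, so whatever consumes `$auth_status` outside this hunk will reject all API clients (fail-closed, but broken) until someone edits the generated config by hand. Make the include real and treat the file as a deployment artefact: `include /srv/nginx/secrets.map;` inside the map, the file root-owned with mode 0600, and its lines in the form `"Bearer TOKEN" "authorized";`. One caveat to verify before relying on this: if the NixOS nginx module validates the generated configuration inside the build sandbox, an absolute `include` of a runtime path fails there, in which case the keys would have to arrive through a different mechanism such as an `auth_request` endpoint or a file that exists at validation time. Then `# Keys are loaded from /srv/nginx/secrets.map at runtime` should be the only place the path is spelled out, so it cannot drift from the directive.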
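Review bot: Commenting out `security.pki.certificateFiles` silently drops the Ollama CA from the system trust store, so any TLS connection that relied on it will now fail verification, and the new comment points in the wrong direction: as far as I know the NixOS module assembles the CA bundle in a derivation, so a string path into `/home` is no more readable in the build sandbox than the path literal was, and the actual problem is that a path outside the flake's git tree is invisible to pure evaluation. A CA certificate is public, so the straightforward fix is to commit it next to this module and restore the option with `./ollama-ca.crt` instead of leaving it disabled. The enclosing module starts outside this hunk. If the certificate must stay out of the repo, say so in the comment and name the out-of-band step that installs it, so nobody later "fixes" a verification failure by turning off certificate checks on the client side.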