feat: Get ROCm working with flake

.gitignore

@@ -6,3 +6,6 @@ result-*
 # Ignore automatically generated direnv output
 .direnv
 
+hardware-configuration.nix
+comfy-ui.nix
+*.bak

configuration.nix

@@ -2,7 +2,8 @@
 
 let
   hostConfigs = {
-    crossbox = [ ./crossbox.nix ./sdr.nix ./syncthing.nix ./forgejo.nix ./radicale.nix ./ollama.nix ./docuseal.nix ./nginx.nix ];
+    crossbox = [ ./crossbox.nix ./sdr.nix ./syncthing.nix ./forgejo.nix ./radicale.nix ./ollama.nix #./docuseal.nix
+                   ./nginx.nix ];
     anvil = [ ./anvil.nix ./sdr.nix ./vpn.nix ./syncthing.nix ./staging.nginx.nix ];
   };
 in
@@ -10,7 +11,7 @@ in
   imports =
     [ # Include the results of the hardware scan.
       ./hardware-configuration.nix
-    ] ++ hostConfigs.anvil;
+    ] ++ hostConfigs.crossbox;
 
   nix.settings.experimental-features = [ "nix-command" "flakes" ];
   nix.gc = {

crossbox.nix

@@ -1,9 +1,24 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 
+let
+  # Using nixos-24.05 for bisq-desktop (last stable release with working bisq-desktop)
+  # bisq-desktop was removed after 24.05 due to OpenJFX EOL issues
+  bisqPkgs = import (builtins.fetchTarball {
+    url = "https://github.com/NixOS/nixpkgs/archive/nixos-24.05.tar.gz";
+    sha256 = "0zydsqiaz8qi4zd63zsb2gij2p614cgkcaisnk11wjy3nmiq0x1s";
+  }) { system = pkgs.system; };
+in
 {
+  environment.systemPackages = with pkgs; [
+    bisqPkgs.bisq-desktop  # v1.9.15-1.9.17 from nixos-24.05
+    bisq2
+    llamacpp-rocm-bin-gfx1151
+    lmstudio
+  ];
+
   networking.hostName = "crossbox";
   system.stateVersion = "25.11";
-  networking.firewall.allowedTCPPorts = [ 22 ];
+  networking.firewall.allowedTCPPorts = [ 22 1234 ];
   services.pulseaudio.enable = false;
 
   hardware.graphics = {
@@ -16,6 +31,17 @@
     ];
   };
 
+  boot.kernelParams = [ "amdgpu.gttsize=115200" ];
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+
+  # ROCm environment for gfx1151 (Strix Halo)
+  # gfx1151 lacks TensileLibrary support in most ROCm builds,
+  # so we override to gfx1100 which is close enough and has full library support.
+  # The strix-halo overlay's llamacpp binaries override this with 11.5.1 in their wrappers.
+  environment.variables = {
+    HSA_OVERRIDE_GFX_VERSION = "11.0.0";
+  };
+
   # List services that you want to enable:
   services.openssh = {
     enable = true;

flake.nix

@@ -0,0 +1,23 @@
+# /etc/nixos/flake.nix
+{
+  description = "Framework Desktop with Strix Halo";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    strix-halo.url = "github:hellas-ai/nix-strix-halo";
+  };
+
+  outputs = { self, nixpkgs, strix-halo, ... }: {
+    nixosConfigurations.crossbox = nixpkgs.lib.nixosSystem {
+      system = "x86_64-linux";
+      modules = [
+        ./configuration.nix
+        
+        ({ pkgs, ... }: {
+          # Apply Strix Halo overlay
+          nixpkgs.overlays = [ strix-halo.overlays.default ];
+        })
+      ];
+    };
+  };
+}

nginx.nix

@@ -1,21 +1,10 @@
 { config, pkgs, lib, ... }:
 
 let
-  # Read multiple API keys from the secrets file at build time
-  # Note: This embeds the secrets in the Nix store, which is a trade-off
-  # Alternative: Keep secrets file and read via njs module or external auth service
-  secretsFile = "/srv/nginx/secrets";
-  
-  # Read API keys from file (one key per line, will be evaluated at build time)
-  # If the file doesn't exist yet, this will fail - create it first
-  apiKeysRaw = builtins.readFile secretsFile;
-  apiKeys = lib.filter (k: k != "") (lib.splitString "\n" apiKeysRaw);
-  
-  # Generate map entries for each key
-  mapEntries = lib.concatMapStringsSep "\n    " 
-    (key: ''"Bearer ${key}" "authorized";'') 
-    apiKeys;
-  
+  # NOTE: API keys will be loaded from /srv/nginx/secrets at runtime
+  # This file should contain one Bearer token per line
+  # The secrets file is read at runtime via include directive instead of build time
+  # to avoid flake purity issues
 in
 {
   services.nginx = {
@@ -31,12 +20,16 @@ in
     mapHashBucketSize = 128;
     
     # Map directive to check Authorization header against multiple keys
+    # Keys are loaded from /srv/nginx/secrets.map at runtime
     appendHttpConfig = ''
       # Check if the Authorization header matches any expected value
       map $http_authorization $auth_status {
         default "unauthorized";
         "" "no_auth";
-        ${mapEntries}
+        # Add your Bearer tokens here manually, or use include directive
+        # Format: "Bearer YOUR_TOKEN_HERE" "authorized";
+        # You can also create /srv/nginx/secrets.map and include it:
+        # include /srv/nginx/secrets.map;
       }
     '';
     
@@ -66,7 +59,7 @@ in
         locations."/blog/private/" = {
           extraConfig = ''
             auth_basic "Private Articles";
-            auth_basic_user_file /srv/nginx/.htpasswd;
+            auth_basic_user_file "/srv/nginx/.htpasswd";
             
             # Enable Server Side Includes
             ssi on;

ollama.nix

@@ -16,7 +16,9 @@
   ];
   
   # Add CA certificate for Ollama
-  security.pki.certificateFiles = [
-    /home/brimlock/ollama-ca.crt
-  ];
+  # Note: Path must be accessible at runtime, not build time
+  # You can copy the cert to /etc/nixos/ and reference it, or use a string path
+  # security.pki.certificateFiles = [
+  #   "/home/brimlock/ollama-ca.crt"
+  # ];
 }