
10 commits

18 changed files with 768 additions and 93 deletions

2
.gitignore vendored

@ -6,3 +6,5 @@ result-*
# Ignore automatically generated direnv output
.direnv
comfy-ui.nix
*.bak


@ -1,16 +1,6 @@
{ config, pkgs, ... }:
let
hostConfigs = {
crossbox = [ ./crossbox.nix ./sdr.nix ./syncthing.nix ./forgejo.nix ./radicale.nix ./ollama.nix ./docuseal.nix ./nginx.nix ];
anvil = [ ./anvil.nix ./sdr.nix ./vpn.nix ./syncthing.nix ./staging.nginx.nix ];
};
in
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
] ++ hostConfigs.anvil;
nix.settings.experimental-features = [ "nix-command" "flakes" ];
nix.gc = {
@ -22,6 +12,7 @@ in
environment.systemPackages = with pkgs; [
cargo
chromium
claude-code
curl
docker-compose
gcc
@ -41,8 +32,9 @@ in
rsync
rustc
tldr
tor # Tor anonymity network
vscodium
# Hyprland essentials
hyprpaper # Wallpaper daemon
hypridle # Idle daemon
@ -144,20 +136,27 @@ in
brightnessctl # Brightness control
pavucontrol # Audio control
networkmanagerapplet # Network manager applet
# File manager and utilities
nautilus
gnome-themes-extra
# Additional tools
libreoffice
grub2_efi
exfatprogs
tor-browser # Tor Browser
];
};
programs.firefox.enable = true;
# Enable Tor service
services.tor = {
enable = true;
client.enable = true;
};
# Allow unfree packages
nixpkgs.config.allowUnfree = true;
@ -208,4 +207,4 @@ in
systemd.targets.suspend.enable = false;
systemd.targets.hibernate.enable = false;
systemd.targets.hybrid-sleep.enable = false;
}
}
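Review bot: The `services.tor` block and the `tor` package are added to the shared configuration.nix, which the flake.nix in this change feeds to every host, so the Tor client daemon will also run on crossbox, the machine that serves nginx, Forgejo and the LLM endpoints. If Tor is only wanted on the workstation, move `services.tor = { enable = true; client.enable = true; };` into that host's module. The `tor` entry in `environment.systemPackages` looks redundant next to `services.tor.enable`, and as far as I know `tor-browser` runs its own bundled Tor rather than the system daemon, so it may not need the service at all. A one-line comment naming the tool that is expected to use the local SOCKS listener would make the intent reviewable.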


@ -1,53 +0,0 @@
{ config, pkgs, ... }:
{
networking.hostName = "crossbox";
system.stateVersion = "25.11";
networking.firewall.allowedTCPPorts = [ 22 ];
services.pulseaudio.enable = false;
hardware.graphics = {
enable = true;
extraPackages = with pkgs; [
rocmPackages.clr.icd # ROCm OpenCL runtime
rocmPackages.clr
rocmPackages.rocminfo
rocmPackages.rocm-runtime
];
};
# List services that you want to enable:
services.openssh = {
enable = true;
settings = {
PermitRootLogin = "no";
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
};
};
# Disable automatic suspend.
# Otherwise SSH tunnels and HDMI signals break.
services.logind = {
settings = {
Login = {
HandleLidSwitch = "ignore";
HandleHibernateKey = "ignore";
HandleSuspendKey = "ignore";
HandlePowerKey = "ignore";
};
};
};
virtualisation.docker = {
enable = true;
autoPrune = {
enable = true;
dates = "weekly";
};
rootless = {
enable = true;
setSocketVariable = true;
};
};
}

384
flake.lock generated Normal file

@ -0,0 +1,384 @@
{
"nodes": {
"chaotic": {
"inputs": {
"flake-schemas": "flake-schemas",
"home-manager": "home-manager",
"jovian": "jovian",
"nixpkgs": "nixpkgs_3",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1754907869,
"narHash": "sha256-tzshAAjt0xDjCc/aOgii6PSqePIc2rWYSXF8VnqEhIg=",
"owner": "chaotic-cx",
"repo": "nyx",
"rev": "b5f83e0d7bce67af178f6aaef95853fedf4c00a0",
"type": "github"
},
"original": {
"owner": "chaotic-cx",
"ref": "nyxpkgs-unstable",
"repo": "nyx",
"type": "github"
}
},
"comfyui-nix": {
"inputs": {
"flake-parts": "flake-parts",
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1770501766,
"narHash": "sha256-GWAsk06uDuLoKpvEcEP7h3PdWLhdJCxHM7C96s9X7UA=",
"owner": "utensils",
"repo": "comfyui-nix",
"rev": "dc0e4a2efc036092a98bb20503f827247f36f49a",
"type": "github"
},
"original": {
"owner": "utensils",
"repo": "comfyui-nix",
"type": "github"
}
},
"disko": {
"inputs": {
"nixpkgs": [
"strix-halo",
"nixpkgs"
]
},
"locked": {
"lastModified": 1754971456,
"narHash": "sha256-p04ZnIBGzerSyiY2dNGmookCldhldWAu03y0s3P8CB0=",
"owner": "nix-community",
"repo": "disko",
"rev": "8246829f2e675a46919718f9a64b71afe3bfb22d",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"ec-su-axb35": {
"flake": false,
"locked": {
"lastModified": 1752926484,
"narHash": "sha256-CKMoltjRCvfKF7tJvP+wvwiuy2EpTP3vGbs875ey/7M=",
"owner": "cmetz",
"repo": "ec-su_axb35-linux",
"rev": "1761092d215322a62dee19afab7b4765788611eb",
"type": "github"
},
"original": {
"owner": "cmetz",
"repo": "ec-su_axb35-linux",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1767609335,
"narHash": "sha256-feveD98mQpptwrAEggBQKJTYbvwwglSbOv53uCfH9PY=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "250481aafeb741edfe23d29195671c19b36b6dca",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-schemas": {
"locked": {
"lastModified": 1721999734,
"narHash": "sha256-G5CxYeJVm4lcEtaO87LKzOsVnWeTcHGKbKxNamNWgOw=",
"rev": "0a5c42297d870156d9c57d8f99e476b738dcd982",
"revCount": 75,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/DeterminateSystems/flake-schemas/0.1.5/0190ef2f-61e0-794b-ba14-e82f225e55e6/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/DeterminateSystems/flake-schemas/%3D0.1.5.tar.gz"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"strix-halo",
"chaotic",
"nixpkgs"
]
},
"locked": {
"lastModified": 1754886238,
"narHash": "sha256-LTQomWOwG70lZR+78ZYSZ9sYELWNq3HJ7/tdHzfif/s=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "0d492b89d1993579e63b9dbdaed17fd7824834da",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"jovian": {
"inputs": {
"nix-github-actions": "nix-github-actions",
"nixpkgs": [
"strix-halo",
"chaotic",
"nixpkgs"
]
},
"locked": {
"lastModified": 1754639028,
"narHash": "sha256-w1+XzPBAZPbeGLMAgAlOjIquswo6Q42PMep9KSrRzOA=",
"owner": "Jovian-Experiments",
"repo": "Jovian-NixOS",
"rev": "d49809278138d17be77ab0ef5506b26dc477fa62",
"type": "github"
},
"original": {
"owner": "Jovian-Experiments",
"repo": "Jovian-NixOS",
"type": "github"
}
},
"llama-cpp": {
"flake": false,
"locked": {
"lastModified": 1770704370,
"narHash": "sha256-atYUuXBZFbJxmswd694YwHfAWj1NClZ6mXiQbP1ABG8=",
"owner": "ggerganov",
"repo": "llama.cpp",
"rev": "f0bfe54f552f4783588f333b90d73920a57c5096",
"type": "github"
},
"original": {
"owner": "ggerganov",
"ref": "b7984",
"repo": "llama.cpp",
"type": "github"
}
},
"nix-github-actions": {
"inputs": {
"nixpkgs": [
"strix-halo",
"chaotic",
"jovian",
"nixpkgs"
]
},
"locked": {
"lastModified": 1729697500,
"narHash": "sha256-VFTWrbzDlZyFHHb1AlKRiD/qqCJIripXKiCSFS8fAOY=",
"owner": "zhaofengli",
"repo": "nix-github-actions",
"rev": "e418aeb728b6aa5ca8c5c71974e7159c2df1d8cf",
"type": "github"
},
"original": {
"owner": "zhaofengli",
"ref": "matrix-name",
"repo": "nix-github-actions",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1766902085,
"narHash": "sha256-coBu0ONtFzlwwVBzmjacUQwj3G+lybcZ1oeNSQkgC0M=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c0b0e0fddf73fd517c3471e546c0df87a42d53f4",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1765674936,
"narHash": "sha256-k00uTP4JNfmejrCLJOwdObYC9jHRrr/5M/a/8L2EIdo=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "2075416fcb47225d9b68ac469a5c4801a9c4dd85",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1770562336,
"narHash": "sha256-ub1gpAONMFsT/GU2hV6ZWJjur8rJ6kKxdm9IlCT0j84=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d6c71932130818840fc8fe9509cf50be8c64634f",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1754725699,
"narHash": "sha256-iAcj9T/Y+3DBy2J0N+yF9XQQQ8IEb5swLFzs23CdP88=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "85dbfc7aaf52ecb755f87e577ddbe6dbbdbc1054",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_4": {
"locked": {
"lastModified": 1754725699,
"narHash": "sha256-iAcj9T/Y+3DBy2J0N+yF9XQQQ8IEb5swLFzs23CdP88=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "85dbfc7aaf52ecb755f87e577ddbe6dbbdbc1054",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"rocwmma": {
"flake": false,
"locked": {
"lastModified": 1755039337,
"narHash": "sha256-qs6SFRRQHDJjja5GM91y0q5VpX/qzrtcGqdPN4FJMWI=",
"owner": "ROCm",
"repo": "rocWMMA",
"rev": "697624de0919f62f0f42bb237dd45d0296fc2c1a",
"type": "github"
},
"original": {
"owner": "ROCm",
"repo": "rocWMMA",
"type": "github"
}
},
"root": {
"inputs": {
"comfyui-nix": "comfyui-nix",
"nixpkgs": "nixpkgs_2",
"strix-halo": "strix-halo"
}
},
"rust-overlay": {
"inputs": {
"nixpkgs": [
"strix-halo",
"chaotic",
"nixpkgs"
]
},
"locked": {
"lastModified": 1754880555,
"narHash": "sha256-tG6l0wiX8V8IvG4HFYY8IYN5vpNAxQ+UWunjjpE6SqU=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "17c591a44e4eb77f05f27cd37e1cfc3f219c7fc4",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"strix-halo": {
"inputs": {
"chaotic": "chaotic",
"disko": "disko",
"ec-su-axb35": "ec-su-axb35",
"flake-utils": "flake-utils",
"llama-cpp": "llama-cpp",
"nixpkgs": "nixpkgs_4",
"rocwmma": "rocwmma"
},
"locked": {
"lastModified": 1766179824,
"narHash": "sha256-11kC3d0GrpodpZ8yVJFsgNjdUlw99yvAa9Q2LOHtQWw=",
"owner": "hellas-ai",
"repo": "nix-strix-halo",
"rev": "3d090ab99f3b86b33f10c30c283225fbf4f16628",
"type": "github"
},
"original": {
"owner": "hellas-ai",
"repo": "nix-strix-halo",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

42
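--- a/flake.nix
+++ b/flake.nix
@@ -0,0 +1,42 @@
+{
+description = "NixOS configurations for crossbox and anvil";
+inputs = {
+nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+strix-halo.url = "github:hellas-ai/nix-strix-halo";
+strix-halo.inputs.llama-cpp.url = "github:ggerganov/llama.cpp/b7984";
+comfyui-nix.url = "github:utensils/comfyui-nix";
+};
+outputs = { self, nixpkgs, strix-halo, comfyui-nix, ... }:
+let
+mkHost = { hostDir, extraModules ? [], overlays ? [], extraSpecialArgs ? {} }:
+nixpkgs.lib.nixosSystem {
+system = "x86_64-linux";
+specialArgs = extraSpecialArgs;
+modules = [
+./configuration.nix
+hostDir
+({ ... }: { nixpkgs.overlays = overlays; })
+] ++ extraModules;
+};
+in {
+nixosConfigurations.crossbox = mkHost {
+hostDir = ./hosts/crossbox;
+overlays = [ strix-halo.overlays.default comfyui-nix.overlays.default ];
+extraModules = [
+./sdr.nix
+./syncthing.nix
+comfyui-nix.nixosModules.default
+];
+extraSpecialArgs = {
+strix-halo-pkgs = strix-halo.packages.x86_64-linux;
+};
+};
+nixosConfigurations.anvil = mkHost {
+hostDir = ./hosts/anvil;
+extraModules = [ ./sdr.nix ./syncthing.nix ];
+};
+};
+}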
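Review bot: anvil loses modules in this move: the old `hostConfigs.anvil` list in configuration.nix imported `./vpn.nix` and `./staging.nginx.nix`, but `nixosConfigurations.anvil` passes only `extraModules = [ ./sdr.nix ./syncthing.nix ];`, and the hosts/anvil imports shown in this change do not pick them up either. If dropping the VPN is not intended, restore it with `extraModules = [ ./sdr.nix ./vpn.nix ./syncthing.nix ];`; if it is intended, say so in a comment, because a host that silently comes up without its VPN is easy to miss. Separately, `strix-halo.overlays.default` and `comfyui-nix.overlays.default` are applied to crossbox's whole package set, so those third-party flakes can replace any package on that host. flake.lock pins them, so bumps of those two inputs deserve the same review as code changes.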


@ -1,10 +1,15 @@
{ config, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
# ./nginx.nix # TODO
];
networking.hostName = "anvil";
system.stateVersion = "24.11";
networking.firewall.allowedTCPPorts = [ 8384 ];
hardware.pulseaudio.enable = false;
services.pulseaudio.enable = false;
boot.initrd.luks.devices."luks-1f261d60-dfb4-4f63-9c77-f331a007108b".device = "/dev/disk/by-uuid/1f261d60-dfb4-4f63-9c77-f331a007108b";


@ -0,0 +1,20 @@
# TODO: Replace with actual hardware-configuration.nix from anvil machine
# Run on anvil: nixos-generate-config --show-hardware-config
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
# Placeholder filesystem - replace with actual values from anvil
fileSystems."/" = {
device = "/dev/disk/by-uuid/PLACEHOLDER";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/PLACEHOLDER";
fsType = "vfat";
};
}
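Review bot: This placeholder evaluates cleanly, so a rebuild of anvil from the flake would produce a system whose `/` and `/boot` both point at `/dev/disk/by-uuid/PLACEHOLDER`, and the anvil host module in this change imports `./hardware-configuration.nix` unconditionally. Make the stub fail at evaluation until the real file is generated, for example `device = throw "anvil hardware-configuration.nix is still a placeholder; generate it on anvil";` on the `/` entry. The stub also declares no initrd kernel modules, while the host module has a `boot.initrd.luks.devices` entry, so the real generated file matters for unlocking the disk at boot.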

5
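--- a/hosts/anvil/nginx.nix
+++ b/hosts/anvil/nginx.nix
@@ -0,0 +1,5 @@
+# TODO: Configure anvil's nginx
+{ config, pkgs, lib, ... }:
+{
+}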


@ -0,0 +1,9 @@
{ config, pkgs, lib, ... }:
{
services.comfyui = {
enable = true;
listenAddress = "127.0.0.1";
port = 8188;
};
}


@ -0,0 +1,92 @@
{ config, pkgs, lib, strix-halo-pkgs, ... }:
let
# Using nixos-24.05 for bisq-desktop (last stable release with working bisq-desktop)
# bisq-desktop was removed after 24.05 due to OpenJFX EOL issues
bisqPkgs = import (builtins.fetchTarball {
url = "https://github.com/NixOS/nixpkgs/archive/nixos-24.05.tar.gz";
sha256 = "0zydsqiaz8qi4zd63zsb2gij2p614cgkcaisnk11wjy3nmiq0x1s";
}) { system = pkgs.system; };
in
{
imports = [
./hardware-configuration.nix
./nginx.nix
./forgejo.nix
./radicale.nix
./ollama.nix
./comfyui.nix
#./rustdesk.nix
# ./llama-server.nix # disabled: source build broken (LLVM 22 vs 19 mismatch in strix-halo overlay)
# ./docuseal.nix
];
environment.systemPackages = with pkgs; [
bisqPkgs.bisq-desktop # v1.9.15-1.9.17 from nixos-24.05
bisq2
llamacpp-rocm-bin-gfx1151 # prebuilt b1025; source build broken (LLVM mismatch)
# strix-halo-pkgs.llamacpp-rocm-gfx1151 # source-built, re-enable when overlay fixes LLVM 22/19 mismatch
lmstudio
];
networking.hostName = "crossbox";
system.stateVersion = "25.11";
networking.firewall.allowedTCPPorts = [ 22 1234 ];
services.pulseaudio.enable = false;
hardware.graphics = {
enable = true;
extraPackages = with pkgs; [
rocmPackages.clr.icd # ROCm OpenCL runtime
rocmPackages.clr
rocmPackages.rocminfo
rocmPackages.rocm-runtime
];
};
boot.kernelParams = [ "amdgpu.gttsize=115200" ];
boot.kernelPackages = pkgs.linuxPackages_latest;
# ROCm environment for gfx1151 (Strix Halo)
# gfx1151 lacks TensileLibrary support in most ROCm builds,
# so we override to gfx1100 which is close enough and has full library support.
# The strix-halo overlay's llamacpp binaries override this with 11.5.1 in their wrappers.
environment.variables = {
HSA_OVERRIDE_GFX_VERSION = "11.0.0";
};
# List services that you want to enable:
services.openssh = {
enable = true;
settings = {
PermitRootLogin = "no";
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
};
};
# Disable automatic suspend.
# Otherwise SSH tunnels and HDMI signals break.
services.logind = {
settings = {
Login = {
HandleLidSwitch = "ignore";
HandleHibernateKey = "ignore";
HandleSuspendKey = "ignore";
HandlePowerKey = "ignore";
};
};
};
virtualisation.docker = {
enable = true;
autoPrune = {
enable = true;
dates = "weekly";
};
rootless = {
enable = true;
setSocketVariable = true;
};
};
}
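Review bot: `networking.firewall.allowedTCPPorts = [ 22 1234 ];` opens the LM Studio port directly, while the same change adds an nginx vhost that puts the Bearer-token check in front of `http://localhost:1234/`. If LM Studio listens on more than loopback, clients can reach port 1234 and skip the token check; unless unauthenticated LAN access is intended, use `networking.firewall.allowedTCPPorts = [ 22 ];` and keep LM Studio bound to 127.0.0.1. The `bisqPkgs` import also deserves a comment on its risk: `nixos-24.05` is, as far as I know, an end-of-life channel, so `bisq-desktop` and the Java runtime it pulls in receive no further security fixes. Because the URL names a branch tarball rather than a commit, the pinned `sha256` will stop matching if that branch ever moves, and a flake input locked in flake.lock would be the more reproducible form.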


@ -0,0 +1,39 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usbhid" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/da4a61ca-f2f7-47d3-a902-a898e2cf1dfc";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/36FB-9CD5";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
fileSystems."/data" =
{ device = "/dev/disk/by-uuid/1e785349-ecd9-4b0f-9dc6-f6e3a6fe95f1";
fsType = "ext4";
options = [ "noatime" "users" "nofail" ];
};
swapDevices =
[ { device = "/dev/disk/by-uuid/69fc5898-4a33-431e-bea6-3ce7352312bf"; }
];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -0,0 +1,47 @@
{ config, pkgs, lib, strix-halo-pkgs, ... }:
{
# Systemd service for llama-server with GLM-4.7-Flash
# Replaces Calvin's Docker-based setup
systemd.services.llama-server = {
description = "llama.cpp server (GLM-4.7-Flash)";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
environment = {
HSA_OVERRIDE_GFX_VERSION = "11.5.1";
};
serviceConfig = {
# Source-built llamacpp with ROCm for gfx1151, tracks flake's llama-cpp input (b7984)
ExecStart = ''
${strix-halo-pkgs.llamacpp-rocm-gfx1151}/bin/llama-server \
-m /srv/llama/models/GLM-4.7-Flash-Q4_K_S.gguf \
--fa \
-c 16384 \
--port 25566 \
--host 0.0.0.0 \
--jinja \
--chat-template-file /srv/llama/templates/glminstruct.template
'';
Restart = "on-failure";
RestartSec = 5;
# Run as a dedicated user
DynamicUser = true;
StateDirectory = "llama-server";
# Read-only access to model and template files
ReadOnlyPaths = [ "/srv/llama" ];
};
};
# Ensure directories exist
systemd.tmpfiles.rules = [
"d /srv/llama 0755 root root -"
"d /srv/llama/models 0755 root root -"
"d /srv/llama/templates 0755 root root -"
];
networking.firewall.allowedTCPPorts = [ 25566 ];
}
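Review bot: `--host 0.0.0.0` together with `networking.firewall.allowedTCPPorts = [ 25566 ];` exposes the llama-server API on every interface with no authentication visible in `ExecStart`, unlike the Ollama and LM Studio endpoints, which sit behind the nginx Bearer-token map. Bind to loopback with `--host 127.0.0.1 \`, drop the firewall line, and publish the service through an nginx vhost like the others; if direct LAN access is required, llama-server's `--api-key-file` option can require a token. What appears to be this module is commented out in the crossbox imports in this change, so this is the moment to fix it, before it is re-enabled.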


@ -1,21 +1,10 @@
{ config, pkgs, lib, ... }:
let
# Read multiple API keys from the secrets file at build time
# Note: This embeds the secrets in the Nix store, which is a trade-off
# Alternative: Keep secrets file and read via njs module or external auth service
secretsFile = "/srv/nginx/secrets";
# Read API keys from file (one key per line, will be evaluated at build time)
# If the file doesn't exist yet, this will fail - create it first
apiKeysRaw = builtins.readFile secretsFile;
apiKeys = lib.filter (k: k != "") (lib.splitString "\n" apiKeysRaw);
# Generate map entries for each key
mapEntries = lib.concatMapStringsSep "\n "
(key: ''"Bearer ${key}" "authorized";'')
apiKeys;
# NOTE: API keys will be loaded from /srv/nginx/secrets at runtime
# This file should contain one Bearer token per line
# The secrets file is read at runtime via include directive instead of build time
# to avoid flake purity issues
in
{
services.nginx = {
@ -31,12 +20,15 @@ in
mapHashBucketSize = 128;
# Map directive to check Authorization header against multiple keys
# Keys are loaded from /srv/nginx/secrets.map at runtime
appendHttpConfig = ''
# Check if the Authorization header matches any expected value
map $http_authorization $auth_status {
default "unauthorized";
"" "no_auth";
${mapEntries}
# Tokens loaded from file to keep secrets out of the nix store
# Format: "Bearer YOUR_TOKEN_HERE" "authorized";
include /srv/nginx/secrets.map;
}
'';
@ -66,7 +58,7 @@ in
locations."/blog/private/" = {
extraConfig = ''
auth_basic "Private Articles";
auth_basic_user_file /srv/nginx/.htpasswd;
auth_basic_user_file "/srv/nginx/.htpasswd";
# Enable Server Side Includes
ssi on;
@ -99,11 +91,16 @@ in
# Proxy to Ollama (only if authorized)
proxy_pass http://localhost:11434;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Connection "";
# Disable buffering for streaming (SSE) responses
proxy_buffering off;
# Timeouts for long-running requests
proxy_read_timeout 300s;
proxy_connect_timeout 300s;
@ -119,13 +116,59 @@ in
};
};
# LM Studio with Bearer token authentication
# Proxies https://lmstudio.binning.net/v1 to http://localhost:1234/v1.
"lmstudio.binning.net" = {
forceSSL = true;
sslCertificate = "/srv/nginx/binning.net.pem";
sslCertificateKey = "/srv/nginx/binning.net.key.pem";
locations."/" = {
extraConfig = ''
# Check auth status
if ($auth_status = "no_auth") {
return 401 "Unauthorized: Bearer token required\n";
}
if ($auth_status = "unauthorized") {
return 403 "Forbidden: Invalid API key\n";
}
# Proxy to LM Studio (running on port 1234)
# Note: The trailing slash is important - it preserves the /v1 path
proxy_pass http://localhost:1234/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Connection "";
# Disable buffering for streaming (SSE) responses
proxy_buffering off;
# Timeouts for long-running requests
proxy_read_timeout 300s;
proxy_connect_timeout 300s;
proxy_send_timeout 300s;
# Allow large request bodies
client_max_body_size 100M;
# Logging
access_log /var/log/nginx/lmstudio_access.log;
error_log /var/log/nginx/lmstudio_error.log;
'';
};
};
# Forgejo
"forgejo.binning.net" = {
forceSSL = true;
#enableACME = true;
sslCertificate = "/srv/nginx/binning.net.pem";
sslCertificateKey = "/srv/nginx/binning.net.key.pem";
sslCertificate = "/srv/nginx/binning.net.pem";
sslCertificateKey = "/srv/nginx/binning.net.key.pem";
locations."/" = {
proxyPass = "http://127.0.0.1:3000";
@ -138,8 +181,8 @@ in
forceSSL = true;
#enableACME = true;
sslCertificate = "/srv/nginx/binning.net.pem";
sslCertificateKey = "/srv/nginx/binning.net.key.pem";
sslCertificate = "/srv/nginx/binning.net.pem";
sslCertificateKey = "/srv/nginx/binning.net.key.pem";
locations."/" = {
proxyPass = "http://127.0.0.1:5232";
@ -163,6 +206,37 @@ in
proxyWebsockets = true;
};
};
# ComfyUI with HTTP basic authentication
"comfyui.binning.net" = {
forceSSL = true;
sslCertificate = "/srv/nginx/binning.net.pem";
sslCertificateKey = "/srv/nginx/binning.net.key.pem";
locations."/" = {
proxyPass = "http://127.0.0.1:8188";
proxyWebsockets = true;
extraConfig = ''
auth_basic "ComfyUI";
auth_basic_user_file "/srv/nginx/.htpasswd";
'';
};
};
# RustDesk
"rustdesk.binning.net" = {
forceSSL = true;
#enableACME = true;
sslCertificate = "/srv/nginx/binning.net.pem";
sslCertificateKey = "/srv/nginx/binning.net.key.pem";
locations."/" = {
proxyPass = "http://127.0.0.1:16484";
proxyWebsockets = true;
};
};
};
};
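Review bot: The new `comfyui.binning.net` vhost reuses `/srv/nginx/.htpasswd`, the same credential file that guards `/blog/private/`, so every account allowed to read private articles can also drive ComfyUI on the GPU host. Give it its own file, e.g. `auth_basic_user_file "/srv/nginx/comfyui.htpasswd";` (the file name is a suggestion). The `rustdesk.binning.net` vhost has no authentication at all and proxies to `127.0.0.1:16484` while the rustdesk import is commented out on crossbox; drop it until the service exists, or put it behind the same controls as the other vhosts. In the token map, `include /srv/nginx/secrets.map;` keeps the tokens out of the Nix store, but a missing or unreadable file will now stop nginx from starting, so the comment above it should state the required owner and mode (readable by the nginx user only).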


@ -16,7 +16,9 @@
];
# Add CA certificate for Ollama
security.pki.certificateFiles = [
/home/brimlock/ollama-ca.crt
];
# Note: Path must be accessible at runtime, not build time
# You can copy the cert to /etc/nixos/ and reference it, or use a string path
# security.pki.certificateFiles = [
# "/home/brimlock/ollama-ca.crt"
# ];
}
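Review bot: Commenting out `security.pki.certificateFiles` removes the Ollama CA from the system trust store, so TLS clients on this host can no longer verify that endpoint unless they are given the CA some other way, and the usual workaround is to switch verification off. The new comment also appears to have the timing backwards: as far as I know NixOS reads these files when the system is built and merges them into the CA bundle, so the path must be available at build time, and pure flake evaluation rejects `/home/brimlock/ollama-ca.crt` for exactly that reason. A CA certificate is public, so committing it next to this module and writing `security.pki.certificateFiles = [ ./ollama-ca.crt ];` keeps the trust anchor and satisfies the flake. The enclosing attribute set starts above this hunk.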


@ -0,0 +1,8 @@
{ config, pkgs, lib, ... }:
{
services.rustdesk-server = {
enable = true;
openFirewall = true;
};
}