diff --git a/.gitignore b/.gitignore index fd03719..3cb44c3 100644 --- a/.gitignore +++ b/.gitignore @@ -6,5 +6,3 @@ result-* # Ignore automatically generated direnv output .direnv -comfy-ui.nix -*.bak diff --git a/hosts/anvil/default.nix b/anvil.nix similarity index 78% rename from hosts/anvil/default.nix rename to anvil.nix index ab180b1..7b718ef 100644 --- a/hosts/anvil/default.nix +++ b/anvil.nix @@ -1,15 +1,10 @@ { config, pkgs, ... }: { - imports = [ - ./hardware-configuration.nix - # ./nginx.nix # TODO - ]; - networking.hostName = "anvil"; system.stateVersion = "24.11"; networking.firewall.allowedTCPPorts = [ 8384 ]; - services.pulseaudio.enable = false; + hardware.pulseaudio.enable = false; boot.initrd.luks.devices."luks-1f261d60-dfb4-4f63-9c77-f331a007108b".device = "/dev/disk/by-uuid/1f261d60-dfb4-4f63-9c77-f331a007108b"; diff --git a/configuration.nix b/configuration.nix index e108be3..e2d4062 100644 --- a/configuration.nix +++ b/configuration.nix @@ -1,6 +1,16 @@ { config, pkgs, ... }: +let + hostConfigs = { + crossbox = [ ./crossbox.nix ./sdr.nix ./syncthing.nix ./forgejo.nix ./radicale.nix ./ollama.nix ./docuseal.nix ./nginx.nix ]; + anvil = [ ./anvil.nix ./sdr.nix ./vpn.nix ./syncthing.nix ./staging.nginx.nix ]; + }; +in { + imports = + [ # Include the results of the hardware scan. + ./hardware-configuration.nix + ] ++ hostConfigs.anvil; nix.settings.experimental-features = [ "nix-command" "flakes" ]; nix.gc = { @@ -12,7 +22,6 @@ environment.systemPackages = with pkgs; [ cargo chromium - claude-code curl docker-compose gcc @@ -32,9 +41,8 @@ rsync rustc tldr - tor # Tor anonymity network vscodium - + # Hyprland essentials hyprpaper # Wallpaper daemon hypridle # Idle daemon 
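Review bot: The `hardware.pulseaudio.enable` spelling introduced in anvil.nix disagrees with `services.pulseaudio.enable` in the new crossbox.nix from the same commit, and both files are now evaluated through the same configuration.nix against one nixpkgs, so one of the two names is the renamed alias of the other and will at least warn (on a 25.05+ channel `hardware.pulseaudio` is the deprecated form — confirm against the channel anvil tracks). Use one spelling for both hosts, presumably the previous `services.pulseaudio.enable = false;`. Dropping the `imports` list here also means anvil now depends on whatever `./hardware-configuration.nix` sits at the repo root, which is not part of this diff.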
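Review bot: The host is hard-coded as `hostConfigs.anvil` in the new `imports` of configuration.nix, so the `hostConfigs` table selects nothing, and rebuilding this same file on crossbox would apply anvil's hostname, its LUKS device, VPN and firewall list while silently dropping crossbox's hardened sshd settings. Drive the choice from a single value instead, e.g. `host = "anvil";` in the `let` and `] ++ hostConfigs.${host};`, so that changing one token switches hosts. The root `./hardware-configuration.nix` pulled in here is not shown in the diff; the deleted `hosts/crossbox` copy carried crossbox's disk UUIDs and the deleted anvil copy was a placeholder, so verify which host's scan that file holds before deploying. With `flake.nix`/`flake.lock` removed in this commit, nixpkgs is also no longer pinned — if that is deliberate, a comment naming the channel each host follows would help.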
@@ -136,27 +144,20 @@ brightnessctl # Brightness control pavucontrol # Audio control networkmanagerapplet # Network manager applet - + # File manager and utilities nautilus gnome-themes-extra - + # Additional tools libreoffice grub2_efi exfatprogs - tor-browser # Tor Browser ]; }; programs.firefox.enable = true; - # Enable Tor service - services.tor = { - enable = true; - client.enable = true; - }; - # Allow unfree packages nixpkgs.config.allowUnfree = true; @@ -207,4 +208,4 @@ systemd.targets.suspend.enable = false; systemd.targets.hibernate.enable = false; systemd.targets.hybrid-sleep.enable = false; -} +} \ No newline at end of file diff --git a/crossbox.nix b/crossbox.nix new file mode 100644 index 0000000..952e216 --- /dev/null +++ b/crossbox.nix @@ -0,0 +1,53 @@ +{ config, pkgs, ... }: + +{ + networking.hostName = "crossbox"; + system.stateVersion = "25.11"; + networking.firewall.allowedTCPPorts = [ 22 ]; + services.pulseaudio.enable = false; + + hardware.graphics = { + enable = true; + extraPackages = with pkgs; [ + rocmPackages.clr.icd # ROCm OpenCL runtime + rocmPackages.clr + rocmPackages.rocminfo + rocmPackages.rocm-runtime + ]; + }; + + # List services that you want to enable: + services.openssh = { + enable = true; + settings = { + PermitRootLogin = "no"; + PasswordAuthentication = false; + KbdInteractiveAuthentication = false; + }; + }; + + # Disable automatic suspend. + # Otherwise SSH tunnels and HDMI signals break. + services.logind = { + settings = { + Login = { + HandleLidSwitch = "ignore"; + HandleHibernateKey = "ignore"; + HandleSuspendKey = "ignore"; + HandlePowerKey = "ignore"; + }; + }; + }; + + virtualisation.docker = { + enable = true; + autoPrune = { + enable = true; + dates = "weekly"; + }; + rootless = { + enable = true; + setSocketVariable = true; + }; + }; +} diff --git a/hosts/crossbox/docuseal.nix b/docuseal.nix similarity index 100% rename from hosts/crossbox/docuseal.nix rename to docuseal.nix 
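Review bot: `virtualisation.docker` in the new crossbox.nix enables both the rootful daemon (`enable = true`) and rootless mode; the system daemon's socket is effectively root-equivalent for any account in the `docker` group, so if rootless is the intended setup only the `rootless` block is needed and `enable = true;` can be dropped (keep it only if something actually requires the system daemon, and say so in a comment). The file also silently loses the `boot.kernelParams`, `boot.kernelPackages` and `HSA_OVERRIDE_GFX_VERSION` settings that the deleted hosts/crossbox/default.nix carried next to the same `hardware.graphics` ROCm block; if that is intentional, a one-line comment above `hardware.graphics` noting that the gfx override was dropped would spare the next reader a git-blame.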
diff --git a/flake.lock b/flake.lock deleted file mode 100644 index 6de247f..0000000 --- a/flake.lock +++ /dev/null 
@@ -1,384 +0,0 @@ -{ - "nodes": { - "chaotic": { - "inputs": { - "flake-schemas": "flake-schemas", - "home-manager": "home-manager", - "jovian": "jovian", - "nixpkgs": "nixpkgs_3", - "rust-overlay": "rust-overlay" - }, - "locked": { - "lastModified": 1754907869, - "narHash": "sha256-tzshAAjt0xDjCc/aOgii6PSqePIc2rWYSXF8VnqEhIg=", - "owner": "chaotic-cx", - "repo": "nyx", - "rev": "b5f83e0d7bce67af178f6aaef95853fedf4c00a0", - "type": "github" - }, - "original": { - "owner": "chaotic-cx", - "ref": "nyxpkgs-unstable", - "repo": "nyx", - "type": "github" - } - }, - "comfyui-nix": { - "inputs": { - "flake-parts": "flake-parts", - "nixpkgs": "nixpkgs" - }, - "locked": { - "lastModified": 1770501766, - "narHash": "sha256-GWAsk06uDuLoKpvEcEP7h3PdWLhdJCxHM7C96s9X7UA=", - "owner": "utensils", - "repo": "comfyui-nix", - "rev": "dc0e4a2efc036092a98bb20503f827247f36f49a", - "type": "github" - }, - "original": { - "owner": "utensils", - "repo": "comfyui-nix", - "type": "github" - } - }, - "disko": { - "inputs": { - "nixpkgs": [ - "strix-halo", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1754971456, - "narHash": "sha256-p04ZnIBGzerSyiY2dNGmookCldhldWAu03y0s3P8CB0=", - "owner": "nix-community", - "repo": "disko", - "rev": "8246829f2e675a46919718f9a64b71afe3bfb22d", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "disko", - "type": "github" - } - }, - "ec-su-axb35": { - "flake": false, - "locked": { - "lastModified": 1752926484, - "narHash": "sha256-CKMoltjRCvfKF7tJvP+wvwiuy2EpTP3vGbs875ey/7M=", - "owner": "cmetz", - "repo": "ec-su_axb35-linux", - "rev": "1761092d215322a62dee19afab7b4765788611eb", - "type": "github" - }, - "original": { - "owner": "cmetz", - "repo": "ec-su_axb35-linux", - "type": "github" - } - }, - "flake-parts": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib" - }, - "locked": { - "lastModified": 1767609335, - "narHash": "sha256-feveD98mQpptwrAEggBQKJTYbvwwglSbOv53uCfH9PY=", - "owner": "hercules-ci", - "repo": "flake-parts", - 
"rev": "250481aafeb741edfe23d29195671c19b36b6dca", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-schemas": { - "locked": { - "lastModified": 1721999734, - "narHash": "sha256-G5CxYeJVm4lcEtaO87LKzOsVnWeTcHGKbKxNamNWgOw=", - "rev": "0a5c42297d870156d9c57d8f99e476b738dcd982", - "revCount": 75, - "type": "tarball", - "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/flake-schemas/0.1.5/0190ef2f-61e0-794b-ba14-e82f225e55e6/source.tar.gz" - }, - "original": { - "type": "tarball", - "url": "https://flakehub.com/f/DeterminateSystems/flake-schemas/%3D0.1.5.tar.gz" - } - }, - "flake-utils": { - "inputs": { - "systems": "systems" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "home-manager": { - "inputs": { - "nixpkgs": [ - "strix-halo", - "chaotic", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1754886238, - "narHash": "sha256-LTQomWOwG70lZR+78ZYSZ9sYELWNq3HJ7/tdHzfif/s=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "0d492b89d1993579e63b9dbdaed17fd7824834da", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "home-manager", - "type": "github" - } - }, - "jovian": { - "inputs": { - "nix-github-actions": "nix-github-actions", - "nixpkgs": [ - "strix-halo", - "chaotic", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1754639028, - "narHash": "sha256-w1+XzPBAZPbeGLMAgAlOjIquswo6Q42PMep9KSrRzOA=", - "owner": "Jovian-Experiments", - "repo": "Jovian-NixOS", - "rev": "d49809278138d17be77ab0ef5506b26dc477fa62", - "type": "github" - }, - "original": { - "owner": "Jovian-Experiments", - "repo": "Jovian-NixOS", - "type": "github" - } - }, - "llama-cpp": { 
- "flake": false, - "locked": { - "lastModified": 1770704370, - "narHash": "sha256-atYUuXBZFbJxmswd694YwHfAWj1NClZ6mXiQbP1ABG8=", - "owner": "ggerganov", - "repo": "llama.cpp", - "rev": "f0bfe54f552f4783588f333b90d73920a57c5096", - "type": "github" - }, - "original": { - "owner": "ggerganov", - "ref": "b7984", - "repo": "llama.cpp", - "type": "github" - } - }, - "nix-github-actions": { - "inputs": { - "nixpkgs": [ - "strix-halo", - "chaotic", - "jovian", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1729697500, - "narHash": "sha256-VFTWrbzDlZyFHHb1AlKRiD/qqCJIripXKiCSFS8fAOY=", - "owner": "zhaofengli", - "repo": "nix-github-actions", - "rev": "e418aeb728b6aa5ca8c5c71974e7159c2df1d8cf", - "type": "github" - }, - "original": { - "owner": "zhaofengli", - "ref": "matrix-name", - "repo": "nix-github-actions", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1766902085, - "narHash": "sha256-coBu0ONtFzlwwVBzmjacUQwj3G+lybcZ1oeNSQkgC0M=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "c0b0e0fddf73fd517c3471e546c0df87a42d53f4", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-lib": { - "locked": { - "lastModified": 1765674936, - "narHash": "sha256-k00uTP4JNfmejrCLJOwdObYC9jHRrr/5M/a/8L2EIdo=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "2075416fcb47225d9b68ac469a5c4801a9c4dd85", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, - "nixpkgs_2": { - "locked": { - "lastModified": 1770562336, - "narHash": "sha256-ub1gpAONMFsT/GU2hV6ZWJjur8rJ6kKxdm9IlCT0j84=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "d6c71932130818840fc8fe9509cf50be8c64634f", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_3": { - "locked": { - "lastModified": 1754725699, - "narHash": 
"sha256-iAcj9T/Y+3DBy2J0N+yF9XQQQ8IEb5swLFzs23CdP88=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "85dbfc7aaf52ecb755f87e577ddbe6dbbdbc1054", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_4": { - "locked": { - "lastModified": 1754725699, - "narHash": "sha256-iAcj9T/Y+3DBy2J0N+yF9XQQQ8IEb5swLFzs23CdP88=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "85dbfc7aaf52ecb755f87e577ddbe6dbbdbc1054", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "rocwmma": { - "flake": false, - "locked": { - "lastModified": 1755039337, - "narHash": "sha256-qs6SFRRQHDJjja5GM91y0q5VpX/qzrtcGqdPN4FJMWI=", - "owner": "ROCm", - "repo": "rocWMMA", - "rev": "697624de0919f62f0f42bb237dd45d0296fc2c1a", - "type": "github" - }, - "original": { - "owner": "ROCm", - "repo": "rocWMMA", - "type": "github" - } - }, - "root": { - "inputs": { - "comfyui-nix": "comfyui-nix", - "nixpkgs": "nixpkgs_2", - "strix-halo": "strix-halo" - } - }, - "rust-overlay": { - "inputs": { - "nixpkgs": [ - "strix-halo", - "chaotic", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1754880555, - "narHash": "sha256-tG6l0wiX8V8IvG4HFYY8IYN5vpNAxQ+UWunjjpE6SqU=", - "owner": "oxalica", - "repo": "rust-overlay", - "rev": "17c591a44e4eb77f05f27cd37e1cfc3f219c7fc4", - "type": "github" - }, - "original": { - "owner": "oxalica", - "repo": "rust-overlay", - "type": "github" - } - }, - "strix-halo": { - "inputs": { - "chaotic": "chaotic", - "disko": "disko", - "ec-su-axb35": "ec-su-axb35", - "flake-utils": "flake-utils", - "llama-cpp": "llama-cpp", - "nixpkgs": "nixpkgs_4", - "rocwmma": "rocwmma" - }, - "locked": { - "lastModified": 1766179824, - "narHash": "sha256-11kC3d0GrpodpZ8yVJFsgNjdUlw99yvAa9Q2LOHtQWw=", - "owner": "hellas-ai", - "repo": "nix-strix-halo", - "rev": "3d090ab99f3b86b33f10c30c283225fbf4f16628", - "type": "github" - 
}, - "original": { - "owner": "hellas-ai", - "repo": "nix-strix-halo", - "type": "github" - } - }, - "systems": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/flake.nix b/flake.nix deleted file mode 100644 index 0e4a036..0000000 --- a/flake.nix +++ /dev/null @@ -1,42 +0,0 @@ -{ - description = "NixOS configurations for crossbox and anvil"; - - inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; - strix-halo.url = "github:hellas-ai/nix-strix-halo"; - strix-halo.inputs.llama-cpp.url = "github:ggerganov/llama.cpp/b7984"; - comfyui-nix.url = "github:utensils/comfyui-nix"; - }; - - outputs = { self, nixpkgs, strix-halo, comfyui-nix, ... }: - let - mkHost = { hostDir, extraModules ? [], overlays ? [], extraSpecialArgs ? {} }: - nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - specialArgs = extraSpecialArgs; - modules = [ - ./configuration.nix - hostDir - ({ ... }: { nixpkgs.overlays = overlays; }) - ] ++ extraModules; - }; - in { - nixosConfigurations.crossbox = mkHost { - hostDir = ./hosts/crossbox; - overlays = [ strix-halo.overlays.default comfyui-nix.overlays.default ]; - extraModules = [ - ./sdr.nix - ./syncthing.nix - comfyui-nix.nixosModules.default - ]; - extraSpecialArgs = { - strix-halo-pkgs = strix-halo.packages.x86_64-linux; - }; - }; - - nixosConfigurations.anvil = mkHost { - hostDir = ./hosts/anvil; - extraModules = [ ./sdr.nix ./syncthing.nix ]; - }; - }; -} diff --git a/hosts/crossbox/forgejo.nix b/forgejo.nix similarity index 100% rename from hosts/crossbox/forgejo.nix rename to forgejo.nix 
diff --git a/hosts/anvil/hardware-configuration.nix b/hosts/anvil/hardware-configuration.nix deleted file mode 100644 index 661efab..0000000 --- a/hosts/anvil/hardware-configuration.nix +++ /dev/null @@ -1,20 +0,0 @@ -# TODO: Replace with actual hardware-configuration.nix from anvil machine -# Run on anvil: nixos-generate-config --show-hardware-config -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; - - # Placeholder filesystem - replace with actual values from anvil - fileSystems."/" = { - device = "/dev/disk/by-uuid/PLACEHOLDER"; - fsType = "ext4"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/PLACEHOLDER"; - fsType = "vfat"; - }; -} diff --git a/hosts/anvil/nginx.nix b/hosts/anvil/nginx.nix deleted file mode 100644 index ea17920..0000000 --- a/hosts/anvil/nginx.nix +++ /dev/null @@ -1,5 +0,0 @@ -# TODO: Configure anvil's nginx -{ config, pkgs, lib, ... }: - -{ -} diff --git a/hosts/crossbox/comfyui.nix b/hosts/crossbox/comfyui.nix deleted file mode 100644 index 22fb2ca..0000000 --- a/hosts/crossbox/comfyui.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ config, pkgs, lib, ... }: - -{ - services.comfyui = { - enable = true; - listenAddress = "127.0.0.1"; - port = 8188; - }; -} diff --git a/hosts/crossbox/default.nix b/hosts/crossbox/default.nix deleted file mode 100644 index 56beb8b..0000000 --- a/hosts/crossbox/default.nix +++ /dev/null 
@@ -1,92 +0,0 @@ -{ config, pkgs, lib, strix-halo-pkgs, ... }: - -let - # Using nixos-24.05 for bisq-desktop (last stable release with working bisq-desktop) - # bisq-desktop was removed after 24.05 due to OpenJFX EOL issues - bisqPkgs = import (builtins.fetchTarball { - url = "https://github.com/NixOS/nixpkgs/archive/nixos-24.05.tar.gz"; - sha256 = "0zydsqiaz8qi4zd63zsb2gij2p614cgkcaisnk11wjy3nmiq0x1s"; - }) { system = pkgs.system; }; -in -{ - imports = [ - ./hardware-configuration.nix - ./nginx.nix - ./forgejo.nix - ./radicale.nix - ./ollama.nix - ./comfyui.nix - #./rustdesk.nix - # ./llama-server.nix # disabled: source build broken (LLVM 22 vs 19 mismatch in strix-halo overlay) - # ./docuseal.nix - ]; - - environment.systemPackages = with pkgs; [ - bisqPkgs.bisq-desktop # v1.9.15-1.9.17 from nixos-24.05 - bisq2 - llamacpp-rocm-bin-gfx1151 # prebuilt b1025; source build broken (LLVM mismatch) - # strix-halo-pkgs.llamacpp-rocm-gfx1151 # source-built, re-enable when overlay fixes LLVM 22/19 mismatch - lmstudio - ]; - - networking.hostName = "crossbox"; - system.stateVersion = "25.11"; - networking.firewall.allowedTCPPorts = [ 22 1234 ]; - services.pulseaudio.enable = false; - - hardware.graphics = { - enable = true; - extraPackages = with pkgs; [ - rocmPackages.clr.icd # ROCm OpenCL runtime - rocmPackages.clr - rocmPackages.rocminfo - rocmPackages.rocm-runtime - ]; - }; - - boot.kernelParams = [ "amdgpu.gttsize=115200" ]; - boot.kernelPackages = pkgs.linuxPackages_latest; - - # ROCm environment for gfx1151 (Strix Halo) - # gfx1151 lacks TensileLibrary support in most ROCm builds, - # so we override to gfx1100 which is close enough and has full library support. - # The strix-halo overlay's llamacpp binaries override this with 11.5.1 in their wrappers. 
- environment.variables = { - HSA_OVERRIDE_GFX_VERSION = "11.0.0"; - }; - - # List services that you want to enable: - services.openssh = { - enable = true; - settings = { - PermitRootLogin = "no"; - PasswordAuthentication = false; - KbdInteractiveAuthentication = false; - }; - }; - - # Disable automatic suspend. - # Otherwise SSH tunnels and HDMI signals break. - services.logind = { - settings = { - Login = { - HandleLidSwitch = "ignore"; - HandleHibernateKey = "ignore"; - HandleSuspendKey = "ignore"; - HandlePowerKey = "ignore"; - }; - }; - }; - - virtualisation.docker = { - enable = true; - autoPrune = { - enable = true; - dates = "weekly"; - }; - rootless = { - enable = true; - setSocketVariable = true; - }; - }; -} diff --git a/hosts/crossbox/hardware-configuration.nix b/hosts/crossbox/hardware-configuration.nix deleted file mode 100644 index 8b1187f..0000000 --- a/hosts/crossbox/hardware-configuration.nix +++ /dev/null 
@@ -1,39 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usbhid" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-amd" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = - { device = "/dev/disk/by-uuid/da4a61ca-f2f7-47d3-a902-a898e2cf1dfc"; - fsType = "ext4"; - }; - - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/36FB-9CD5"; - fsType = "vfat"; - options = [ "fmask=0077" "dmask=0077" ]; - }; - - fileSystems."/data" = - { device = "/dev/disk/by-uuid/1e785349-ecd9-4b0f-9dc6-f6e3a6fe95f1"; - fsType = "ext4"; - options = [ "noatime" "users" "nofail" ]; - }; - - swapDevices = - [ { device = "/dev/disk/by-uuid/69fc5898-4a33-431e-bea6-3ce7352312bf"; } - ]; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; -} diff --git a/hosts/crossbox/llama-server.nix b/hosts/crossbox/llama-server.nix deleted file mode 100644 index ee47dbb..0000000 --- a/hosts/crossbox/llama-server.nix +++ /dev/null 
@@ -1,47 +0,0 @@ -{ config, pkgs, lib, strix-halo-pkgs, ... }: - -{ - # Systemd service for llama-server with GLM-4.7-Flash - # Replaces Calvin's Docker-based setup - systemd.services.llama-server = { - description = "llama.cpp server (GLM-4.7-Flash)"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - - environment = { - HSA_OVERRIDE_GFX_VERSION = "11.5.1"; - }; - - serviceConfig = { - # Source-built llamacpp with ROCm for gfx1151, tracks flake's llama-cpp input (b7984) - ExecStart = '' - ${strix-halo-pkgs.llamacpp-rocm-gfx1151}/bin/llama-server \ - -m /srv/llama/models/GLM-4.7-Flash-Q4_K_S.gguf \ - --fa \ - -c 16384 \ - --port 25566 \ - --host 0.0.0.0 \ - --jinja \ - --chat-template-file /srv/llama/templates/glminstruct.template - ''; - Restart = "on-failure"; - RestartSec = 5; - - # Run as a dedicated user - DynamicUser = true; - StateDirectory = "llama-server"; - - # Read-only access to model and template files - ReadOnlyPaths = [ "/srv/llama" ]; - }; - }; - - # Ensure directories exist - systemd.tmpfiles.rules = [ - "d /srv/llama 0755 root root -" - "d /srv/llama/models 0755 root root -" - "d /srv/llama/templates 0755 root root -" - ]; - - networking.firewall.allowedTCPPorts = [ 25566 ]; -} diff --git a/hosts/crossbox/rustdesk.nix b/hosts/crossbox/rustdesk.nix deleted file mode 100644 index 0e03483..0000000 --- a/hosts/crossbox/rustdesk.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ config, pkgs, lib, ... }: - -{ - services.rustdesk-server = { - enable = true; - openFirewall = true; - }; -} \ No newline at end of file diff --git a/hosts/crossbox/nginx.nix b/nginx.nix similarity index 57% rename from hosts/crossbox/nginx.nix rename to nginx.nix index 2218292..58f2af7 100644 --- a/hosts/crossbox/nginx.nix +++ b/nginx.nix 
@@ -1,10 +1,21 @@ { config, pkgs, lib, ... }: let - # NOTE: API keys will be loaded from /srv/nginx/secrets at runtime - # This file should contain one Bearer token per line - # The secrets file is read at runtime via include directive instead of build time - # to avoid flake purity issues + # Read multiple API keys from the secrets file at build time + # Note: This embeds the secrets in the Nix store, which is a trade-off + # Alternative: Keep secrets file and read via njs module or external auth service + secretsFile = "/srv/nginx/secrets"; + + # Read API keys from file (one key per line, will be evaluated at build time) + # If the file doesn't exist yet, this will fail - create it first + apiKeysRaw = builtins.readFile secretsFile; + apiKeys = lib.filter (k: k != "") (lib.splitString "\n" apiKeysRaw); + + # Generate map entries for each key + mapEntries = lib.concatMapStringsSep "\n " + (key: ''"Bearer ${key}" "authorized";'') + apiKeys; + in { services.nginx = { @@ -20,15 +31,12 @@ in mapHashBucketSize = 128; # Map directive to check Authorization header against multiple keys - # Keys are loaded from /srv/nginx/secrets.map at runtime appendHttpConfig = '' # Check if the Authorization header matches any expected value map $http_authorization $auth_status { default "unauthorized"; "" "no_auth"; - # Tokens loaded from file to keep secrets out of the nix store - # Format: "Bearer YOUR_TOKEN_HERE" "authorized"; - include /srv/nginx/secrets.map; + ${mapEntries} } ''; @@ -58,7 +66,7 @@ in locations."/blog/private/" = { extraConfig = '' auth_basic "Private Articles"; - auth_basic_user_file "/srv/nginx/.htpasswd"; + auth_basic_user_file /srv/nginx/.htpasswd; # Enable Server Side Includes ssi on; 
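Review bot: `builtins.readFile secretsFile` pulls every Bearer token into the evaluated config, so the generated nginx.conf in `/nix/store` — world-readable, part of the system closure, and copied along by any `nix copy` or binary-cache push — now holds the API keys in clear, whereas the replaced `include /srv/nginx/secrets.map;` kept them in a root-readable file outside the store. The comment calls this a trade-off, but it also means rotating a key needs a full rebuild, and the keys are interpolated unescaped, so a token containing `"` or `;` would break or alter the `map` block. Restore the runtime include, with the file holding lines in the `"Bearer <token>" "authorized";` form the old comment described — `include /srv/nginx/secrets.map;` in place of `${mapEntries}` — after which the `apiKeys`/`mapEntries` bindings can go. The rest of the `let` and the `services.nginx` attrset continue outside this hunk.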
@@ -91,16 +99,11 @@ in # Proxy to Ollama (only if authorized) proxy_pass http://localhost:11434; - proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Connection ""; - - # Disable buffering for streaming (SSE) responses - proxy_buffering off; - + # Timeouts for long-running requests proxy_read_timeout 300s; proxy_connect_timeout 300s; 
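Review bot: Dropping `proxy_http_version 1.1`, `proxy_set_header Connection ""` and `proxy_buffering off` from the Ollama location makes nginx speak HTTP/1.0 to the upstream and buffer the reply, so streamed responses are released only when a buffer fills or the upstream closes; the lmstudio vhost deleted in this same commit kept exactly these three lines for its streaming path. If the removal was not deliberate, put back `proxy_http_version 1.1;`, `proxy_set_header Connection "";` and `proxy_buffering off;` after the `proxy_pass`. The enclosing `location` block and its `$auth_status` checks start above this hunk.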
@@ -116,59 +119,13 @@ in }; }; - # LM Studio with Bearer token authentication - # Proxies https://lmstudio.binning.net/v1 to http://localhost:1234/v1. - "lmstudio.binning.net" = { - forceSSL = true; - - sslCertificate = "/srv/nginx/binning.net.pem"; - sslCertificateKey = "/srv/nginx/binning.net.key.pem"; - - locations."/" = { - extraConfig = '' - # Check auth status - if ($auth_status = "no_auth") { - return 401 "Unauthorized: Bearer token required\n"; - } - if ($auth_status = "unauthorized") { - return 403 "Forbidden: Invalid API key\n"; - } - - # Proxy to LM Studio (running on port 1234) - # Note: The trailing slash is important - it preserves the /v1 path - proxy_pass http://localhost:1234/; - proxy_http_version 1.1; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Connection ""; - - # Disable buffering for streaming (SSE) responses - proxy_buffering off; - - # Timeouts for long-running requests - proxy_read_timeout 300s; - proxy_connect_timeout 300s; - proxy_send_timeout 300s; - - # Allow large request bodies - client_max_body_size 100M; - - # Logging - access_log /var/log/nginx/lmstudio_access.log; - error_log /var/log/nginx/lmstudio_error.log; - ''; - }; - }; - # Forgejo "forgejo.binning.net" = { forceSSL = true; #enableACME = true; - sslCertificate = "/srv/nginx/binning.net.pem"; - sslCertificateKey = "/srv/nginx/binning.net.key.pem"; + sslCertificate = "/srv/nginx/binning.net.pem"; + sslCertificateKey = "/srv/nginx/binning.net.key.pem"; locations."/" = { proxyPass = "http://127.0.0.1:3000"; 
@@ -181,8 +138,8 @@ in forceSSL = true; #enableACME = true; - sslCertificate = "/srv/nginx/binning.net.pem"; - sslCertificateKey = "/srv/nginx/binning.net.key.pem"; + sslCertificate = "/srv/nginx/binning.net.pem"; + sslCertificateKey = "/srv/nginx/binning.net.key.pem"; locations."/" = { proxyPass = "http://127.0.0.1:5232"; @@ -206,37 +163,6 @@ in proxyWebsockets = true; }; }; - - # ComfyUI with HTTP basic authentication - "comfyui.binning.net" = { - forceSSL = true; - - sslCertificate = "/srv/nginx/binning.net.pem"; - sslCertificateKey = "/srv/nginx/binning.net.key.pem"; - - locations."/" = { - proxyPass = "http://127.0.0.1:8188"; - proxyWebsockets = true; - extraConfig = '' - auth_basic "ComfyUI"; - auth_basic_user_file "/srv/nginx/.htpasswd"; - ''; - }; - }; - - # RustDesk - "rustdesk.binning.net" = { - forceSSL = true; - - #enableACME = true; - sslCertificate = "/srv/nginx/binning.net.pem"; - sslCertificateKey = "/srv/nginx/binning.net.key.pem"; - - locations."/" = { - proxyPass = "http://127.0.0.1:16484"; - proxyWebsockets = true; - }; - }; }; }; diff --git a/hosts/crossbox/ollama.nix b/ollama.nix similarity index 60% rename from hosts/crossbox/ollama.nix rename to ollama.nix index dc561e3..9f40eee 100644 --- a/hosts/crossbox/ollama.nix +++ b/ollama.nix @@ -16,9 +16,7 @@ ]; # Add CA certificate for Ollama - # Note: Path must be accessible at runtime, not build time - # You can copy the cert to /etc/nixos/ and reference it, or use a string path - # security.pki.certificateFiles = [ - # "/home/brimlock/ollama-ca.crt" - # ]; + security.pki.certificateFiles = [ + /home/brimlock/ollama-ca.crt + ]; } diff --git a/hosts/crossbox/radicale.nix b/radicale.nix similarity index 100% rename from hosts/crossbox/radicale.nix rename to radicale.nix
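Review bot: The path literal `/home/brimlock/ollama-ca.crt` in `security.pki.certificateFiles` installs that file as a system-wide trust anchor for every TLS client on the host, and it is sourced from a user's home directory, so any process running as that user can swap in a different CA that the next rebuild will trust; keep the certificate in a root-owned location (the removed comment's suggestion of `/etc/nixos/`, or the repository itself) and, if only the Ollama client needs it, scope it to that service rather than the system store. A path literal is also copied into the Nix store at evaluation, which is fine for a public certificate but fails the build wherever the file is absent, so it must exist on the building host. A one-line comment above the list saying what this CA signs would make the trust decision reviewable later.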