From c20fd46f9f6c3c4e4639ff79f1b4be2d5cfb984a Mon Sep 17 00:00:00 2001 From: "matthew.binning" Date: Tue, 10 Feb 2026 06:10:33 -0800 Subject: [PATCH 01/10] feat: Get ROCm working with flake --- .gitignore | 3 +++ configuration.nix | 7 ++++--- crossbox.nix | 30 ++++++++++++++++++++++++++++-- flake.nix | 23 +++++++++++++++++++++++ nginx.nix | 27 ++++++++++----------------- ollama.nix | 8 +++++--- 6 files changed, 73 insertions(+), 25 deletions(-) create mode 100644 flake.nix diff --git a/.gitignore b/.gitignore index 3cb44c3..15d854b 100644 --- a/.gitignore +++ b/.gitignore @@ -6,3 +6,6 @@ result-* # Ignore automatically generated direnv output .direnv +hardware-configuration.nix +comfy-ui.nix +*.bak diff --git a/configuration.nix b/configuration.nix index e2d4062..12c0dab 100644 --- a/configuration.nix +++ b/configuration.nix @@ -2,7 +2,8 @@ let hostConfigs = { - crossbox = [ ./crossbox.nix ./sdr.nix ./syncthing.nix ./forgejo.nix ./radicale.nix ./ollama.nix ./docuseal.nix ./nginx.nix ]; + crossbox = [ ./crossbox.nix ./sdr.nix ./syncthing.nix ./forgejo.nix ./radicale.nix ./ollama.nix #./docuseal.nix + ./nginx.nix ]; anvil = [ ./anvil.nix ./sdr.nix ./vpn.nix ./syncthing.nix ./staging.nginx.nix ]; }; in @@ -10,7 +11,7 @@ in imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix - ] ++ hostConfigs.anvil; + ] ++ hostConfigs.crossbox; nix.settings.experimental-features = [ "nix-command" "flakes" ]; nix.gc = { @@ -208,4 +209,4 @@ in systemd.targets.suspend.enable = false; systemd.targets.hibernate.enable = false; systemd.targets.hybrid-sleep.enable = false; -} \ No newline at end of file +} diff --git a/crossbox.nix b/crossbox.nix index 952e216..02d8592 100644 --- a/crossbox.nix +++ b/crossbox.nix 
@@ -1,9 +1,24 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: +let + # Using nixos-24.05 for bisq-desktop (last stable release with working bisq-desktop) + # bisq-desktop was removed after 24.05 due to OpenJFX EOL issues + bisqPkgs = import (builtins.fetchTarball { + url = "https://github.com/NixOS/nixpkgs/archive/nixos-24.05.tar.gz"; + sha256 = "0zydsqiaz8qi4zd63zsb2gij2p614cgkcaisnk11wjy3nmiq0x1s"; + }) { system = pkgs.system; }; +in { + environment.systemPackages = with pkgs; [ + bisqPkgs.bisq-desktop # v1.9.15-1.9.17 from nixos-24.05 + bisq2 + llamacpp-rocm-bin-gfx1151 + lmstudio + ]; + networking.hostName = "crossbox"; system.stateVersion = "25.11"; - networking.firewall.allowedTCPPorts = [ 22 ]; + networking.firewall.allowedTCPPorts = [ 22 1234 ]; services.pulseaudio.enable = false; hardware.graphics = { @@ -16,6 +31,17 @@ ]; }; + boot.kernelParams = [ "amdgpu.gttsize=115200" ]; + boot.kernelPackages = pkgs.linuxPackages_latest; + + # ROCm environment for gfx1151 (Strix Halo) + # gfx1151 lacks TensileLibrary support in most ROCm builds, + # so we override to gfx1100 which is close enough and has full library support. + # The strix-halo overlay's llamacpp binaries override this with 11.5.1 in their wrappers. + environment.variables = { + HSA_OVERRIDE_GFX_VERSION = "11.0.0"; + }; + # List services that you want to enable: services.openssh = { enable = true; diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..44638eb --- /dev/null +++ b/flake.nix 
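Review bot: Adding 1234 to `networking.firewall.allowedTCPPorts` in the first crossbox.nix hunk opens the LM Studio API port to every network the host is attached to, and nothing in this hunk puts authentication in front of it. Whether LM Studio binds beyond loopback is not visible here, but if it does, the port is reachable without the bearer-token check that nginx.nix applies to its proxied services. Keeping the line as `networking.firewall.allowedTCPPorts = [ 22 ];` and publishing the API only through the reverse proxy avoids that. Separately, the `fetchTarball` URL names the `nixos-24.05` branch rather than a commit, so the fixed `sha256` stops matching if that tarball ever changes; pinning the archive URL to a specific commit keeps hash and source in step.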
@@ -0,0 +1,23 @@ +# /etc/nixos/flake.nix +{ + description = "Framework Desktop with Strix Halo"; + + inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; + strix-halo.url = "github:hellas-ai/nix-strix-halo"; + }; + + outputs = { self, nixpkgs, strix-halo, ... }: { + nixosConfigurations.crossbox = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + ./configuration.nix + + ({ pkgs, ... }: { + # Apply Strix Halo overlay + nixpkgs.overlays = [ strix-halo.overlays.default ]; + }) + ]; + }; + }; +} \ No newline at end of file diff --git a/nginx.nix b/nginx.nix index 58f2af7..cb13132 100644 --- a/nginx.nix +++ b/nginx.nix @@ -1,21 +1,10 @@ { config, pkgs, lib, ... }: let - # Read multiple API keys from the secrets file at build time - # Note: This embeds the secrets in the Nix store, which is a trade-off - # Alternative: Keep secrets file and read via njs module or external auth service - secretsFile = "/srv/nginx/secrets"; - - # Read API keys from file (one key per line, will be evaluated at build time) - # If the file doesn't exist yet, this will fail - create it first - apiKeysRaw = builtins.readFile secretsFile; - apiKeys = lib.filter (k: k != "") (lib.splitString "\n" apiKeysRaw); - - # Generate map entries for each key - mapEntries = lib.concatMapStringsSep "\n " - (key: ''"Bearer ${key}" "authorized";'') - apiKeys; - + # NOTE: API keys will be loaded from /srv/nginx/secrets at runtime + # This file should contain one Bearer token per line + # The secrets file is read at runtime via include directive instead of build time + # to avoid flake purity issues in { services.nginx = { 
@@ -31,12 +20,16 @@ in mapHashBucketSize = 128; # Map directive to check Authorization header against multiple keys + # Keys are loaded from /srv/nginx/secrets.map at runtime appendHttpConfig = '' # Check if the Authorization header matches any expected value map $http_authorization $auth_status { default "unauthorized"; "" "no_auth"; - ${mapEntries} + # Add your Bearer tokens here manually, or use include directive + # Format: "Bearer YOUR_TOKEN_HERE" "authorized"; + # You can also create /srv/nginx/secrets.map and include it: + # include /srv/nginx/secrets.map; } ''; @@ -66,7 +59,7 @@ in locations."/blog/private/" = { extraConfig = '' auth_basic "Private Articles"; - auth_basic_user_file /srv/nginx/.htpasswd; + auth_basic_user_file "/srv/nginx/.htpasswd"; # Enable Server Side Includes ssi on; diff --git a/ollama.nix b/ollama.nix index 9f40eee..dc561e3 100644 --- a/ollama.nix +++ b/ollama.nix @@ -16,7 +16,9 @@ ]; # Add CA certificate for Ollama - security.pki.certificateFiles = [ - /home/brimlock/ollama-ca.crt - ]; + # Note: Path must be accessible at runtime, not build time + # You can copy the cert to /etc/nixos/ and reference it, or use a string path + # security.pki.certificateFiles = [ + # "/home/brimlock/ollama-ca.crt" + # ]; } From b717ea973afe28766754d8b4176bae1f72339406 Mon Sep 17 00:00:00 2001 
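Review bot: With `${mapEntries}` replaced by comments only, the `map` in nginx.nix has no entry that yields "authorized", so every request falls to `default "unauthorized"` or `"" "no_auth"` until an `include` is actually enabled. That fails closed, which is the safe direction, but any location gated on `$auth_status` will reject all clients after this commit. The new comments also name two different files (`/srv/nginx/secrets` in the `let` block, `/srv/nginx/secrets.map` here); I would settle on one, e.g. `# Keys are loaded from /srv/nginx/secrets.map at runtime, one "Bearer <token>" "authorized"; entry per line`.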
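Review bot: Commenting out `security.pki.certificateFiles` in ollama.nix removes the Ollama CA from the system trust store, so any client on this host that relied on it will fail TLS verification, which tends to end with verification being switched off. The added comment also looks inaccurate: as far as I know this option is consumed when the system is built, not at runtime, which is why an absolute path outside the flake breaks pure evaluation. A CA certificate is public, so committing it next to the module and using `security.pki.certificateFiles = [ ./ollama-ca.crt ];` should restore the trust anchor. The enclosing attribute set starts outside the hunk.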
From: "matthew.binning" Date: Wed, 11 Feb 2026 05:13:20 -0800 Subject: [PATCH 02/10] feat: Convert to a multi-host flake --- .gitignore | 1 - configuration.nix | 11 - flake.lock | 314 ++++++++++++++++++++ flake.nix | 37 ++- anvil.nix => hosts/anvil/default.nix | 7 +- hosts/anvil/hardware-configuration.nix | 20 ++ hosts/anvil/nginx.nix | 5 + crossbox.nix => hosts/crossbox/default.nix | 9 + docuseal.nix => hosts/crossbox/docuseal.nix | 0 forgejo.nix => hosts/crossbox/forgejo.nix | 0 hosts/crossbox/hardware-configuration.nix | 39 +++ nginx.nix => hosts/crossbox/nginx.nix | 0 ollama.nix => hosts/crossbox/ollama.nix | 0 radicale.nix => hosts/crossbox/radicale.nix | 0 14 files changed, 416 insertions(+), 27 deletions(-) create mode 100644 flake.lock rename anvil.nix => hosts/anvil/default.nix (78%) create mode 100644 hosts/anvil/hardware-configuration.nix create mode 100644 hosts/anvil/nginx.nix rename crossbox.nix => hosts/crossbox/default.nix (93%) rename docuseal.nix => hosts/crossbox/docuseal.nix (100%) rename forgejo.nix => hosts/crossbox/forgejo.nix (100%) create mode 100644 hosts/crossbox/hardware-configuration.nix rename nginx.nix => hosts/crossbox/nginx.nix (100%) rename ollama.nix => hosts/crossbox/ollama.nix (100%) rename radicale.nix => hosts/crossbox/radicale.nix (100%) diff --git a/.gitignore b/.gitignore index 15d854b..fd03719 100644 --- a/.gitignore +++ b/.gitignore @@ -6,6 +6,5 @@ result-* # Ignore automatically generated direnv output .direnv -hardware-configuration.nix comfy-ui.nix *.bak diff --git a/configuration.nix b/configuration.nix index 12c0dab..b1f11bb 100644 --- a/configuration.nix +++ b/configuration.nix 
@@ -1,17 +1,6 @@ { config, pkgs, ... }: -let - hostConfigs = { - crossbox = [ ./crossbox.nix ./sdr.nix ./syncthing.nix ./forgejo.nix ./radicale.nix ./ollama.nix #./docuseal.nix - ./nginx.nix ]; - anvil = [ ./anvil.nix ./sdr.nix ./vpn.nix ./syncthing.nix ./staging.nginx.nix ]; - }; -in { - imports = - [ # Include the results of the hardware scan. - ./hardware-configuration.nix - ] ++ hostConfigs.crossbox; nix.settings.experimental-features = [ "nix-command" "flakes" ]; nix.gc = { diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..a63e9a0 --- /dev/null +++ b/flake.lock 
@@ -0,0 +1,314 @@ +{ + "nodes": { + "chaotic": { + "inputs": { + "flake-schemas": "flake-schemas", + "home-manager": "home-manager", + "jovian": "jovian", + "nixpkgs": "nixpkgs_2", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1754907869, + "narHash": "sha256-tzshAAjt0xDjCc/aOgii6PSqePIc2rWYSXF8VnqEhIg=", + "owner": "chaotic-cx", + "repo": "nyx", + "rev": "b5f83e0d7bce67af178f6aaef95853fedf4c00a0", + "type": "github" + }, + "original": { + "owner": "chaotic-cx", + "ref": "nyxpkgs-unstable", + "repo": "nyx", + "type": "github" + } + }, + "disko": { + "inputs": { + "nixpkgs": [ + "strix-halo", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1754971456, + "narHash": "sha256-p04ZnIBGzerSyiY2dNGmookCldhldWAu03y0s3P8CB0=", + "owner": "nix-community", + "repo": "disko", + "rev": "8246829f2e675a46919718f9a64b71afe3bfb22d", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "ec-su-axb35": { + "flake": false, + "locked": { + "lastModified": 1752926484, + "narHash": "sha256-CKMoltjRCvfKF7tJvP+wvwiuy2EpTP3vGbs875ey/7M=", + "owner": "cmetz", + "repo": "ec-su_axb35-linux", + "rev": "1761092d215322a62dee19afab7b4765788611eb", + "type": "github" + }, + "original": { + "owner": "cmetz", + "repo": "ec-su_axb35-linux", + "type": "github" + } + }, + "flake-schemas": { + "locked": { + "lastModified": 1721999734, + "narHash": "sha256-G5CxYeJVm4lcEtaO87LKzOsVnWeTcHGKbKxNamNWgOw=", + "rev": "0a5c42297d870156d9c57d8f99e476b738dcd982", + "revCount": 75, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/flake-schemas/0.1.5/0190ef2f-61e0-794b-ba14-e82f225e55e6/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/DeterminateSystems/flake-schemas/%3D0.1.5.tar.gz" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1731533236, + "narHash": 
"sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "strix-halo", + "chaotic", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1754886238, + "narHash": "sha256-LTQomWOwG70lZR+78ZYSZ9sYELWNq3HJ7/tdHzfif/s=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "0d492b89d1993579e63b9dbdaed17fd7824834da", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "jovian": { + "inputs": { + "nix-github-actions": "nix-github-actions", + "nixpkgs": [ + "strix-halo", + "chaotic", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1754639028, + "narHash": "sha256-w1+XzPBAZPbeGLMAgAlOjIquswo6Q42PMep9KSrRzOA=", + "owner": "Jovian-Experiments", + "repo": "Jovian-NixOS", + "rev": "d49809278138d17be77ab0ef5506b26dc477fa62", + "type": "github" + }, + "original": { + "owner": "Jovian-Experiments", + "repo": "Jovian-NixOS", + "type": "github" + } + }, + "llama-cpp": { + "flake": false, + "locked": { + "lastModified": 1755068833, + "narHash": "sha256-U2bNRei5Q+fpMmk0Oc2HVSIY6KSBhgcNNkNhGykpG2c=", + "owner": "ggerganov", + "repo": "llama.cpp", + "rev": "bc5182272c373267352bc689e5fca276934bea2d", + "type": "github" + }, + "original": { + "owner": "ggerganov", + "repo": "llama.cpp", + "type": "github" + } + }, + "nix-github-actions": { + "inputs": { + "nixpkgs": [ + "strix-halo", + "chaotic", + "jovian", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1729697500, + "narHash": "sha256-VFTWrbzDlZyFHHb1AlKRiD/qqCJIripXKiCSFS8fAOY=", + "owner": "zhaofengli", + "repo": "nix-github-actions", + "rev": "e418aeb728b6aa5ca8c5c71974e7159c2df1d8cf", + "type": "github" + }, + "original": { + "owner": "zhaofengli", + "ref": "matrix-name", + "repo": 
"nix-github-actions", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1770562336, + "narHash": "sha256-ub1gpAONMFsT/GU2hV6ZWJjur8rJ6kKxdm9IlCT0j84=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "d6c71932130818840fc8fe9509cf50be8c64634f", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1754725699, + "narHash": "sha256-iAcj9T/Y+3DBy2J0N+yF9XQQQ8IEb5swLFzs23CdP88=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "85dbfc7aaf52ecb755f87e577ddbe6dbbdbc1054", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1754725699, + "narHash": "sha256-iAcj9T/Y+3DBy2J0N+yF9XQQQ8IEb5swLFzs23CdP88=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "85dbfc7aaf52ecb755f87e577ddbe6dbbdbc1054", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "rocwmma": { + "flake": false, + "locked": { + "lastModified": 1755039337, + "narHash": "sha256-qs6SFRRQHDJjja5GM91y0q5VpX/qzrtcGqdPN4FJMWI=", + "owner": "ROCm", + "repo": "rocWMMA", + "rev": "697624de0919f62f0f42bb237dd45d0296fc2c1a", + "type": "github" + }, + "original": { + "owner": "ROCm", + "repo": "rocWMMA", + "type": "github" + } + }, + "root": { + "inputs": { + "nixpkgs": "nixpkgs", + "strix-halo": "strix-halo" + } + }, + "rust-overlay": { + "inputs": { + "nixpkgs": [ + "strix-halo", + "chaotic", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1754880555, + "narHash": "sha256-tG6l0wiX8V8IvG4HFYY8IYN5vpNAxQ+UWunjjpE6SqU=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "17c591a44e4eb77f05f27cd37e1cfc3f219c7fc4", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + 
"strix-halo": { + "inputs": { + "chaotic": "chaotic", + "disko": "disko", + "ec-su-axb35": "ec-su-axb35", + "flake-utils": "flake-utils", + "llama-cpp": "llama-cpp", + "nixpkgs": "nixpkgs_3", + "rocwmma": "rocwmma" + }, + "locked": { + "lastModified": 1766179824, + "narHash": "sha256-11kC3d0GrpodpZ8yVJFsgNjdUlw99yvAa9Q2LOHtQWw=", + "owner": "hellas-ai", + "repo": "nix-strix-halo", + "rev": "3d090ab99f3b86b33f10c30c283225fbf4f16628", + "type": "github" + }, + "original": { + "owner": "hellas-ai", + "repo": "nix-strix-halo", + "type": "github" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix index 44638eb..9ccf9e4 100644 --- a/flake.nix +++ b/flake.nix 
@@ -1,23 +1,32 @@ -# /etc/nixos/flake.nix { - description = "Framework Desktop with Strix Halo"; + description = "NixOS configurations for crossbox and anvil"; inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; strix-halo.url = "github:hellas-ai/nix-strix-halo"; }; - outputs = { self, nixpkgs, strix-halo, ... }: { - nixosConfigurations.crossbox = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - modules = [ - ./configuration.nix - - ({ pkgs, ... }: { - # Apply Strix Halo overlay - nixpkgs.overlays = [ strix-halo.overlays.default ]; - }) - ]; + outputs = { self, nixpkgs, strix-halo, ... }: + let + mkHost = { hostDir, extraModules ? [], overlays ? [] }: + nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + ./configuration.nix + hostDir + ({ ... }: { nixpkgs.overlays = overlays; }) + ] ++ extraModules; + }; + in { + nixosConfigurations.crossbox = mkHost { + hostDir = ./hosts/crossbox; + overlays = [ strix-halo.overlays.default ]; + extraModules = [ ./sdr.nix ./syncthing.nix ]; + }; + + nixosConfigurations.anvil = mkHost { + hostDir = ./hosts/anvil; + extraModules = [ ./sdr.nix ./syncthing.nix ]; }; }; -} \ No newline at end of file +} diff --git a/anvil.nix b/hosts/anvil/default.nix similarity index 78% rename from anvil.nix rename to hosts/anvil/default.nix index 7b718ef..ab180b1 100644 --- a/anvil.nix +++ b/hosts/anvil/default.nix @@ -1,10 +1,15 @@ { config, pkgs, ... }: { + imports = [ + ./hardware-configuration.nix + # ./nginx.nix # TODO + ]; + networking.hostName = "anvil"; system.stateVersion = "24.11"; networking.firewall.allowedTCPPorts = [ 8384 ]; - hardware.pulseaudio.enable = false; + services.pulseaudio.enable = false; boot.initrd.luks.devices."luks-1f261d60-dfb4-4f63-9c77-f331a007108b".device = "/dev/disk/by-uuid/1f261d60-dfb4-4f63-9c77-f331a007108b"; diff --git a/hosts/anvil/hardware-configuration.nix b/hosts/anvil/hardware-configuration.nix new file mode 100644 index 0000000..661efab --- /dev/null 
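Review bot: The `nixosConfigurations.anvil` entry in flake.nix passes only `extraModules = [ ./sdr.nix ./syncthing.nix ];`, while the `hostConfigs.anvil` list removed from configuration.nix in this commit also imported `./vpn.nix` and `./staging.nginx.nix`. If that omission is not deliberate, anvil loses its VPN configuration on the next rebuild while hosts/anvil/default.nix still opens port 8384. I would either restore them with `extraModules = [ ./sdr.nix ./vpn.nix ./syncthing.nix ./staging.nginx.nix ];` or state in the commit message that they are dropped on purpose.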
+++ b/hosts/anvil/hardware-configuration.nix @@ -0,0 +1,20 @@ +# TODO: Replace with actual hardware-configuration.nix from anvil machine +# Run on anvil: nixos-generate-config --show-hardware-config +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + # Placeholder filesystem - replace with actual values from anvil + fileSystems."/" = { + device = "/dev/disk/by-uuid/PLACEHOLDER"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/PLACEHOLDER"; + fsType = "vfat"; + }; +} diff --git a/hosts/anvil/nginx.nix b/hosts/anvil/nginx.nix new file mode 100644 index 0000000..ea17920 --- /dev/null +++ b/hosts/anvil/nginx.nix @@ -0,0 +1,5 @@ +# TODO: Configure anvil's nginx +{ config, pkgs, lib, ... }: + +{ +} diff --git a/crossbox.nix b/hosts/crossbox/default.nix similarity index 93% rename from crossbox.nix rename to hosts/crossbox/default.nix index 02d8592..3811cd4 100644 --- a/crossbox.nix +++ b/hosts/crossbox/default.nix @@ -9,6 +9,15 @@ let }) { system = pkgs.system; }; in { + imports = [ + ./hardware-configuration.nix + ./nginx.nix + ./forgejo.nix + ./radicale.nix + ./ollama.nix + # ./docuseal.nix + ]; + environment.systemPackages = with pkgs; [ bisqPkgs.bisq-desktop # v1.9.15-1.9.17 from nixos-24.05 bisq2 diff --git a/docuseal.nix b/hosts/crossbox/docuseal.nix similarity index 100% rename from docuseal.nix rename to hosts/crossbox/docuseal.nix diff --git a/forgejo.nix b/hosts/crossbox/forgejo.nix similarity index 100% rename from forgejo.nix rename to hosts/crossbox/forgejo.nix diff --git a/hosts/crossbox/hardware-configuration.nix b/hosts/crossbox/hardware-configuration.nix new file mode 100644 index 0000000..8b1187f --- /dev/null +++ b/hosts/crossbox/hardware-configuration.nix 
@@ -0,0 +1,39 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usbhid" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/da4a61ca-f2f7-47d3-a902-a898e2cf1dfc"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/36FB-9CD5"; + fsType = "vfat"; + options = [ "fmask=0077" "dmask=0077" ]; + }; + + fileSystems."/data" = + { device = "/dev/disk/by-uuid/1e785349-ecd9-4b0f-9dc6-f6e3a6fe95f1"; + fsType = "ext4"; + options = [ "noatime" "users" "nofail" ]; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/69fc5898-4a33-431e-bea6-3ce7352312bf"; } + ]; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/nginx.nix b/hosts/crossbox/nginx.nix similarity index 100% rename from nginx.nix rename to hosts/crossbox/nginx.nix diff --git a/ollama.nix b/hosts/crossbox/ollama.nix similarity index 100% rename from ollama.nix rename to hosts/crossbox/ollama.nix diff --git a/radicale.nix b/hosts/crossbox/radicale.nix similarity index 100% rename from radicale.nix rename to hosts/crossbox/radicale.nix From cfd3aeecaff6de3d6eeae0410c7e3d3948a429d4 Mon Sep 17 00:00:00 2001 
From: "matthew.binning" Date: Wed, 11 Feb 2026 06:30:34 -0800 Subject: [PATCH 03/10] feat: Prepare for llama-server when ROCm is fixed upstream --- flake.lock | 7 ++--- flake.nix | 7 ++++- hosts/crossbox/default.nix | 6 +++-- hosts/crossbox/llama-server.nix | 47 +++++++++++++++++++++++++++++++++ 4 files changed, 61 insertions(+), 6 deletions(-) create mode 100644 hosts/crossbox/llama-server.nix diff --git a/flake.lock b/flake.lock index a63e9a0..7b4da1a 100644 --- a/flake.lock +++ b/flake.lock @@ -140,15 +140,16 @@ "llama-cpp": { "flake": false, "locked": { - "lastModified": 1755068833, - "narHash": "sha256-U2bNRei5Q+fpMmk0Oc2HVSIY6KSBhgcNNkNhGykpG2c=", + "lastModified": 1770704370, + "narHash": "sha256-atYUuXBZFbJxmswd694YwHfAWj1NClZ6mXiQbP1ABG8=", "owner": "ggerganov", "repo": "llama.cpp", - "rev": "bc5182272c373267352bc689e5fca276934bea2d", + "rev": "f0bfe54f552f4783588f333b90d73920a57c5096", "type": "github" }, "original": { "owner": "ggerganov", + "ref": "b7984", "repo": "llama.cpp", "type": "github" } diff --git a/flake.nix b/flake.nix index 9ccf9e4..2f675bc 100644 --- a/flake.nix +++ b/flake.nix @@ -4,13 +4,15 @@ inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; strix-halo.url = "github:hellas-ai/nix-strix-halo"; + strix-halo.inputs.llama-cpp.url = "github:ggerganov/llama.cpp/b7984"; }; outputs = { self, nixpkgs, strix-halo, ... }: let - mkHost = { hostDir, extraModules ? [], overlays ? [] }: + mkHost = { hostDir, extraModules ? [], overlays ? [], extraSpecialArgs ? {} }: nixpkgs.lib.nixosSystem { system = "x86_64-linux"; + specialArgs = extraSpecialArgs; modules = [ ./configuration.nix hostDir @@ -22,6 +24,9 @@ hostDir = ./hosts/crossbox; overlays = [ strix-halo.overlays.default ]; extraModules = [ ./sdr.nix ./syncthing.nix ]; + extraSpecialArgs = { + strix-halo-pkgs = strix-halo.packages.x86_64-linux; + }; }; nixosConfigurations.anvil = mkHost { diff --git a/hosts/crossbox/default.nix b/hosts/crossbox/default.nix index 3811cd4..b8202c8 100644 
--- a/hosts/crossbox/default.nix +++ b/hosts/crossbox/default.nix @@ -1,4 +1,4 @@ -{ config, pkgs, lib, ... }: +{ config, pkgs, lib, strix-halo-pkgs, ... }: let # Using nixos-24.05 for bisq-desktop (last stable release with working bisq-desktop) @@ -15,13 +15,15 @@ in ./forgejo.nix ./radicale.nix ./ollama.nix + # ./llama-server.nix # disabled: source build broken (LLVM 22 vs 19 mismatch in strix-halo overlay) # ./docuseal.nix ]; environment.systemPackages = with pkgs; [ bisqPkgs.bisq-desktop # v1.9.15-1.9.17 from nixos-24.05 bisq2 - llamacpp-rocm-bin-gfx1151 + llamacpp-rocm-bin-gfx1151 # prebuilt b1025; source build broken (LLVM mismatch) + # strix-halo-pkgs.llamacpp-rocm-gfx1151 # source-built, re-enable when overlay fixes LLVM 22/19 mismatch lmstudio ]; diff --git a/hosts/crossbox/llama-server.nix b/hosts/crossbox/llama-server.nix new file mode 100644 index 0000000..ee47dbb --- /dev/null +++ b/hosts/crossbox/llama-server.nix 
@@ -0,0 +1,47 @@
+{ config, pkgs, lib, strix-halo-pkgs, ... }:
+
+{
+ # Systemd service for llama-server with GLM-4.7-Flash
+ # Replaces Calvin's Docker-based setup
+ systemd.services.llama-server = {
+ description = "llama.cpp server (GLM-4.7-Flash)";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ environment = {
+ HSA_OVERRIDE_GFX_VERSION = "11.5.1";
+ };
+
+ serviceConfig = {
+ # Source-built llamacpp with ROCm for gfx1151, tracks flake's llama-cpp input (b7984)
+ ExecStart = ''
+ ${strix-halo-pkgs.llamacpp-rocm-gfx1151}/bin/llama-server \
+ -m /srv/llama/models/GLM-4.7-Flash-Q4_K_S.gguf \
+ --fa \
+ -c 16384 \
+ --port 25566 \
+ --host 0.0.0.0 \
+ --jinja \
+ --chat-template-file /srv/llama/templates/glminstruct.template
+ '';
+ Restart = "on-failure";
+ RestartSec = 5;
+
+ # Run as a dedicated user
+ DynamicUser = true;
+ StateDirectory = "llama-server";
+
+ # Read-only access to model and template files
+ ReadOnlyPaths = [ "/srv/llama" ];
+ };
+ };
+
+ # Ensure directories exist
+ systemd.tmpfiles.rules = [
+ "d /srv/llama 0755 root root -"
+ "d /srv/llama/models 0755 root root -"
+ "d /srv/llama/templates 0755 root root -"
+ ];
+
+ networking.firewall.allowedTCPPorts = [ 25566 ];
+}
From 4bad65bdac4a79f579342680d546216c69615b78 Mon Sep 17 00:00:00 2001
From: "matthew.binning"
Date: Thu, 12 Feb 2026 07:30:05 -0800
Subject: [PATCH 04/10] feat: Add lmstudio to reverse proxy
---
hosts/crossbox/nginx.nix | 51 +++++++++++++++++++++++++++++++++++++++-
1 file changed, 50 insertions(+), 1 deletion(-)
diff --git a/hosts/crossbox/nginx.nix b/hosts/crossbox/nginx.nix
index cb13132..1fbcfa4 100644
--- a/hosts/crossbox/nginx.nix
+++ b/hosts/crossbox/nginx.nix
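Review bot: In hosts/crossbox/llama-server.nix, `--host 0.0.0.0` together with `networking.firewall.allowedTCPPorts = [ 25566 ];` publishes llama-server on every interface with no authentication in front of it, unlike the services that sit behind the bearer-token check in nginx.nix. I would bind it to loopback with `--host 127.0.0.1 \` and drop the firewall line, then add an nginx virtual host that reuses the `$auth_status` check if remote access is needed. The module is commented out of default.nix in this commit, so the exposure only takes effect once it is re-enabled, which is the moment it is easiest to overlook.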
@@ -92,11 +92,16 @@ in # Proxy to Ollama (only if authorized) proxy_pass http://localhost:11434; + proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; - + proxy_set_header Connection ""; + + # Disable buffering for streaming (SSE) responses + proxy_buffering off; + # Timeouts for long-running requests proxy_read_timeout 300s; proxy_connect_timeout 300s; @@ -112,6 +117,50 @@ in }; }; + # LM Studio with Bearer token authentication + "lmstudio.binning.net" = { + forceSSL = true; + + sslCertificate = "/srv/nginx/binning.net.pem"; + sslCertificateKey = "/srv/nginx/binning.net.key.pem"; + + locations."/" = { + extraConfig = '' + # Check auth status + if ($auth_status = "no_auth") { + return 401 "Unauthorized: Bearer token required\n"; + } + if ($auth_status = "unauthorized") { + return 403 "Forbidden: Invalid API key\n"; + } + + # Proxy to LM Studio + proxy_pass http://localhost:1234; + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Connection ""; + + # Disable buffering for streaming (SSE) responses + proxy_buffering off; + + # Timeouts for long-running requests + proxy_read_timeout 300s; + proxy_connect_timeout 300s; + proxy_send_timeout 300s; + + # Allow large request bodies + client_max_body_size 100M; + + # Logging + access_log /var/log/nginx/lmstudio_access.log; + error_log /var/log/nginx/lmstudio_error.log; + ''; + }; + }; + # Forgejo "forgejo.binning.net" = { forceSSL = true; From 651cc2be63d829447bf2fae3f877c9e0663e817d Mon Sep 17 00:00:00 2001 From: "matthew.binning" Date: Thu, 12 Feb 2026 07:47:52 -0800 Subject: [PATCH 05/10] Reenable API key file --- hosts/crossbox/nginx.nix | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
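Review bot: The new `lmstudio.binning.net` location validates the bearer token in nginx and then forwards the request, client `Authorization` header included, to the upstream on localhost:1234. Unless the backend is configured to check that header itself, it has no need for the secret once nginx has decided, so I would clear it with `proxy_set_header Authorization "";` next to the other `proxy_set_header` lines; the Ollama location touched in the first hunk has the same shape. The two locations are now near-identical copies, so a shared `let`-bound string for the auth check and proxy settings would stop future hardening from landing on only one of them.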
diff --git a/hosts/crossbox/nginx.nix b/hosts/crossbox/nginx.nix index 1fbcfa4..2e2bcf7 100644 --- a/hosts/crossbox/nginx.nix +++ b/hosts/crossbox/nginx.nix @@ -26,10 +26,9 @@ in map $http_authorization $auth_status { default "unauthorized"; "" "no_auth"; - # Add your Bearer tokens here manually, or use include directive + # Tokens loaded from file to keep secrets out of the nix store # Format: "Bearer YOUR_TOKEN_HERE" "authorized"; - # You can also create /srv/nginx/secrets.map and include it: - # include /srv/nginx/secrets.map; + include /srv/nginx/secrets.map; } ''; From 0a9981870dfb23067ea66c1986eb55d691743f78 Mon Sep 17 00:00:00 2001 From: "matthew.binning" Date: Fri, 13 Feb 2026 08:01:23 -0800 Subject: [PATCH 06/10] Add RustDesk service and nginx configuration --- hosts/crossbox/default.nix | 1 + hosts/crossbox/nginx.nix | 32 ++++++++++++++++++++++++-------- hosts/crossbox/rustdesk.nix | 24 ++++++++++++++++++++++++ 3 files changed, 49 insertions(+), 8 deletions(-) create mode 100644 hosts/crossbox/rustdesk.nix diff --git a/hosts/crossbox/default.nix b/hosts/crossbox/default.nix index b8202c8..80ef65d 100644 --- a/hosts/crossbox/default.nix +++ b/hosts/crossbox/default.nix @@ -15,6 +15,7 @@ in ./forgejo.nix ./radicale.nix ./ollama.nix + ./rustdesk.nix # ./llama-server.nix # disabled: source build broken (LLVM 22 vs 19 mismatch in strix-halo overlay) # ./docuseal.nix ]; diff --git a/hosts/crossbox/nginx.nix b/hosts/crossbox/nginx.nix index 2e2bcf7..efc76a2 100644 --- a/hosts/crossbox/nginx.nix +++ b/hosts/crossbox/nginx.nix @@ -117,11 +117,12 @@ in }; # LM Studio with Bearer token authentication + # Proxies https://lmstudio.binning.net/v1 to http://localhost:1234/v1. "lmstudio.binning.net" = { forceSSL = true; - sslCertificate = "/srv/nginx/binning.net.pem"; - sslCertificateKey = "/srv/nginx/binning.net.key.pem"; + sslCertificate = "/srv/nginx/binning.net.pem"; + sslCertificateKey = "/srv/nginx/binning.net.key.pem"; locations."/" = { extraConfig = '' 
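Review bot: The `include /srv/nginx/secrets.map;` added in PATCH 05 makes nginx start-up depend on a file outside the Nix store, and the hunk does not say who may read that file. It holds live bearer tokens, so it should be owned by root and readable only by the nginx service group (for example mode 0640). A missing or malformed file will make the whole configuration fail to load, which takes every virtual host down, not just the token-protected ones. I would extend the comment to say so: `# /srv/nginx/secrets.map must exist before activation; root:nginx 0640`. The `let`-block comment from the earlier commit still refers to /srv/nginx/secrets and lies outside this hunk.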
@@ -133,8 +134,9 @@ in return 403 "Forbidden: Invalid API key\n"; } - # Proxy to LM Studio - proxy_pass http://localhost:1234; + # Proxy to LM Studio (running on port 1234) + # Note: The trailing slash is important - it preserves the /v1 path + proxy_pass http://localhost:1234/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; @@ -165,8 +167,8 @@ in forceSSL = true; #enableACME = true; - sslCertificate = "/srv/nginx/binning.net.pem"; - sslCertificateKey = "/srv/nginx/binning.net.key.pem"; + sslCertificate = "/srv/nginx/binning.net.pem"; + sslCertificateKey = "/srv/nginx/binning.net.key.pem"; locations."/" = { proxyPass = "http://127.0.0.1:3000"; @@ -179,8 +181,8 @@ in forceSSL = true; #enableACME = true; - sslCertificate = "/srv/nginx/binning.net.pem"; - sslCertificateKey = "/srv/nginx/binning.net.key.pem"; + sslCertificate = "/srv/nginx/binning.net.pem"; + sslCertificateKey = "/srv/nginx/binning.net.key.pem"; locations."/" = { proxyPass = "http://127.0.0.1:5232"; @@ -204,6 +206,20 @@ in proxyWebsockets = true; }; }; + + # RustDesk + "rustdesk.binning.net" = { + forceSSL = true; + + #enableACME = true; + sslCertificate = "/srv/nginx/binning.net.pem"; + sslCertificateKey = "/srv/nginx/binning.net.key.pem"; + + locations."/" = { + proxyPass = "http://127.0.0.1:16484"; + proxyWebsockets = true; + }; + }; }; }; diff --git a/hosts/crossbox/rustdesk.nix b/hosts/crossbox/rustdesk.nix new file mode 100644 index 0000000..8522369 --- /dev/null +++ b/hosts/crossbox/rustdesk.nix 
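Review bot: The comment added above `proxy_pass http://localhost:1234/;` says the trailing slash preserves the /v1 path, but inside `location /` the path reaches the upstream unchanged with or without it. What the URI form changes is that nginx forwards its normalised request URI instead of the bytes the client sent. I would reword it to `# URI form: nginx passes the normalised request path (/v1/... stays /v1/...)` or drop both the slash and the note. The location block begins outside this hunk.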
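Review bot: The `rustdesk.binning.net` virtual host added in the last nginx.nix hunk proxies to 127.0.0.1:16484 without the `$auth_status` check used for the Ollama and LM Studio hosts. rustdesk.nix in the same commit also lists 16484 in `networking.firewall.allowedTCPPorts`, so the port is reachable directly as well as through TLS. If the proxy is meant to be the only entry point, the firewall line in rustdesk.nix should be removed. It is also worth confirming that whatever listens on that port speaks HTTP or WebSocket, since nothing visible in the patch establishes that.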
@@ -0,0 +1,24 @@ +{ config, pkgs, lib, ... }: + +{ + services.rustdesk = { + enable = true; + server = { + port = 16484; + # Optional: Set a password for the server + # password = "your-password"; + }; + client = { + # Optional: Set a password for the client + # password = "your-password"; + }; + }; + + # Open firewall port for RustDesk + networking.firewall.allowedTCPPorts = [ 16484 ]; + + # Install RustDesk + environment.systemPackages = with pkgs; [ + rustdesk + ]; +} \ No newline at end of file From 5aa1d4192fe3e2f6640352fed468c6460b5a15a2 Mon Sep 17 00:00:00 2001 From: "matthew.binning" Date: Fri, 13 Feb 2026 09:51:39 -0800 Subject: [PATCH 07/10] fix: Undirty flake build and comment out rustdesk --- hosts/crossbox/default.nix | 2 +- hosts/crossbox/rustdesk.nix | 20 ++------------------ 2 files changed, 3 insertions(+), 19 deletions(-) diff --git a/hosts/crossbox/default.nix b/hosts/crossbox/default.nix index 80ef65d..0dd69b4 100644 --- a/hosts/crossbox/default.nix +++ b/hosts/crossbox/default.nix @@ -15,7 +15,7 @@ in ./forgejo.nix ./radicale.nix ./ollama.nix - ./rustdesk.nix + #./rustdesk.nix # ./llama-server.nix # disabled: source build broken (LLVM 22 vs 19 mismatch in strix-halo overlay) # ./docuseal.nix ]; diff --git a/hosts/crossbox/rustdesk.nix b/hosts/crossbox/rustdesk.nix index 8522369..0e03483 100644 --- a/hosts/crossbox/rustdesk.nix +++ b/hosts/crossbox/rustdesk.nix @@ -1,24 +1,8 @@ { config, pkgs, lib, ... }: { - services.rustdesk = { + services.rustdesk-server = { enable = true; - server = { - port = 16484; - # Optional: Set a password for the server - # password = "your-password"; - }; - client = { - # Optional: Set a password for the client - # password = "your-password"; - }; + openFirewall = true; }; - - # Open firewall port for RustDesk - networking.firewall.allowedTCPPorts = [ 16484 ]; - - # Install RustDesk - environment.systemPackages = with pkgs; [ - rustdesk - ]; } \ No newline at end of file 
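Review bot: `openFirewall = true;` under `services.rustdesk-server` opens the server's ports on every interface, while the `rustdesk.binning.net` virtual host from the previous commit still proxies to 127.0.0.1:16484, a port this module no longer configures. The import is commented out in `default.nix` in this same commit, so the setting is inert for now, but re-enabling it would expose the RustDesk signal and relay services without the nginx TLS front end. I would add a comment such as `# openFirewall exposes the RustDesk server ports directly; the nginx vhost on 16484 is stale` and remove or update that virtual host.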
From 9328ca3717f616796ce9d4d4dfd7d9aa9de7654b Mon Sep 17 00:00:00 2001 From: "matthew.binning" Date: Mon, 16 Feb 2026 07:15:15 -0800 Subject: [PATCH 08/10] feat: Add comfy-ui with basic auth --- flake.lock | 79 +++++++++++++++++++++++++++++++++++--- flake.nix | 11 ++++-- hosts/crossbox/comfyui.nix | 9 +++++ hosts/crossbox/default.nix | 1 + hosts/crossbox/nginx.nix | 17 ++++++++ 5 files changed, 109 insertions(+), 8 deletions(-) create mode 100644 hosts/crossbox/comfyui.nix diff --git a/flake.lock b/flake.lock index 7b4da1a..6de247f 100644 --- a/flake.lock +++ b/flake.lock @@ -5,7 +5,7 @@ "flake-schemas": "flake-schemas", "home-manager": "home-manager", "jovian": "jovian", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs_3", "rust-overlay": "rust-overlay" }, "locked": { @@ -23,6 +23,25 @@ "type": "github" } }, + "comfyui-nix": { + "inputs": { + "flake-parts": "flake-parts", + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1770501766, + "narHash": "sha256-GWAsk06uDuLoKpvEcEP7h3PdWLhdJCxHM7C96s9X7UA=", + "owner": "utensils", + "repo": "comfyui-nix", + "rev": "dc0e4a2efc036092a98bb20503f827247f36f49a", + "type": "github" + }, + "original": { + "owner": "utensils", + "repo": "comfyui-nix", + "type": "github" + } + }, "disko": { "inputs": { "nixpkgs": [ @@ -60,6 +79,24 @@ "type": "github" } }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1767609335, + "narHash": "sha256-feveD98mQpptwrAEggBQKJTYbvwwglSbOv53uCfH9PY=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "250481aafeb741edfe23d29195671c19b36b6dca", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "flake-schemas": { "locked": { "lastModified": 1721999734, 
@@ -179,6 +216,37 @@ } }, "nixpkgs": { + "locked": { + "lastModified": 1766902085, + "narHash": "sha256-coBu0ONtFzlwwVBzmjacUQwj3G+lybcZ1oeNSQkgC0M=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "c0b0e0fddf73fd517c3471e546c0df87a42d53f4", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-lib": { + "locked": { + "lastModified": 1765674936, + "narHash": "sha256-k00uTP4JNfmejrCLJOwdObYC9jHRrr/5M/a/8L2EIdo=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "2075416fcb47225d9b68ac469a5c4801a9c4dd85", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, + "nixpkgs_2": { "locked": { "lastModified": 1770562336, "narHash": "sha256-ub1gpAONMFsT/GU2hV6ZWJjur8rJ6kKxdm9IlCT0j84=", @@ -194,7 +262,7 @@ "type": "github" } }, - "nixpkgs_2": { + "nixpkgs_3": { "locked": { "lastModified": 1754725699, "narHash": "sha256-iAcj9T/Y+3DBy2J0N+yF9XQQQ8IEb5swLFzs23CdP88=", @@ -210,7 +278,7 @@ "type": "github" } }, - "nixpkgs_3": { + "nixpkgs_4": { "locked": { "lastModified": 1754725699, "narHash": "sha256-iAcj9T/Y+3DBy2J0N+yF9XQQQ8IEb5swLFzs23CdP88=", @@ -244,7 +312,8 @@ }, "root": { "inputs": { - "nixpkgs": "nixpkgs", + "comfyui-nix": "comfyui-nix", + "nixpkgs": "nixpkgs_2", "strix-halo": "strix-halo" } }, @@ -277,7 +346,7 @@ "ec-su-axb35": "ec-su-axb35", "flake-utils": "flake-utils", "llama-cpp": "llama-cpp", - "nixpkgs": "nixpkgs_3", + "nixpkgs": "nixpkgs_4", "rocwmma": "rocwmma" }, "locked": { diff --git a/flake.nix b/flake.nix index 2f675bc..0e4a036 100644 --- a/flake.nix +++ b/flake.nix 
@@ -5,9 +5,10 @@ nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; strix-halo.url = "github:hellas-ai/nix-strix-halo"; strix-halo.inputs.llama-cpp.url = "github:ggerganov/llama.cpp/b7984"; + comfyui-nix.url = "github:utensils/comfyui-nix"; }; - outputs = { self, nixpkgs, strix-halo, ... }: + outputs = { self, nixpkgs, strix-halo, comfyui-nix, ... }: let mkHost = { hostDir, extraModules ? [], overlays ? [], extraSpecialArgs ? {} }: nixpkgs.lib.nixosSystem { @@ -22,8 +23,12 @@ in { nixosConfigurations.crossbox = mkHost { hostDir = ./hosts/crossbox; - overlays = [ strix-halo.overlays.default ]; - extraModules = [ ./sdr.nix ./syncthing.nix ]; + overlays = [ strix-halo.overlays.default comfyui-nix.overlays.default ]; + extraModules = [ + ./sdr.nix + ./syncthing.nix + comfyui-nix.nixosModules.default + ]; extraSpecialArgs = { strix-halo-pkgs = strix-halo.packages.x86_64-linux; }; diff --git a/hosts/crossbox/comfyui.nix b/hosts/crossbox/comfyui.nix new file mode 100644 index 0000000..22fb2ca --- /dev/null +++ b/hosts/crossbox/comfyui.nix @@ -0,0 +1,9 @@ +{ config, pkgs, lib, ... }: + +{ + services.comfyui = { + enable = true; + listenAddress = "127.0.0.1"; + port = 8188; + }; +} diff --git a/hosts/crossbox/default.nix b/hosts/crossbox/default.nix index 0dd69b4..56beb8b 100644 --- a/hosts/crossbox/default.nix +++ b/hosts/crossbox/default.nix @@ -15,6 +15,7 @@ in ./forgejo.nix ./radicale.nix ./ollama.nix + ./comfyui.nix #./rustdesk.nix # ./llama-server.nix # disabled: source build broken (LLVM 22 vs 19 mismatch in strix-halo overlay) # ./docuseal.nix diff --git a/hosts/crossbox/nginx.nix b/hosts/crossbox/nginx.nix index efc76a2..2218292 100644 --- a/hosts/crossbox/nginx.nix +++ b/hosts/crossbox/nginx.nix 
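Review bot: The new input `comfyui-nix.url = "github:utensils/comfyui-nix";` is added without a `follows`, and the flake.lock change in this commit shows it bringing its own `nixpkgs` and `flake-parts` nodes. The second hunk passes `comfyui-nix.overlays.default` to `mkHost` and imports `comfyui-nix.nixosModules.default`, so code from that repository can presumably replace packages in the host's package set and runs with the same trust as the local modules. I would add `comfyui-nix.inputs.nixpkgs.follows = "nixpkgs";` if the build tolerates it, and a comment next to the input saying that lock updates for it need review before they are committed.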
@@ -207,6 +207,23 @@ in }; }; + # ComfyUI with HTTP basic authentication + "comfyui.binning.net" = { + forceSSL = true; + + sslCertificate = "/srv/nginx/binning.net.pem"; + sslCertificateKey = "/srv/nginx/binning.net.key.pem"; + + locations."/" = { + proxyPass = "http://127.0.0.1:8188"; + proxyWebsockets = true; + extraConfig = '' + auth_basic "ComfyUI"; + auth_basic_user_file "/srv/nginx/.htpasswd"; + ''; + }; + }; + # RustDesk "rustdesk.binning.net" = { forceSSL = true; From 5389416a6cea4dfd855a351421ed8d2d74856818 Mon Sep 17 00:00:00 2001 From: "matthew.binning" Date: Sun, 1 Mar 2026 12:59:05 -0800 Subject: [PATCH 09/10] feat: Add Claude Code to system packages --- configuration.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/configuration.nix b/configuration.nix index b1f11bb..092ef72 100644 --- a/configuration.nix +++ b/configuration.nix @@ -12,6 +12,7 @@ environment.systemPackages = with pkgs; [ cargo chromium + claude-code curl docker-compose gcc @@ -32,7 +33,7 @@ rustc tldr vscodium - + # Hyprland essentials hyprpaper # Wallpaper daemon hypridle # Idle daemon From f4d38281e4d334093ebd87dabd07145a22b626da Mon Sep 17 00:00:00 2001 From: "matthew.binning" Date: Sun, 1 Mar 2026 16:35:17 -0800 Subject: [PATCH 10/10] feat: Add tor and tor-browser --- configuration.nix | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/configuration.nix b/configuration.nix index 092ef72..e108be3 100644 --- a/configuration.nix +++ b/configuration.nix @@ -32,6 +32,7 @@ rsync rustc tldr + tor # Tor anonymity network vscodium # Hyprland essentials 
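Review bot: The `comfyui.binning.net` location relies on `auth_basic` alone and the hunk adds no request limiting, so repeated password attempts against `/srv/nginx/.htpasswd` are not slowed down by anything visible here. I would add a `limit_req zone=<zone-name> burst=10 nodelay;` line to this `extraConfig`, with the matching `limit_req_zone` declared in the http block outside this hunk. The comment above the virtual host could also state that the htpasswd file lives outside the nix store on purpose and must be readable only by the nginx service account.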
@@ -135,20 +136,27 @@ brightnessctl # Brightness control pavucontrol # Audio control networkmanagerapplet # Network manager applet - + # File manager and utilities nautilus gnome-themes-extra - + # Additional tools libreoffice grub2_efi exfatprogs + tor-browser # Tor Browser ]; }; programs.firefox.enable = true; + # Enable Tor service + services.tor = { + enable = true; + client.enable = true; + }; + # Allow unfree packages nixpkgs.config.allowUnfree = true;
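Review bot: `services.tor.client.enable = true;` starts a system Tor daemon with a local SOCKS listener, presumably on every host that imports `configuration.nix`, and the comment `# Enable Tor service` does not say which program is meant to use it. Tor Browser starts its own Tor process, so the `tor-browser` entry does not depend on the system service, and the separate `tor` entry added to `environment.systemPackages` in the previous hunk only adds the command-line binary. If the daemon is wanted, I would document it, for example `# System Tor client: loopback SOCKS proxy for non-browser tools; Tor Browser uses its own instance`, and otherwise drop the `services.tor` block so the hosts run one service less.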