Fixed nvidia

server
2025-04-02 20:50:09 +02:00 · 2025-04-02 20:50:09 +02:00 · b284928062
commit b284928062
parent 8cdc5557f9
9 changed files with 341 additions and 19 deletions
--- a/nixos/hosts/kylekrein-homepc/default.nix
+++ b/nixos/hosts/kylekrein-homepc/default.nix
@ -1,4 +1,6 @@
 {
+  options,
+  config,
  pkgs,
  lib,
  hwconfig,
@ -6,6 +8,7 @@
  ...
 }: {
  imports = [
+    "${inputs.nixpkgs-unstable}/nixos/modules/services/matrix/conduwuit.nix"
    ../../hardware/nvidia

    ../../modules/hyprland
@ -21,7 +24,8 @@

    ../../users/tania
  ];
-
+options.services.conduwuit.settings.global.database_path = lib.mkOption { apply = old: "/persist/conduwuit/";};
+config = {
  sops.secrets."ssh_keys/${hwconfig.hostname}" = {};
  environment.systemPackages = with pkgs; [
    blender
@ -34,6 +38,7 @@
  };
  services.zerotierone = {
    enable = true;
+    port = 9994;
    joinNetworks = [
      "A84AC5C10AD269CA"
      "db64858fed285e0f"
@ -42,7 +47,7 @@
  #LLMs
  services.ollama = {
    enable = true;
-    loadModels = [ "deepseek-r1:32b" "deepseek-r1:8b" "qwq" "gemma3:27b"];
+    loadModels = [ "deepseek-r1:32b" "qwq" "gemma3:27b"];
    acceleration = "cuda";
    home = "/persist/ollama";
    user = "ollama";
@ -67,31 +72,92 @@
  systemd.services.open-webui.serviceConfig.DynamicUser = lib.mkForce false;

  #Chat host
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  networking.firewall.allowedTCPPorts = [ 80 443 22 8448 9993 ] ++ [ config.services.zerotierone.port ];
+  networking.firewall.allowedUDPPorts = [config.services.zerotierone.port];
  security.acme = {
    acceptTerms = true;
    defaults.email = "alex.lebedev2003@icloud.com";
+    certs = {
+        "kylekrein.com" = {
+            webroot = "/var/lib/acme/challenges-kylekrein";
+            email = "alex.lebedev2003@icloud.com";
+            group = "nginx";
+	  extraDomainNames = [
+	    "matrix.kylekrein.com"
+	    "chat.kylekrein.com"
+	  ];
+        };
+    };
  };
-  services.nginx.enable = false;
+  users.users.nginx.extraGroups = [ "acme" ];
+  services.hypridle.enable = lib.mkForce false;
+  programs.hyprlock.enable = lib.mkForce false;
+  sops.secrets."services/conduwuit" = {neededForUsers = true;};
+  
+  services.conduwuit = {
+    enable = false;
+    settings = {
+      global = {
+	server_name = "kylekrein.com";
+	port = [ 6167 ];
+	trusted_servers = [ "matrix.org" ];
+	allow_registration = true;
+	allow_federation = true;
+	allow_encryption = true;
+      };
+    };
+    extraEnvironment = {
+      CONDUWUIT_REGISTRATION_TOKEN = "";
+      #CONDUWUIT_REGISTRATION_TOKEN_FILE = ''"${config.sops.secrets."services/conduwuit".path}"'';
+      CONDUWUIT_NEW_USER_DISPLAYNAME_SUFFIX = "🐝";
+      CONDUWUIT_REQUIRE_AUTH_FOR_PROFILE_REQUESTS = "true";
+      CONDUWUIT_ALLOW_LOCAL_PRESENCE = "true";
+    };
+  };
+  systemd.services.conduwuit.serviceConfig = {
+    DynamicUser = lib.mkForce false;
+    StateDirectory = lib.mkForce "/persist/conduwuit";
+    RuntimeDirectory = lib.mkForce "/persist/conduwuit/runtime";
+  };
+
+  services.nginx.enable = true;
  services.nginx = {
    # Use recommended settings
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
+    clientMaxBodySize = "20000000";
  };
  services.nginx.virtualHosts = let
    SSL = {
-      enableACME = true;
+      #enableACME = true;
      forceSSL = true;
+      useACMEHost = "kylekrein.com";
+      acmeRoot = "/var/lib/acme/challenges-kylekrein";
    }; in {
+      "kylekrein.com" = (SSL // {
+	listen = [{port = 443;  addr="0.0.0.0"; ssl=true;} {port = 8448;  addr="0.0.0.0"; ssl=true;}];
+        locations."/" = {
+          proxyPass = "http://localhost:6167";
+          proxyWebsockets = true;
+        };
+      });
      "chat.kylekrein.com" = (SSL // {
        locations."/" = {
-          proxyPass = "http://127.0.0.1:8080/";
+          proxyPass = "http://localhost:8080/";
+          proxyWebsockets = true;
+        };
+      });
+      "matrix.kylekrein.com" = (SSL // {
+	listen = [{port = 443;  addr="0.0.0.0"; ssl=true;} {port = 8448;  addr="0.0.0.0"; ssl=true;}];
+        locations."/" = {
+          proxyPass = "http://localhost:6167";
          proxyWebsockets = true;
        };
      });
    };
-  
+
  systemd.network.wait-online.enable = lib.mkForce false;
+};
 }
--- a/nixos/hosts/kylekrein-server/default.nix
+++ b/nixos/hosts/kylekrein-server/default.nix
@ -0,0 +1,161 @@
+{
+  options,
+  config,
+  pkgs,
+  lib,
+  hwconfig,
+  inputs,
+  ...
+}: {
+  imports = [
+   inputs.sops-nix.nixosModules.sops
+    inputs.stylix.nixosModules.stylix
+    inputs.nixos-facter-modules.nixosModules.facter
+    inputs.home-manager.nixosModules.default
+    inputs.disko.nixosModules.default
+    ../../modules/sops
+    ../../modules/services/autoupgrade
+ "${inputs.nixpkgs-unstable}/nixos/modules/services/matrix/conduwuit.nix"
+
+    ../../users/kylekrein
+    ./hardware.nix
+    ./networking.nix
+  ];
+options.services.conduwuit.settings.global.database_path = lib.mkOption { apply = old: "/persist/conduwuit/";};
+config = {
+  home-manager.users = lib.mkForce {};
+  stylix.image = ../../modules/hyprland/wallpaper.jpg;
+  #sops.secrets."ssh_keys/${hwconfig.hostname}" = {};
+  boot.tmp.cleanOnBoot = true;
+  boot.loader.systemd-boot.enable = true;
+   networking.hostName = hwconfig.hostname;
+users = {
+    mutableUsers = false;
+    users = {
+      root = {
+        # disable root login here, and also when installing nix by running nixos-install --no-root-passwd
+        # https://discourse.nixos.org/t/how-to-disable-root-user-account-in-configuration-nix/13235/3
+        hashedPassword = "!"; # disable root logins, nothing hashes to !
+      };
+    };
+  };
+  environment.systemPackages = with pkgs; [
+    neovim
+  ];
+   services.openssh = {
+            enable = true;
+            # require public key authentication for better security
+            settings.PasswordAuthentication = false;
+            settings.KbdInteractiveAuthentication = false;
+            settings.PermitRootLogin = "no";
+            #extraConfig = "HostKey ${config.sops.secrets."ssh_keys/${hwconfig.hostname}".path}";
+          };
+
+  zramSwap = {
+    enable = true; # Hopefully? helps with freezing when using swap
+  };
+  #Chat host
+  networking.firewall.allowedTCPPorts = [ 80 443 22 8448 ];
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "alex.lebedev2003@icloud.com";
+    certs = {
+        "kylekrein.com" = {
+            webroot = "/var/lib/acme/challenges-kylekrein";
+            email = "alex.lebedev2003@icloud.com";
+            group = "nginx";
+	  extraDomainNames = [
+	    "matrix.kylekrein.com"
+	    #"chat.kylekrein.com"
+	  ];
+        };
+    };
+  };
+  users.users.nginx.extraGroups = [ "acme" ];
+  sops.secrets."services/conduwuit" = {neededForUsers = true;};
+  
+  services.conduwuit = {
+    enable = true;
+    settings = {
+      global = {
+	server_name = "kylekrein.com";
+	port = [ 6167 ];
+	trusted_servers = [ "matrix.org" ];
+	#allow_registration = true;
+	allow_federation = true;
+	allow_encryption = true;
+      };
+    };
+    extraEnvironment = {
+      CONDUWUIT_REGISTRATION_TOKEN = "";
+      #CONDUWUIT_REGISTRATION_TOKEN_FILE = ''"${config.sops.secrets."services/conduwuit".path}"'';
+      CONDUWUIT_NEW_USER_DISPLAYNAME_SUFFIX = "🐝";
+      CONDUWUIT_REQUIRE_AUTH_FOR_PROFILE_REQUESTS = "true";
+      CONDUWUIT_ALLOW_LOCAL_PRESENCE = "true";
+    };
+  };
+  systemd.services.conduwuit.serviceConfig = {
+    DynamicUser = lib.mkForce false;
+    StateDirectory = lib.mkForce "/persist/conduwuit";
+    RuntimeDirectory = lib.mkForce "/persist/conduwuit/runtime";
+  };
+
+  services.nginx.enable = true;
+  services.nginx = {
+    # Use recommended settings
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    clientMaxBodySize = "20000000";
+  };
+  services.nginx.virtualHosts = let
+    SSL = {
+      #enableACME = true;
+      forceSSL = true;
+      useACMEHost = "kylekrein.com";
+      acmeRoot = "/var/lib/acme/challenges-kylekrein";
+    }; in {
+      "kylekrein.com" = (SSL // {
+	listen = [{port = 443;  addr="0.0.0.0"; ssl=true;} {port = 8448;  addr="0.0.0.0"; ssl=true;}];
+        locations."/" = {
+          proxyPass = "http://localhost:6167";
+          proxyWebsockets = true;
+        };
+      });
+      #"chat.kylekrein.com" = (SSL // {
+      #  locations."/" = {
+      #    proxyPass = "http://localhost:8080/";
+      #    proxyWebsockets = true;
+      #  };
+      #});
+      "matrix.kylekrein.com" = (SSL // {
+	listen = [{port = 443;  addr="0.0.0.0"; ssl=true;} {port = 8448;  addr="0.0.0.0"; ssl=true;}];
+        locations."/" = {
+          proxyPass = "http://localhost:6167";
+          proxyWebsockets = true;
+        };
+      });
+    };
+  system.stateVersion = "24.11";
+   nix = {
+            settings = {
+              experimental-features = [
+                "nix-command"
+                "flakes"
+              ];
+              auto-optimise-store = true;
+              substituters = [
+                "https://hyprland.cachix.org"
+                "https://nix-gaming.cachix.org"
+                "https://nix-community.cachix.org"
+              ];
+              trusted-public-keys = [
+                "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
+                "nix-gaming.cachix.org-1:nbjlureqMbRAxR1gJ/f3hxemL9svXaZF/Ees8vCUUs4="
+                "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+              ];
+            };
+          };
+};
+}
--- a/nixos/hosts/kylekrein-server/hardware.nix
+++ b/nixos/hosts/kylekrein-server/hardware.nix
@ -0,0 +1,28 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/4f7e141c-0fc7-415a-815d-944b36f93806";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
--- a/nixos/hosts/kylekrein-server/networking.nix
+++ b/nixos/hosts/kylekrein-server/networking.nix
@ -0,0 +1,32 @@
+{ lib, ... }: {
+  # This file was populated at runtime with the networking
+  # details gathered from the active system.
+  networking = {
+    nameservers = [ "8.8.8.8"
+ ];
+    defaultGateway = "172.31.1.1";
+    defaultGateway6 = {
+      address = "";
+      interface = "eth0";
+    };
+    dhcpcd.enable = false;
+    usePredictableInterfaceNames = lib.mkForce false;
+    interfaces = {
+      eth0 = {
+        ipv4.addresses = [
+          { address="91.99.0.169"; prefixLength=32; }
+        ];
+        ipv6.addresses = [
+          { address="fe80::9400:4ff:fe30:830e"; prefixLength=64; }
+        ];
+        ipv4.routes = [ { address = "172.31.1.1"; prefixLength = 32; } ];
+        ipv6.routes = [ { address = ""; prefixLength = 128; } ];
+      };
+      
+    };
+  };
+  services.udev.extraRules = ''
+    ATTR{address}=="96:00:04:30:83:0e", NAME="eth0"
+    
+  '';
+}