Fixed nvidia

server

flake.nix

@@ -104,6 +104,17 @@
             cudaSupport = true;
           };
         };
+    kylekrein-server-pkgs = nixpkgs: import nixpkgs {
+          system = x86;
+          overlays = [
+            #nativePackagesOverlay
+	    #ladybirdMaster
+          ];
+          config = {
+            allowBroken = true;
+            allowUnfree = true;
+          };
+        };
     kylekrein-mac-pkgs = nixpkgs: import nixpkgs {
           system = arm;
           overlays = [
@@ -200,6 +211,25 @@
           ./nixos/configuration.nix
         ];
       };
+      "kylekrein-server" = nixpkgs.lib.nixosSystem {
+        specialArgs = {
+          hwconfig = {
+            hostname = "kylekrein-server";
+            isLaptop = false;
+            system = x86;
+            useImpermanence = false;
+          };
+          inherit first-nixos-install;
+          inherit inputs;
+	  unstable-pkgs = kylekrein-server-pkgs nixpkgs-unstable;
+        };
+
+        system = x86;
+        pkgs = kylekrein-server-pkgs nixpkgs;
+        modules = [
+          ./nixos/hosts/kylekrein-server
+        ];
+      };
       "kylekrein-wsl" = nixpkgs.lib.nixosSystem {
         specialArgs = {
           hwconfig = {

nixos/hardware/nvidia/default.nix

@@ -36,18 +36,18 @@
     		nvidiaSettings = true;
 
     		# Optionally, you may need to select the appropriate driver version for your specific GPU.
-    		package = config.boot.kernelPackages.nvidiaPackages.latest;	
+    		#package = config.boot.kernelPackages.nvidiaPackages.latest;	
 	};
 		
 	logitech.wireless.enable = true;
   };
   services.xserver.videoDrivers = [ "nvidia" ];
-  #hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.mkDriver { #fixes https://github.com/NixOS/nixpkgs/issues/375730 temporary
+  hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.mkDriver { #fixes https://github.com/NixOS/nixpkgs/issues/375730 temporary
-   #   version = "570.86.16"; # use new 570 drivers
+      version = "570.133.07"; # use new 570 drivers
-    #  sha256_64bit = "sha256-RWPqS7ZUJH9JEAWlfHLGdqrNlavhaR1xMyzs8lJhy9U=";
+      sha256_64bit = "sha256-LUPmTFgb5e9VTemIixqpADfvbUX1QoTT2dztwI3E3CY=";
-     # openSha256 = "sha256-DuVNA63+pJ8IB7Tw2gM4HbwlOh1bcDg2AN2mbEU9VPE=";
+      openSha256 = "sha256-9l8N83Spj0MccA8+8R1uqiXBS0Ag4JrLPjrU3TaXHnM=";
-     # settingsSha256 = "sha256-9rtqh64TyhDF5fFAYiWl3oDHzKJqyOW3abpcf2iNRT8=";
+      settingsSha256 = "sha256-ZpuVZybW6CFN/gz9rx+UJvQ715FZnAOYfHn5jt5Z2C8=";
-     # usePersistenced = false;
+      usePersistenced = false;
-   # };
+    };
 	
 }

nixos/hosts/kylekrein-homepc/default.nix

@@ -1,4 +1,6 @@
 {
+  options,
+  config,
   pkgs,
   lib,
   hwconfig,
@@ -6,6 +8,7 @@
   ...
 }: {
   imports = [
+    "${inputs.nixpkgs-unstable}/nixos/modules/services/matrix/conduwuit.nix"
     ../../hardware/nvidia
 
     ../../modules/hyprland
@@ -21,7 +24,8 @@
 
     ../../users/tania
   ];
-
+options.services.conduwuit.settings.global.database_path = lib.mkOption { apply = old: "/persist/conduwuit/";};
+config = {
   sops.secrets."ssh_keys/${hwconfig.hostname}" = {};
   environment.systemPackages = with pkgs; [
     blender
@@ -34,6 +38,7 @@
   };
   services.zerotierone = {
     enable = true;
+    port = 9994;
     joinNetworks = [
       "A84AC5C10AD269CA"
       "db64858fed285e0f"
@@ -42,7 +47,7 @@
   #LLMs
   services.ollama = {
     enable = true;
-    loadModels = [ "deepseek-r1:32b" "deepseek-r1:8b" "qwq" "gemma3:27b"];
+    loadModels = [ "deepseek-r1:32b" "qwq" "gemma3:27b"];
     acceleration = "cuda";
     home = "/persist/ollama";
     user = "ollama";
@@ -67,31 +72,92 @@
   systemd.services.open-webui.serviceConfig.DynamicUser = lib.mkForce false;
 
   #Chat host
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  networking.firewall.allowedTCPPorts = [ 80 443 22 8448 9993 ] ++ [ config.services.zerotierone.port ];
+  networking.firewall.allowedUDPPorts = [config.services.zerotierone.port];
   security.acme = {
     acceptTerms = true;
     defaults.email = "alex.lebedev2003@icloud.com";
+    certs = {
+        "kylekrein.com" = {
+            webroot = "/var/lib/acme/challenges-kylekrein";
+            email = "alex.lebedev2003@icloud.com";
+            group = "nginx";
+	  extraDomainNames = [
+	    "matrix.kylekrein.com"
+	    "chat.kylekrein.com"
+	  ];
         };
-  services.nginx.enable = false;
+    };
+  };
+  users.users.nginx.extraGroups = [ "acme" ];
+  services.hypridle.enable = lib.mkForce false;
+  programs.hyprlock.enable = lib.mkForce false;
+  sops.secrets."services/conduwuit" = {neededForUsers = true;};
+  
+  services.conduwuit = {
+    enable = false;
+    settings = {
+      global = {
+	server_name = "kylekrein.com";
+	port = [ 6167 ];
+	trusted_servers = [ "matrix.org" ];
+	allow_registration = true;
+	allow_federation = true;
+	allow_encryption = true;
+      };
+    };
+    extraEnvironment = {
+      CONDUWUIT_REGISTRATION_TOKEN = "";
+      #CONDUWUIT_REGISTRATION_TOKEN_FILE = ''"${config.sops.secrets."services/conduwuit".path}"'';
+      CONDUWUIT_NEW_USER_DISPLAYNAME_SUFFIX = "🐝";
+      CONDUWUIT_REQUIRE_AUTH_FOR_PROFILE_REQUESTS = "true";
+      CONDUWUIT_ALLOW_LOCAL_PRESENCE = "true";
+    };
+  };
+  systemd.services.conduwuit.serviceConfig = {
+    DynamicUser = lib.mkForce false;
+    StateDirectory = lib.mkForce "/persist/conduwuit";
+    RuntimeDirectory = lib.mkForce "/persist/conduwuit/runtime";
+  };
+
+  services.nginx.enable = true;
   services.nginx = {
     # Use recommended settings
     recommendedGzipSettings = true;
     recommendedOptimisation = true;
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
+    clientMaxBodySize = "20000000";
   };
   services.nginx.virtualHosts = let
     SSL = {
-      enableACME = true;
+      #enableACME = true;
       forceSSL = true;
+      useACMEHost = "kylekrein.com";
+      acmeRoot = "/var/lib/acme/challenges-kylekrein";
     }; in {
+      "kylekrein.com" = (SSL // {
+	listen = [{port = 443;  addr="0.0.0.0"; ssl=true;} {port = 8448;  addr="0.0.0.0"; ssl=true;}];
+        locations."/" = {
+          proxyPass = "http://localhost:6167";
+          proxyWebsockets = true;
+        };
+      });
       "chat.kylekrein.com" = (SSL // {
         locations."/" = {
-          proxyPass = "http://127.0.0.1:8080/";
+          proxyPass = "http://localhost:8080/";
+          proxyWebsockets = true;
+        };
+      });
+      "matrix.kylekrein.com" = (SSL // {
+	listen = [{port = 443;  addr="0.0.0.0"; ssl=true;} {port = 8448;  addr="0.0.0.0"; ssl=true;}];
+        locations."/" = {
+          proxyPass = "http://localhost:6167";
           proxyWebsockets = true;
         };
       });
     };
 
   systemd.network.wait-online.enable = lib.mkForce false;
+};
 }

nixos/hosts/kylekrein-server/default.nix

@@ -0,0 +1,161 @@
+{
+  options,
+  config,
+  pkgs,
+  lib,
+  hwconfig,
+  inputs,
+  ...
+}: {
+  imports = [
+   inputs.sops-nix.nixosModules.sops
+    inputs.stylix.nixosModules.stylix
+    inputs.nixos-facter-modules.nixosModules.facter
+    inputs.home-manager.nixosModules.default
+    inputs.disko.nixosModules.default
+    ../../modules/sops
+    ../../modules/services/autoupgrade
+ "${inputs.nixpkgs-unstable}/nixos/modules/services/matrix/conduwuit.nix"
+
+    ../../users/kylekrein
+    ./hardware.nix
+    ./networking.nix
+  ];
+options.services.conduwuit.settings.global.database_path = lib.mkOption { apply = old: "/persist/conduwuit/";};
+config = {
+  home-manager.users = lib.mkForce {};
+  stylix.image = ../../modules/hyprland/wallpaper.jpg;
+  #sops.secrets."ssh_keys/${hwconfig.hostname}" = {};
+  boot.tmp.cleanOnBoot = true;
+  boot.loader.systemd-boot.enable = true;
+   networking.hostName = hwconfig.hostname;
+users = {
+    mutableUsers = false;
+    users = {
+      root = {
+        # disable root login here, and also when installing nix by running nixos-install --no-root-passwd
+        # https://discourse.nixos.org/t/how-to-disable-root-user-account-in-configuration-nix/13235/3
+        hashedPassword = "!"; # disable root logins, nothing hashes to !
+      };
+    };
+  };
+  environment.systemPackages = with pkgs; [
+    neovim
+  ];
+   services.openssh = {
+            enable = true;
+            # require public key authentication for better security
+            settings.PasswordAuthentication = false;
+            settings.KbdInteractiveAuthentication = false;
+            settings.PermitRootLogin = "no";
+            #extraConfig = "HostKey ${config.sops.secrets."ssh_keys/${hwconfig.hostname}".path}";
+          };
+
+  zramSwap = {
+    enable = true; # Hopefully? helps with freezing when using swap
+  };
+  #Chat host
+  networking.firewall.allowedTCPPorts = [ 80 443 22 8448 ];
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "alex.lebedev2003@icloud.com";
+    certs = {
+        "kylekrein.com" = {
+            webroot = "/var/lib/acme/challenges-kylekrein";
+            email = "alex.lebedev2003@icloud.com";
+            group = "nginx";
+	  extraDomainNames = [
+	    "matrix.kylekrein.com"
+	    #"chat.kylekrein.com"
+	  ];
+        };
+    };
+  };
+  users.users.nginx.extraGroups = [ "acme" ];
+  sops.secrets."services/conduwuit" = {neededForUsers = true;};
+  
+  services.conduwuit = {
+    enable = true;
+    settings = {
+      global = {
+	server_name = "kylekrein.com";
+	port = [ 6167 ];
+	trusted_servers = [ "matrix.org" ];
+	#allow_registration = true;
+	allow_federation = true;
+	allow_encryption = true;
+      };
+    };
+    extraEnvironment = {
+      CONDUWUIT_REGISTRATION_TOKEN = "";
+      #CONDUWUIT_REGISTRATION_TOKEN_FILE = ''"${config.sops.secrets."services/conduwuit".path}"'';
+      CONDUWUIT_NEW_USER_DISPLAYNAME_SUFFIX = "🐝";
+      CONDUWUIT_REQUIRE_AUTH_FOR_PROFILE_REQUESTS = "true";
+      CONDUWUIT_ALLOW_LOCAL_PRESENCE = "true";
+    };
+  };
+  systemd.services.conduwuit.serviceConfig = {
+    DynamicUser = lib.mkForce false;
+    StateDirectory = lib.mkForce "/persist/conduwuit";
+    RuntimeDirectory = lib.mkForce "/persist/conduwuit/runtime";
+  };
+
+  services.nginx.enable = true;
+  services.nginx = {
+    # Use recommended settings
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    clientMaxBodySize = "20000000";
+  };
+  services.nginx.virtualHosts = let
+    SSL = {
+      #enableACME = true;
+      forceSSL = true;
+      useACMEHost = "kylekrein.com";
+      acmeRoot = "/var/lib/acme/challenges-kylekrein";
+    }; in {
+      "kylekrein.com" = (SSL // {
+	listen = [{port = 443;  addr="0.0.0.0"; ssl=true;} {port = 8448;  addr="0.0.0.0"; ssl=true;}];
+        locations."/" = {
+          proxyPass = "http://localhost:6167";
+          proxyWebsockets = true;
+        };
+      });
+      #"chat.kylekrein.com" = (SSL // {
+      #  locations."/" = {
+      #    proxyPass = "http://localhost:8080/";
+      #    proxyWebsockets = true;
+      #  };
+      #});
+      "matrix.kylekrein.com" = (SSL // {
+	listen = [{port = 443;  addr="0.0.0.0"; ssl=true;} {port = 8448;  addr="0.0.0.0"; ssl=true;}];
+        locations."/" = {
+          proxyPass = "http://localhost:6167";
+          proxyWebsockets = true;
+        };
+      });
+    };
+  system.stateVersion = "24.11";
+   nix = {
+            settings = {
+              experimental-features = [
+                "nix-command"
+                "flakes"
+              ];
+              auto-optimise-store = true;
+              substituters = [
+                "https://hyprland.cachix.org"
+                "https://nix-gaming.cachix.org"
+                "https://nix-community.cachix.org"
+              ];
+              trusted-public-keys = [
+                "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
+                "nix-gaming.cachix.org-1:nbjlureqMbRAxR1gJ/f3hxemL9svXaZF/Ees8vCUUs4="
+                "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+              ];
+            };
+          };
+};
+}

nixos/hosts/kylekrein-server/hardware.nix

@@ -0,0 +1,28 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/4f7e141c-0fc7-415a-815d-944b36f93806";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

nixos/hosts/kylekrein-server/networking.nix

@@ -0,0 +1,32 @@
+{ lib, ... }: {
+  # This file was populated at runtime with the networking
+  # details gathered from the active system.
+  networking = {
+    nameservers = [ "8.8.8.8"
+ ];
+    defaultGateway = "172.31.1.1";
+    defaultGateway6 = {
+      address = "";
+      interface = "eth0";
+    };
+    dhcpcd.enable = false;
+    usePredictableInterfaceNames = lib.mkForce false;
+    interfaces = {
+      eth0 = {
+        ipv4.addresses = [
+          { address="91.99.0.169"; prefixLength=32; }
+        ];
+        ipv6.addresses = [
+          { address="fe80::9400:4ff:fe30:830e"; prefixLength=64; }
+        ];
+        ipv4.routes = [ { address = "172.31.1.1"; prefixLength = 32; } ];
+        ipv6.routes = [ { address = ""; prefixLength = 128; } ];
+      };
+      
+    };
+  };
+  services.udev.extraRules = ''
+    ATTR{address}=="96:00:04:30:83:0e", NAME="eth0"
+    
+  '';
+}

nixos/modules/hyprland/hypridle.nix

@@ -1,11 +1,11 @@
-{ pkgs, lib, ... }:
+{ pkgs, lib, hwconfig, ... }:
 let
 suspendScript = pkgs.writeShellScript "suspend-script" ''
     # check if any player has status "Playing"
     ${lib.getExe pkgs.playerctl} -a status | ${lib.getExe pkgs.ripgrep} Playing -q
     # only suspend if nothing is playing
     if [ $? == 1 ]; then
-      ${pkgs.systemd}/bin/systemctl suspend
+      ${if hwconfig.isLaptop then "${pkgs.systemd}/bin/systemctl suspend" else "loginctl lock-session"}
     fi
   '';
 in

nixos/modules/impermanence/default.nix

@@ -20,6 +20,8 @@ in {
       "/var/lib/flatpak"
       "/var/lib/zerotier-one"
       "/var/lib/systemd/coredump"
+      "/var/lib/acme"
+      #"/var/lib/conduwuit"
       "/etc/NetworkManager/system-connections"
       {
         directory = "/var/lib/colord";
@@ -40,6 +42,7 @@ in {
     "d /persist/home/ 0777 root root -" # /persist/home created, owned by root
     "d /persist/ollama/ 0755 ollama ollama"
     "d /persist/open-webui/ 0755 ollama ollama"
+    "d /persist/conduwuit/ 0755 conduwuit conduwuit"
     #"d /persist/home/${username} 0700 ${username} users -" # /persist/home/<user> created, owned by that user
     #"d /persist/nixos-config 0700 ${username} users -"
   ];

nixos/modules/sops/secrets/secrets.yaml

@@ -5,6 +5,8 @@ users:
 ssh_keys:
     kylekrein-mac: ENC[AES256_GCM,data:Gnh34OQWO6eQfNfyYZsVfvktknmZorQYF+lNMKYvV7XkKjZ3RQNHyJ3UWOX+sVwWdtF7EboXkBPdHvnyLvDVIyv7trxTU5IXQzOI+34AKfPHa828HuOLk0AclCmm6GcNq/X4dKTX5DADG4cE4/V+KtdjvSMtLX7I1cjlfsN7JzcsnjERbK8Q0pTMuA44IUdnh0odH9xFEP/f/hVZZZhc5vrMfAqSx3lQxCF62c0wJaorobsPSM7BTzorVgnMnc3zJRAlgQnCnAe306/6g4hurBteIVeGFhA8gSk1fjZh2fm0opo/lgvHRJOwfpvRWJGEedx7hEpjsDr8BRxeBc2OHaRO5UP+fYh8Qtki8ZeFUjr/psjRRz128Kr0C+NS0AByZtwg54d705uwsnf79jPdM1ewGryCcsxqYWCvT0174cIg3sLdQvPnESbV1zU+QsVskFZwYL+gLtzuAwExPW7cM12M/HS+Eb5xtWvRA46FZ/dnKFwQkUA/VgSi08eC5/EYg8dFBht9hDK+kiLPGHML8A6a3CoiMf0pd+DbdOxA21F0Tw==,iv:oEXxrvWosuiH2wSoSkP7YMwBQu3JKIhn/YeiaTL/UT4=,tag:XgBw2q/6LPWg2zuOC9Wb+w==,type:str]
     kylekrein-homepc: ENC[AES256_GCM,data:/7b7wHk9jX+2Gel3157KO4YHia+IyEurUic0BX9flNKdsjIyG/3N8lORAkIjwnPlFaN2VqGu6o1pFgW2dzkSAyATQIUeWpqL5rjxsG3mJ9/9TLh58Y7MIpFKx2r8AeUY0xEAhT1A4BCbnDMsneQtM9gBkgPdhhv6vVpe4XJS3n+dGPER/bQxxRbEt260EjxvL1OPf5C7Z7qNVhOzxNdgdJMQvXxyhRGlXRrrHFRdbw0nChStevgBL4+FoMuBFkqF/aJSoapwe8PNxp8z+Hk5Em+BQv/ieFcscESssCK1gSbvfz6MQyX+5ig+Gy+t28yy56/ir44PHwX47IOILzg7lABSvN+Uyt+sRKyBfx124hJjqgXf65YQ/fgknQt0NDKwZyP/gPSLC9HiLKdva/P9nuenfSnlLrGtfugejBAVQBMOP2HTp/ZKtveeKLVIzM7NLeHAw8ul1OL8OlOgyO3vhEkEVagLwtQYHqwoF7+z30TzTtGyDzuhohbhUH36D8BD/LTaPHxnnVIzWq/IBOmAU06U/EvS5x/JJtqMm8aaDFFEYA==,iv:+4umMhsr8s0IuiYuEdhDAOfLjAELEHbFVvWqaVyF2yQ=,tag:eE9gCZ3pC4wDLeMs5cQGZg==,type:str]
+services:
+    conduwuit: ENC[AES256_GCM,data:1shEq67QJTkeqrfYSr/eYG7gYWH//5ey6XQ=,iv:hy5wQmue8qU4ALfn9BrNQLnsTk8BsVVXY/8bDj18mXk=,tag:h6+hL0HjgSzd15Kc7Zg4ng==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -20,8 +22,8 @@ sops:
             M0hSNWNYbGM3a21McUVMaGNqWTdmNTQK3VRFV4EaC8K8AJi2PUt6TeBgueEmPLI8
             Vdwwbh89+xD5xf4Zm0LctPRlxxM6diubv0gIZZPy/ZXZfiU32ZnM0w==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-02-21T18:58:11Z"
+    lastmodified: "2025-04-02T14:08:10Z"
-    mac: ENC[AES256_GCM,data:8MZQ486ZMZ6aH71vR7VE1qAmS6Yg2+cVVIrb16aq744/YtennNl70lSkGrpTU2asFaN1tBOkuL5pnhJmJfLIHzI94oQOUZonSoG50HHpo2deTVZLRVqcZjiKobJKA23aChqTI+VR1KM3XCO7KTkjCGt8Kj2r/J9yfjmxh+tmrOo=,iv:n7QK6mH9Y805n3t2KBLw8wgTLaistdk6TYVlKvaTQm0=,tag:2au0n94JerEdNTpq5BFrtQ==,type:str]
+    mac: ENC[AES256_GCM,data:ATGlRrgS1LilKyMpLHPlQj9NV6eK8IaDr36KjFcyMsslzq68Zw/s14C+RjMUYT8dQkzymMxhxh9jAsPtS/J81XFG4RMl7mo6KNmhpPKEkzBuP0cAAIXgSrF4dovveI0imxxsjBba4iOi6Syjo/myg2dGpFwgU1/OgJ2suwB07ME=,iv:37UDQfMvk/o2BByZQfY9ry7ETCC2zU8K+EoRjGHKykc=,tag:wUFJ0fZMt4RZTM3oLJ2YaA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.4