julian/dotfiles
1
0
Fork 0
Code Issues Pull Requests Actions Releases Wiki Activity
dotfiles/systems/x86_64-linux/builder/default.nix

224 lines
5.9 KiB
Nix
Raw Blame History

# sudo nixos-rebuild switch --flake .#builder --target-host root@192.168.3.118
# or
# deploy .#builder
{ config, pkgs, ... }:
{
imports = [ ./hardware-configuration.nix ];
# hardware.graphics = {
# enable = true;
# extraPackages = with pkgs; [
# rocmPackages.clr.icd
# linuxPackages.amdgpu-pro
# ];
# };
# boot.kernelParams = [
# "radeon.si_support=0"
# "radeon.cik_support=1"
# "amdgpu.si_support=0"
# "amdgpu.cik_support=1"
# ];
# boot.extraModulePackages = with config.boot.kernelPackages; [ amdgpu-pro ];
# boot.blacklistedKernelModules = [ "radeon" ];
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
# Emulated systems used as alternative to cross-compiling
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
networking.hostName = "builder";
networking.networkmanager.enable = true;
time.timeZone = "Europe/Berlin";
modules = {
keymap.enable = true;
locales.enable = true;
};
users.users.nix = {
isNormalUser = true;
description = "Nix";
extraGroups = [
"networkmanager"
"wheel"
];
};
nix.settings.experimental-features = [
"nix-command"
"flakes"
];
# Setup binary caches
nix.settings = {
substituters = [
"https://nix-community.cachix.org"
"https://cache.nixos.org/"
];
trusted-public-keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" ];
trusted-users = [ "nix" ];
max-jobs = "auto";
cores = 0;
};
# optimize store by hardlinking store files
nix.optimise.automatic = true;
nix.optimise.dates = [ "03:15" ];
nix.gc.automatic = true;
nix.gc.dates = "daily";
nix.gc.options = "--delete-old";
# nix.settings.keep-derivations = false;
# nix.settings.keep-outputs = true;
# Garbage collect up to 30 GiB when only 6 GiB storage left
nix.extraOptions = ''
min-free = ${toString (6 * 1024 * 1024 * 1024)}
max-free = ${toString (30 * 1024 * 1024 * 1024)}
'';
environment.systemPackages = with pkgs; [
vim
htop
mc
# # AMD GPU tools
# pciutils
# nvtopPackages.amd
# linuxPackages.amdgpu-pro
];
nix.nrBuildUsers = 64;
# prevent memory to get filled
systemd.services.nix-daemon.serviceConfig = {
MemoryAccounting = true;
MemoryMax = "90%";
OOMScoreAdjust = 500;
};
# Ollama used by open-webui as llm backend
services.ollama = {
enable = true;
# acceleration = "rocm";
};
services.open-webui = {
enable = true;
port = 8080;
openFirewall = true;
host = "builder.julian-mutter.de";
};
networking.firewall.allowedTCPPorts = [
80
];
services.openssh = {
enable = true;
# require public key authentication for better security
settings.PasswordAuthentication = true;
settings.KbdInteractiveAuthentication = false;
settings.PermitRootLogin = "yes";
};
users.users."root".openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjSZYdoF/51F+ykcBAYVCzCPTF5EEigWBL1APiR0h+H julian@aspi"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFcS+3d1tNgHmYCjueymCV9Bd2LcJcKGhVobrDe3r0s julian@kardorf"
];
users.users."nix".openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjSZYdoF/51F+ykcBAYVCzCPTF5EEigWBL1APiR0h+H julian@aspi"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHnfLJnS2SKUs47J0qpLTkk0LQA5quOuAhnxE6yppUDm root@kardorf"
];
# security.pam.sshAgentAuth.enable = true; # enable sudo via ssh
services.hydra = {
enable = true;
hydraURL = "http://hydra.julian-mutter.de"; # externally visible URL
port = 3000;
notificationSender = "hydra@julian-mutter.de"; # e-mail of hydra service
# a standalone hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/machines
# buildMachinesFiles = [ ];
# you will probably also want, otherwise *everything* will be built from scratch
useSubstitutes = true;
minimumDiskFree = 5; # in GB
minimumDiskFreeEvaluator = 4; # in GB
};
# add builder itself as build machine so system emulation is properly supported
# nix.distributedBuilds = true;
nix.buildMachines = [
{
hostName = "localhost";
protocol = null;
# sshUser = "nix";
systems = [
"x86_64-linux"
"aarch64-linux"
];
maxJobs = 4;
speedFactor = 3;
supportedFeatures = [
"nixos-test"
"benchmark"
"big-parallel"
"kvm"
];
}
];
# Uris allowed as flake inputs, otherwise hydra does not fetch them
nix.settings.allowed-uris = [
"github:"
"gitlab:"
"git+https://github.com/hyprwm/Hyprland"
"https://github.com/hyprwm/Hyprland"
"https://github"
"https://gitlab"
"https://gitlab.julian-mutter.de"
"git+https://gitlab.julian-mutter.de"
];
services.nginx = {
enable = true;
recommendedProxySettings = true;
# recommendedTlsSettings = true;
# other Nginx options
virtualHosts."hydra.julian-mutter.de" = {
# enableACME = true;
# forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:3000";
# proxyWebsockets = true; # needed if you need to use WebSocket
# extraConfig =
# # required when the target is also TLS server with multiple hosts
# "proxy_ssl_server_name on;" +
# # required when the server wants to use HTTP Authentication
# "proxy_pass_header Authorization;"
# ;
};
};
virtualHosts."binarycache.julian-mutter.de" = {
locations."/".proxyPass =
"http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
};
};
# =========== Binary Cache ==========
services.nix-serve = {
enable = true;
secretKeyFile = "/var/cache-priv-key.pem";
};
# ======================== DO NOT CHANGE THIS ========================
system.stateVersion = "23.11";
# ======================== DO NOT CHANGE THIS ========================
}
Reference in New Issue View Git Blame Copy Permalink