From 9531bff9294c113533865904c4998a6fae249807 Mon Sep 17 00:00:00 2001
From: Thierry Pouplier
Date: Thu, 1 Jan 2026 02:25:11 -0500
Subject: [PATCH] chore: enhance system configuration with hardware sensors, GPU support, and security
---
hosts/lazyworkhorse/configuration.nix | 152 ++++++++++++++++++++++----
1 file changed, 131 insertions(+), 21 deletions(-)
diff --git a/hosts/lazyworkhorse/configuration.nix b/hosts/lazyworkhorse/configuration.nix
index 70284e3..f584ede 100644
--- a/hosts/lazyworkhorse/configuration.nix
+++ b/hosts/lazyworkhorse/configuration.nix
@@ -1,8 +1,8 @@
-# Edit this configuration file to define what should be installed on
+# edit this configuration file to define what should be installed on
 # your system. Help is available in the configuration.nix(5) man page, on
 # https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
-{ config, lib, pkgs, paths, keys, ... }:
+{ config, lib, pkgs, paths, self, keys, ... }:
 {
 # NAS Mounting
@@ -29,7 +29,19 @@
 boot.loader.systemd-boot.enable = true;
 boot.loader.efi.canTouchEfiVariables = false;
- boot.kernelModules = [ "nct6775" "lm63" ];
+ # 1. Force the kernel to ignore BIOS resource locks
+ boot.kernelParams = [
+ "acpi_enforce_resources=lax"
+ "nct6775.force_id=0xd120" # This forces the driver to ignore BIOS locks for NCT6116
+ "transparent_hugepage=always" # because mucho ram
+ ];
+ # 2. Load the specific drivers found by sensors-detect
+ boot.kernelModules = [ "nct6775" "lm96163" ];
+ # 3. Force the nct6775 driver to recognize the chip if it's stubborn
+ boot.extraModprobeConfig = ''
+ options nct6775 force_id=0xd280
+ '';
+ boot.blacklistedKernelModules = [ "eeepc_wmi" ];
 networking.hostName = "lazyworkhorse"; # Define your hostname.
 # Pick only one of the below networking options.
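Review bot: The nct6775 chip id is forced to two different values in this hunk: `nct6775.force_id=0xd120` on the kernel command line and `options nct6775 force_id=0xd280` in extraModprobeConfig, while the comment next to the first one names an NCT6116. Both feed the same module parameter, so which one wins depends on how the module ends up loaded, and the config is at best redundant and at worst pins the wrong chip; if memory of the driver's id table serves, 0xd280 is the NCT6116 id, so the modprobe line is the one that matches the comment and the kernelParams entry should go. `acpi_enforce_resources=lax` also needs a why-comment, because it is a system-wide relaxation (drivers may touch I/O ranges the firmware declared as ACPI-owned, which can yield bogus readings or collide with firmware access) rather than an nct6775-specific switch, e.g. `# BIOS marks the Super-I/O range as ACPI-owned; lax lets nct6775 probe it anyway (global setting, affects every driver)`.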
@@ -58,6 +70,14 @@
 LC_CTYPE = "en_CA.UTF-8";
 };
+ programs.zsh = {
+ enable = true;
+ autosuggestions.enable = true;
+ syntaxHighlighting.enable = true;
+ enableCompletion = true;
+
+ setOptions = [ "HIST_IGNORE_ALL_DUPS" "SHARE_HISTORY" ];
+ };
 # Configure network proxy if necessary
 # networking.proxy.default = "http://user:password@proxy:port/";
 # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
@@ -85,6 +105,7 @@
 pulse.enable = true;
 };
+ # Nix Helper cli tool
 environment.sessionVariables = {
 NH_FLAKE = paths.flake;
 };
@@ -95,19 +116,21 @@
 # nvim please
 environment.variables.EDITOR = "nvim";
- # programs.firefox.enable = true;
-
 # List packages installed in system profile.
 # You can use https://Search.nixos.org/ to find more packages (and options).
 environment.systemPackages = with pkgs; [
- agenix
 neovim
 docker-compose
 wget
 age
+ agenix
 git
- nh
 lm_sensors
+ rocmPackages.rocminfo
+ rocmPackages.rocm-smi
+ clinfo
+ ncurses
+ kitty.terminfo
 ];
 # Some programs need SUID wrappers, can be configured further or are
@@ -123,7 +146,12 @@
 # Enable the OpenSSH daemon
 services.openssh = {
 enable = true;
- settings.PermitRootLogin = "no";
+ ports = [ 22 2424 ];
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ PermitRootLogin = "prohibit-password";
+ };
 hostKeys = [
 {
 path = "/etc/ssh/ssh_host_ed25519_key";
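Review bot: `nh` is removed from `environment.systemPackages` while the `NH_FLAKE` session variable two hunks up is kept and even gains a "Nix Helper cli tool" comment. If nh is enabled through `programs.nh` elsewhere in the flake that is fine, but nothing visible here does it, so either the variable is now dead or the package removal is accidental; a comment such as `# nh itself comes from programs.nh in <module>` next to NH_FLAKE would settle it.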
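Review bot: `PermitRootLogin` is widened from `"no"` to `"prohibit-password"`, so root can now log in over SSH with a key where before it could not at all; in a commit advertised as tightening security that loosening should be deliberate and explained. If no workflow needs direct root SSH, keep `PermitRootLogin = "no";`; if one does, add a comment naming it next to the setting. `ports = [ 22 2424 ]` also opens both ports in the firewall, since `services.openssh.openFirewall` defaults to true, and there is no visible reason for listening on two ports, so record why or drop one. The `services.openssh` block continues past the hunk (hostKeys).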
@@ -132,6 +160,77 @@
 ];
 };
+ # services.ollama = {
+ # enable = true;
+ # acceleration = "rocm";
+ # # Optional: force Ollama to use the MI50 target
+ # rocmOverrideGfx = "9.0.6";
+ # environmentVariables = {
+ # ROCR_VISIBLE_DEVICES = "0,1";
+ # # This helps with memory allocation on dual-GPU setups
+ # HSA_ENABLE_SDMA = "0";
+ # };
+ # };
+
+ services.dockerStacks = {
+ versioncontrol = {
+ path = self + "/assets/compose/versioncontrol";
+ ports = [ 2222 ];
+ };
+
+ network = {
+ path = self + "/assets/compose/network";
+ envFile = config.age.secrets.containers_env.path;
+ ports = [ 80 443 ];
+ };
+
+ passwordmanager = {
+ path = self + "/assets/compose/passwordmanager";
+ };
+
+ ai = {
+ path = self + "/assets/compose/ai";
+ envFile = config.age.secrets.containers_env.path;
+ };
+
+ cloudstorage = {
+ path = self + "/assets/compose/cloudstorage";
+ envFile = config.age.secrets.containers_env.path;
+ };
+
+ homeautomation = {
+ path = self + "/assets/compose/homeautomation";
+ envFile = config.age.secrets.containers_env.path;
+ };
+ };
+
+ services.opencode = {
+ enable = true;
+ port = 4099;
+ ollamaUrl = "http://127.0.0.1:11434/v1";
+ };
+
+ # services.systemd-fancon = {
+ # enable = true;
+ # config = ''
+ # [MI50_Cooling]
+ # # The lm96163 controller
+ # hwmon = hwmon0
+
+ # # Most lm96163 chips use pwm1 for the main fan header
+ # pwm = 1
+ # pwm = 2
+
+ # # Watch both MI50 cards
+ # sensor = hwmon3/temp1_input
+ # sensor = hwmon4/temp1_input
+
+ # # Servers cards need air early!
+ # # Starts spinning at 40C, full blast by 70C
+ # curve = 40:60 55:160 70:255
+ # '';
+ # };
+
 # Private host ssh key managed by agenix
 age = {
 identityPaths = paths.identities;
@@ -150,6 +249,13 @@
 mode = "0600";
 path = "/etc/ssh/ssh_host_ed25519_key";
 };
+ n8n_ssh_key = {
+ file = ../../secrets/n8n_ssh_key.age;
+ owner = "root";
+ group = "root";
+ mode = "0600";
+ path = "/home/n8n-worker/.ssh/n8n_ssh_key";
+ };
 };
 };
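Review bot: Four stacks (`network`, `ai`, `cloudstorage`, `homeautomation`) all point `envFile` at the same `config.age.secrets.containers_env.path`, so every one of those compose projects is handed every secret in that file, including the ones only a sibling stack needs; a compromise of any single container, and the network stack is the one publishing 80/443, exposes the whole set. Splitting it into one agenix secret per stack (`network_env`, `ai_env`, and so on) and giving each stack only its own file keeps the blast radius to one stack. `services.dockerStacks` and `services.opencode` do not look like upstream NixOS options, presumably they come from this flake's own modules, so a one-line comment pointing at where they are defined would help the next reader. The commented-out ollama and systemd-fancon blocks add roughly thirty lines of dead config; if they are kept on purpose, a `# TODO:` saying why each is disabled beats leaving them unexplained.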
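Review bot: The new `n8n_ssh_key` secret is written to `/home/n8n-worker/.ssh/n8n_ssh_key` but owned `root:root` with mode 0600, so the `n8n-worker` user whose home it lives in cannot read it. If that user is the consumer, the owner should be `owner = "n8n-worker";` (and the group to match); if root is the consumer, the key does not belong under another user's home directory, where a future chown or home-directory cleanup can silently change its exposure. The `age.secrets` attribute set this entry sits in opens before the hunk.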
@@ -161,19 +267,23 @@
 services.zfs.autoSnapshot.enable = true;
 services.zfs.autoScrub.enable = true;
-
- # hardware.graphics = {
- # enable = true;
- # enable32Bit = true;
- # extraPackages = with pkgs; [
- # rocmPackages.clr
- # rocmPackages.rocblas
- # rocmPackages.rocrand
- # rocmPackages.rocminfo
- # rocmPackages.hipcc
- # rocmPackages.hiprt
- # ];
- # };
+
+ # Mi50 config
+ hardware.graphics = {
+ enable = true;
+ enable32Bit = true; # Useful for some compatibility layers
+ extraPackages = with pkgs; [
+ rocmPackages.clr.icd # OpenCL/HIP runtime
+ amdvlk # Vulkan drivers
+ ];
+ };
+ nixpkgs.config.rocmTargets = [ "gfx906" ];
+ environment.variables = {
+ # This "tricks" ROCm into supporting the MI50 if using newer versions
+ HSA_OVERRIDE_GFX_VERSION = "9.0.6";
+ # Ensures the system sees both GPUs
+ HIP_VISIBLE_DEVICES = "0,1";
+ };
 # Open ports in the firewall.
 # networking.firewall.allowedTCPPorts = [ ... ];
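Review bot: `environment.variables` is exported through /etc/set-environment for login shells, so `HSA_OVERRIDE_GFX_VERSION` and `HIP_VISIBLE_DEVICES` will reach interactive sessions but, as far as I can tell, not systemd services; if the point is for the (currently disabled) ollama service or the docker stacks to see them, they belong in that unit's environment, which is exactly what the commented-out `services.ollama.environmentVariables` block does. The comment on the override should also record which ROCm release made it necessary so it can be dropped later, e.g. `# gfx906 (MI50) stopped being an officially supported target in ROCm <version>; report 9.0.6 so the runtime still accepts it`, with the placeholder filled in from the version this was tested against.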