gortium/infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore: enhance system configuration with hardware sensors, GPU support, and security

Browse Source
This commit is contained in:
Thierry Pouplier
2026-01-01 02:25:11 -05:00
parent 0b4e9e092d
commit 9531bff929
1 changed files with 131 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

152
hosts/lazyworkhorse/configuration.nix
View File

@@ -1,8 +1,8 @@
# Edit this configuration file to define what should be installed on
# edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{ config, lib, pkgs, paths, keys, ... }:
{ config, lib, pkgs, paths, self, keys, ... }:
{
# NAS Mounting
@@ -29,7 +29,19 @@
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = false;
boot.kernelModules = [ "nct6775" "lm63" ];
# 1. Force the kernel to ignore BIOS resource locks
boot.kernelParams = [
"acpi_enforce_resources=lax"
"nct6775.force_id=0xd120" # This forces the driver to ignore BIOS locks for NCT6116
"transparent_hugepage=always" # because mucho ram
];
# 2. Load the specific drivers found by sensors-detect
boot.kernelModules = [ "nct6775" "lm96163" ];
# 3. Force the nct6775 driver to recognize the chip if it's stubborn
boot.extraModprobeConfig = ''
options nct6775 force_id=0xd280
'';
boot.blacklistedKernelModules = [ "eeepc_wmi" ];
networking.hostName = "lazyworkhorse"; # Define your hostname.
# Pick only one of the below networking options.
@@ -58,6 +70,14 @@
LC_CTYPE = "en_CA.UTF-8";
};
programs.zsh = {
enable = true;
autosuggestions.enable = true;
syntaxHighlighting.enable = true;
enableCompletion = true;
setOptions = [ "HIST_IGNORE_ALL_DUPS" "SHARE_HISTORY" ];
};
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
@@ -85,6 +105,7 @@
pulse.enable = true;
};
# Nix Helper cli tool
environment.sessionVariables = {
NH_FLAKE = paths.flake;
};
@@ -95,19 +116,21 @@
# nvim please
environment.variables.EDITOR = "nvim";
# programs.firefox.enable = true;
# List packages installed in system profile.
# You can use https://Search.nixos.org/ to find more packages (and options).
environment.systemPackages = with pkgs; [
agenix
neovim
docker-compose
wget
age
agenix
git
nh
lm_sensors
rocmPackages.rocminfo
rocmPackages.rocm-smi
clinfo
ncurses
kitty.terminfo
];
# Some programs need SUID wrappers, can be configured further or are
@@ -123,7 +146,12 @@
# Enable the OpenSSH daemon
services.openssh = {
enable = true;
settings.PermitRootLogin = "no";
ports = [ 22 2424 ];
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = "prohibit-password";
};
hostKeys = [
{
path = "/etc/ssh/ssh_host_ed25519_key";
@@ -132,6 +160,77 @@
];
};
# services.ollama = {
# enable = true;
# acceleration = "rocm";
# # Optional: force Ollama to use the MI50 target
# rocmOverrideGfx = "9.0.6";
# environmentVariables = {
# ROCR_VISIBLE_DEVICES = "0,1";
# # This helps with memory allocation on dual-GPU setups
# HSA_ENABLE_SDMA = "0";
# };
# };
services.dockerStacks = {
versioncontrol = {
path = self + "/assets/compose/versioncontrol";
ports = [ 2222 ];
};
network = {
path = self + "/assets/compose/network";
envFile = config.age.secrets.containers_env.path;
ports = [ 80 443 ];
};
passwordmanager = {
path = self + "/assets/compose/passwordmanager";
};
ai = {
path = self + "/assets/compose/ai";
envFile = config.age.secrets.containers_env.path;
};
cloudstorage = {
path = self + "/assets/compose/cloudstorage";
envFile = config.age.secrets.containers_env.path;
};
homeautomation = {
path = self + "/assets/compose/homeautomation";
envFile = config.age.secrets.containers_env.path;
};
};
services.opencode = {
enable = true;
port = 4099;
ollamaUrl = "http://127.0.0.1:11434/v1";
};
# services.systemd-fancon = {
# enable = true;
# config = ''
# [MI50_Cooling]
# # The lm96163 controller
# hwmon = hwmon0
# # Most lm96163 chips use pwm1 for the main fan header
# pwm = 1
# pwm = 2
# # Watch both MI50 cards
# sensor = hwmon3/temp1_input
# sensor = hwmon4/temp1_input
# # Servers cards need air early!
# # Starts spinning at 40C, full blast by 70C
# curve = 40:60 55:160 70:255
# '';
# };
# Private host ssh key managed by agenix
age = {
identityPaths = paths.identities;
@@ -150,6 +249,13 @@
mode = "0600";
path = "/etc/ssh/ssh_host_ed25519_key";
};
n8n_ssh_key = {
file = ../../secrets/n8n_ssh_key.age;
owner = "root";
group = "root";
mode = "0600";
path = "/home/n8n-worker/.ssh/n8n_ssh_key";
};
};
};
@@ -161,19 +267,23 @@
services.zfs.autoSnapshot.enable = true;
services.zfs.autoScrub.enable = true;
# hardware.graphics = {
# enable = true;
# enable32Bit = true;
# extraPackages = with pkgs; [
# rocmPackages.clr
# rocmPackages.rocblas
# rocmPackages.rocrand
# rocmPackages.rocminfo
# rocmPackages.hipcc
# rocmPackages.hiprt
# ];
# };
# Mi50 config
hardware.graphics = {
enable = true;
enable32Bit = true; # Useful for some compatibility layers
extraPackages = with pkgs; [
rocmPackages.clr.icd # OpenCL/HIP runtime
amdvlk # Vulkan drivers
];
};
nixpkgs.config.rocmTargets = [ "gfx906" ];
environment.variables = {
# This "tricks" ROCm into supporting the MI50 if using newer versions
HSA_OVERRIDE_GFX_VERSION = "9.0.6";
# Ensures the system sees both GPUs
HIP_VISIBLE_DEVICES = "0,1";
};
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];