chore: enhance system configuration with hardware sensors, GPU support, and security

hosts/lazyworkhorse/configuration.nix

@@ -1,8 +1,8 @@
-# Edit this configuration file to define what should be installed on
+# edit this configuration file to define what should be installed on
 # your system. Help is available in the configuration.nix(5) man page, on
 # https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
 
-{ config, lib, pkgs, paths, keys, ... }:
+{ config, lib, pkgs, paths, self, keys, ... }:
 
 {
   # NAS Mounting
@@ -29,7 +29,19 @@
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = false;
 
-  boot.kernelModules = [ "nct6775" "lm63" ];
+  # 1. Force the kernel to ignore BIOS resource locks
+  boot.kernelParams = [ 
+    "acpi_enforce_resources=lax" 
+    "nct6775.force_id=0xd120" # This forces the driver to ignore BIOS locks for NCT6116
+    "transparent_hugepage=always" # because mucho ram
+  ];
+  # 2. Load the specific drivers found by sensors-detect
+  boot.kernelModules = [ "nct6775" "lm96163" ];
+  # 3. Force the nct6775 driver to recognize the chip if it's stubborn
+  boot.extraModprobeConfig = ''
+    options nct6775 force_id=0xd280
+  '';
+
   boot.blacklistedKernelModules = [ "eeepc_wmi" ];
   networking.hostName = "lazyworkhorse"; # Define your hostname.
   # Pick only one of the below networking options.
@@ -58,6 +70,14 @@
     LC_CTYPE = "en_CA.UTF-8";
   };
 
+  programs.zsh = {
+    enable = true;
+    autosuggestions.enable = true;
+    syntaxHighlighting.enable = true;
+    enableCompletion = true;
+  
+    setOptions = [ "HIST_IGNORE_ALL_DUPS" "SHARE_HISTORY" ]; 
+  };
   # Configure network proxy if necessary
   # networking.proxy.default = "http://user:password@proxy:port/";
   # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
@@ -85,6 +105,7 @@
     pulse.enable = true;
   };
 
+  # Nix Helper cli tool
   environment.sessionVariables = {
     NH_FLAKE = paths.flake;
   };
@@ -95,19 +116,21 @@
   # nvim please
   environment.variables.EDITOR = "nvim";
 
-  # programs.firefox.enable = true;
-
   # List packages installed in system profile.
   # You can use https://Search.nixos.org/ to find more packages (and options).
   environment.systemPackages = with pkgs; [
-    agenix
     neovim
     docker-compose
     wget
     age
+    agenix
     git
-    nh
     lm_sensors
+    rocmPackages.rocminfo
+    rocmPackages.rocm-smi
+    clinfo
+    ncurses
+    kitty.terminfo
   ];
 
   # Some programs need SUID wrappers, can be configured further or are
@@ -123,7 +146,12 @@
   # Enable the OpenSSH daemon
   services.openssh = {
     enable = true;
-    settings.PermitRootLogin = "no";
+    ports = [ 22 2424 ];
+    settings = {
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+      PermitRootLogin = "prohibit-password"; 
+    };
     hostKeys = [
       {
         path = "/etc/ssh/ssh_host_ed25519_key";
@@ -132,6 +160,77 @@
     ];
   };
 
+  # services.ollama = {
+  #   enable = true;
+  #   acceleration = "rocm";
+  #   # Optional: force Ollama to use the MI50 target
+  #   rocmOverrideGfx = "9.0.6"; 
+  #   environmentVariables = {
+  #     ROCR_VISIBLE_DEVICES = "0,1";
+  #     # This helps with memory allocation on dual-GPU setups
+  #     HSA_ENABLE_SDMA = "0"; 
+  #   };
+  # };
+
+  services.dockerStacks = {
+    versioncontrol = {
+      path = self + "/assets/compose/versioncontrol";
+      ports = [ 2222 ];
+    };
+    
+    network = {
+      path = self + "/assets/compose/network";
+      envFile = config.age.secrets.containers_env.path;
+      ports = [ 80 443 ];
+    };
+
+    passwordmanager = {
+      path = self + "/assets/compose/passwordmanager";
+    };
+
+    ai = {
+      path = self + "/assets/compose/ai";
+      envFile = config.age.secrets.containers_env.path;
+    };
+
+    cloudstorage = {
+      path = self + "/assets/compose/cloudstorage";
+      envFile = config.age.secrets.containers_env.path;
+    };
+
+    homeautomation = {
+      path = self + "/assets/compose/homeautomation";
+      envFile = config.age.secrets.containers_env.path;
+    };
+  };
+
+  services.opencode = {
+    enable = true;
+    port = 4099;
+    ollamaUrl = "http://127.0.0.1:11434/v1"; 
+  };
+
+  # services.systemd-fancon = {
+  #   enable = true;
+  #   config = ''
+  #   [MI50_Cooling]
+  #   # The lm96163 controller
+  #   hwmon = hwmon0
+    
+  #   # Most lm96163 chips use pwm1 for the main fan header
+  #   pwm = 1
+  #   pwm = 2
+
+  #   # Watch both MI50 cards
+  #   sensor = hwmon3/temp1_input
+  #   sensor = hwmon4/temp1_input
+    
+  #   # Servers cards need air early! 
+  #   # Starts spinning at 40C, full blast by 70C
+  #   curve = 40:60 55:160 70:255
+  #   '';
+  # };
+
   # Private host ssh key managed by agenix
   age = {
     identityPaths = paths.identities;
@@ -150,6 +249,13 @@
         mode = "0600";
         path = "/etc/ssh/ssh_host_ed25519_key";
       };
+      n8n_ssh_key = {
+        file = ../../secrets/n8n_ssh_key.age;
+        owner = "root";
+        group = "root";
+        mode = "0600";
+        path = "/home/n8n-worker/.ssh/n8n_ssh_key";
+      };
     };
   };
 
@@ -162,18 +268,22 @@
   services.zfs.autoSnapshot.enable = true;
   services.zfs.autoScrub.enable = true;
   
-  # hardware.graphics = {
+  # Mi50 config
-  #   enable = true;
+  hardware.graphics = {
-  #   enable32Bit = true;
+    enable = true;
-  #   extraPackages = with pkgs; [
+    enable32Bit = true; # Useful for some compatibility layers
-  #     rocmPackages.clr
+    extraPackages = with pkgs; [
-  #     rocmPackages.rocblas
+      rocmPackages.clr.icd # OpenCL/HIP runtime
-  #     rocmPackages.rocrand
+      amdvlk               # Vulkan drivers
-  #     rocmPackages.rocminfo
+    ];
-  #     rocmPackages.hipcc
+  };
-  #     rocmPackages.hiprt
+  nixpkgs.config.rocmTargets = [ "gfx906" ];
-  #   ];
+  environment.variables = {
-  # };
+    # This "tricks" ROCm into supporting the MI50 if using newer versions
+    HSA_OVERRIDE_GFX_VERSION = "9.0.6";
+    # Ensures the system sees both GPUs
+    HIP_VISIBLE_DEVICES = "0,1";
+  };
 
  # Open ports in the firewall.
   # networking.firewall.allowedTCPPorts = [ ... ];