khasdkasdk'

flake.nix

@@ -120,10 +120,12 @@
   nixConfig.extra-substituters = [
     "https://nix-community.cachix.org?priority=1" # less is more /shrug
     "https://numtide.cachix.org" # dead? https://github.com/numtide/nixpkgs-unfree/commit/399ae17bda97a0318a0c5316edb169d097a776dc
+    "https://cache.flox.dev" # https://flox.dev/blog/flox-the-nix-foundation-and-nvidia-partner-for-cuda/
   ];
   nixConfig.extra-trusted-public-keys = [
     "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
     "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
+    "flox-cache-public-1:7F4OyH7ZCnFhcze3fJdfyXYLQw/aV7GEed86nQ7IsOs="
   ];
 
   outputs = { self, ... } @ inputs':

hardware/gpu/cuda-common.nix

@@ -27,12 +27,17 @@ lib.mkMerge [
   nixpkgs.config.vaapiSupport  = true;
   nixpkgs.config.nvidiaSupport = true;
 
-  nixpkgs.config.allowUnfreePredicate = pkg: lib.any (x: x) [
-    (lib.hasInfix "nvidia"  (lib.toLower (lib.getName pkg)))
-    (lib.hasInfix "cuda"    (lib.toLower (lib.getName pkg)))
-    (lib.hasInfix "cudnn"   (lib.toLower (lib.getName pkg)))
-    (lib.hasInfix "cublas"  (lib.toLower (lib.getName pkg)))
-  ];
+  nixpkgs.config.allowUnfreePredicate =
+    pkg:
+    let
+      pkgname = (lib.toLower (lib.getName pkg));
+    in
+    lib.any (x: x) [
+      (lib.hasInfix "nvidia" pkgname)
+      (lib.hasInfix "cuda"   pkgname)
+      (lib.hasInfix "cudnn"  pkgname)
+      (lib.hasInfix "cublas" pkgname)
+    ];
 
 }
 /* lib.mkIf (lib.versionAtLeast (lib.versions.majorMinor lib.version) "24.11") { */

profiles/base/default.nix

@@ -20,6 +20,18 @@
     (import ./../../overlays/wl-clipboard-timeout.nix)
   ];
 
+  # TODO: selectively whitelist
+  nixpkgs.config.allowUnfree = true;
+  # nixpkgs.config.allowAliases = false;
+  # nixpkgs.config.warnAliases = true;
+  nixpkgs.config.nonfreeLicensing = true; # used by ffmpeg
+
+  # TODO:
+  # nixpkgs.config.allowUnfreePredicate = drv: lib.elem (lib.getName drv) [
+  #   pkgs.davinci-resolve.pname
+  #   pkgs.intel-ocl.pname
+  # ];
+
   nixpkgs.config.permittedInsecurePackages = [
     pkgs.pulsar.name # TODO: remove once electron is bumped
     pkgs.zotero.name
@@ -46,13 +58,6 @@
     pkgs.weston
   ]);
 
-  # TODO: selectively whitelist
-  nixpkgs.config.allowUnfree = true;
-  # nixpkgs.config.allowAliases = false;
-  # nixpkgs.config.warnAliases = true;
-  nixpkgs.config.allowUnfreePredicate = pkg: true;
-  nixpkgs.config.nonfreeLicensing = true; # used by ffmpeg
-
   # apply microcode to fix functional and security issues
   hardware.enableRedistributableFirmware = true;
   hardware.cpu.amd.updateMicrocode = pkgs.stdenv.isx86_64;

profiles/known-hosts/hosts.toml

@@ -67,6 +67,7 @@ buildMachine.systems = ["x86_64-linux", "i686-linux", "riscv64-linux"]
 # buildMachine.maxJobs = 3 # 12 threads 32GB
 buildMachine.speedFactor = 3 # i7-5820K
 buildMachine.supportedFeatures = ["kvm", "nixos-test", "ccache" ]
+buildMachine.protocol = "ssh-ng"
 # useAsSubstituter = true
 ssh.listenPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH03MEINNnjBvtmvN2QsCDCLkvF9ow5FQJp9uiyQ1Iwi"
 ssh.proxyJump = "login.stud.ntnu.no" # login.pvv.ntnu.no
@@ -79,6 +80,7 @@ buildMachine.systems = ["x86_64-linux", "i686-linux", "riscv64-linux"]
 buildMachine.maxJobs = 2 # 8 threads 32GB
 buildMachine.speedFactor = 4 # i7-6700
 buildMachine.supportedFeatures = ["kvm", "nixos-test", "cuda" ] #, "ccache" ] # no ccache because we have yet to setup distributed ccache
+buildMachine.protocol = "ssh-ng"
 ssh.listenPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOkcZ3cUAKk8uUvZPsX7PDBInkb3Eps3Xh+xVrhPY+sx"
 ssh.proxyJump = "login.stud.ntnu.no" # login.pvv.ntnu.no
 # ssh.connectTimeout = 3
@@ -213,6 +215,7 @@ ssh.connectTimeout = 10
 ssh.listenUser = "pbsds"
 ssh.listenPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKMHhlcn7fUpUuiOFeIhDqBzBNFsbNqq+NpzuGX3e6zv"
 ssh.userPrivateKey = "/run/secrets/nix-community-builders-ssh-key"
+# TODO: max-silent-time
 
 ["aarch64-build-box.nix-community.org"] # https://nix-community.org/community-builder/
 buildMachine.systems = [ "aarch64-linux" ]
@@ -223,6 +226,7 @@ ssh.connectTimeout = 10
 ssh.listenUser = "pbsds"
 ssh.listenPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG9uyfhyli+BRtk64y+niqtb+sKquRGGZ87f4YRc8EE1"
 ssh.userPrivateKey = "/run/secrets/nix-community-builders-ssh-key"
+# TODO: max-silent-time
 
 # ["eu.nixbuild.net"]
 # https://docs.nixbuild.net/getting-started/index.html

profiles/tailscale-exit-node.nix

@@ -1,5 +1,13 @@
 { config, ... }:
 
+let
+  exitNodeFlags = [
+    "--advertise-exit-node"
+    # "--exit-node-allow-lan-access"
+    # "--exit-node-allow-incoming-wan-access"
+  ];
+in
+
 {
   # exit nodes must be approved in admin interface
   # https://login.tailscale.com/admin/machines
@@ -10,8 +18,8 @@
   # or maybe even
   #     sudo systemctl start tailscaled-set
   services.tailscale.useRoutingFeatures = "both";
-  services.tailscale.extraSetFlags = [ "--advertise-exit-node" ];
-  services.tailscale.extraUpFlags = [ "--advertise-exit-node" ];
+  services.tailscale.extraSetFlags = exitNodeFlags;
+  services.tailscale.extraUpFlags = exitNodeFlags;
 
   # # Strict reverse path filtering breaks Tailscale exit node use and some subnet routing setups
   # # https://github.com/tailscale/tailscale/issues/4432#issuecomment-1112819111

users/pbsds/home/profiles/shell.nix

@@ -190,6 +190,7 @@ in
 
   home.shellAliases.kaomoji = "curl -s 'https://kaomoji.ru/en/' | htmlq tr td span --text | grep . | shuf | head -n1";
 
+  # home.shellAliases.swgl = "env LIBGL_ALWAYS_SOFTWARE=true GALLIUM_DRIVER=softpipe __GLX_VENDOR_LIBRARY_NAME=mesa ";
   home.shellAliases.swgl = "env LIBGL_ALWAYS_SOFTWARE=true GALLIUM_DRIVER=llvmpipe __GLX_VENDOR_LIBRARY_NAME=mesa ";
 
   home.packages = lib.filter (x: x != null) (with pkgs; [