diff --git a/flake.nix b/flake.nix
index f2bb0eb..f9e96a6 100644
--- a/flake.nix
+++ b/flake.nix
@@ -120,10 +120,12 @@
 nixConfig.extra-substituters = [
 "https://nix-community.cachix.org?priority=1" # less is more /shrug
 "https://numtide.cachix.org" # dead? https://github.com/numtide/nixpkgs-unfree/commit/399ae17bda97a0318a0c5316edb169d097a776dc
+ "https://cache.flox.dev" # https://flox.dev/blog/flox-the-nix-foundation-and-nvidia-partner-for-cuda/
 ];
 nixConfig.extra-trusted-public-keys = [
 "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
 "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
+ "flox-cache-public-1:7F4OyH7ZCnFhcze3fJdfyXYLQw/aV7GEed86nQ7IsOs="
 ];
 outputs = { self, ... } @ inputs':
diff --git a/hardware/gpu/cuda-common.nix b/hardware/gpu/cuda-common.nix
index d7cf636..fe74a62 100644
--- a/hardware/gpu/cuda-common.nix
+++ b/hardware/gpu/cuda-common.nix
@@ -27,12 +27,17 @@ lib.mkMerge [
 nixpkgs.config.vaapiSupport = true;
 nixpkgs.config.nvidiaSupport = true;
- nixpkgs.config.allowUnfreePredicate = pkg: lib.any (x: x) [
- (lib.hasInfix "nvidia" (lib.toLower (lib.getName pkg)))
- (lib.hasInfix "cuda" (lib.toLower (lib.getName pkg)))
- (lib.hasInfix "cudnn" (lib.toLower (lib.getName pkg)))
- (lib.hasInfix "cublas" (lib.toLower (lib.getName pkg)))
- ];
+ nixpkgs.config.allowUnfreePredicate =
+ pkg:
+ let
+ pkgname = (lib.toLower (lib.getName pkg));
+ in
+ lib.any (x: x) [
+ (lib.hasInfix "nvidia" pkgname)
+ (lib.hasInfix "cuda" pkgname)
+ (lib.hasInfix "cudnn" pkgname)
+ (lib.hasInfix "cublas" pkgname)
+ ];
 }
 /* lib.mkIf (lib.versionAtLeast (lib.versions.majorMinor lib.version) "24.11") { */
diff --git a/profiles/base/default.nix b/profiles/base/default.nix
index d242770..4701ded 100644
--- a/profiles/base/default.nix
+++ b/profiles/base/default.nix
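Review bot: The new `flox-cache-public-1:...` entry in `nixConfig.extra-trusted-public-keys` grants store-wide trust, not CUDA-scoped trust: once the key is trusted, any store path whose NAR is signed with it is accepted from any configured substituter, and the blog link beside the substituter does not convey that scope. Suggest annotating the key itself, e.g. `# trusting this key accepts any path signed by flox, not only the CUDA packages fetched from cache.flox.dev`. Also, unlike the nix-community entry, the flox substituter carries no `?priority=`, so it sits at the same default priority as the numtide cache the existing comment already suspects is dead; if ordering matters, pin it explicitly. Note that a flake's `nixConfig` only takes effect once the user accepts it (`accept-flake-config` or the interactive prompt), so hosts that decline will silently fall back to building from source.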
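Review bot: The refactored `allowUnfreePredicate` is dead code on any host that also imports profiles/base/default.nix, because that file (hunk `@@ -20,6 +20,18 @@` in this same commit) still sets `nixpkgs.config.allowUnfree = true`, and nixpkgs consults the predicate only when `allowUnfree` is false; whether both profiles land on the same host is not visible here, so confirm. If a CUDA-only allowlist is the goal, base's blanket `allowUnfree = true` has to go and the narrower predicate (the TODO sketched in base) replaces it. Separately, `lib.hasInfix` is a substring test, so `"cuda"` admits any unfree package whose lowercased name merely contains that string; an exact `lib.elem pkgname [ ... ]` allowlist would be tighter if the set is known. A one-line comment would save the next reader the trip: `# only consulted when nixpkgs.config.allowUnfree is false; substring match, so this over-approximates`. The enclosing `lib.mkMerge [ { ... } ]` starts outside the hunk.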
@@ -20,6 +20,18 @@
 (import ./../../overlays/wl-clipboard-timeout.nix)
 ];
+ # TODO: selectively whitelist
+ nixpkgs.config.allowUnfree = true;
+ # nixpkgs.config.allowAliases = false;
+ # nixpkgs.config.warnAliases = true;
+ nixpkgs.config.nonfreeLicensing = true; # used by ffmpeg
+
+ # TODO:
+ # nixpkgs.config.allowUnfreePredicate = drv: lib.elem (lib.getName drv) [
+ # pkgs.davinci-resolve.pname
+ # pkgs.intel-ocl.pname
+ # ];
+
 nixpkgs.config.permittedInsecurePackages = [
 pkgs.pulsar.name # TODO: remove once electron is bumped
 pkgs.zotero.name
@@ -46,13 +58,6 @@
 pkgs.weston
 ]);
- # TODO: selectively whitelist
- nixpkgs.config.allowUnfree = true;
- # nixpkgs.config.allowAliases = false;
- # nixpkgs.config.warnAliases = true;
- nixpkgs.config.allowUnfreePredicate = pkg: true;
- nixpkgs.config.nonfreeLicensing = true; # used by ffmpeg
-
 # apply microcode to fix functional and security issues
 hardware.enableRedistributableFirmware = true;
 hardware.cpu.amd.updateMicrocode = pkgs.stdenv.isx86_64;
diff --git a/profiles/known-hosts/hosts.toml b/profiles/known-hosts/hosts.toml
index 82047eb..f2316d1 100644
--- a/profiles/known-hosts/hosts.toml
+++ b/profiles/known-hosts/hosts.toml
@@ -67,6 +67,7 @@ buildMachine.systems = ["x86_64-linux", "i686-linux", "riscv64-linux"]
 # buildMachine.maxJobs = 3 # 12 threads 32GB
 buildMachine.speedFactor = 3 # i7-5820K
 buildMachine.supportedFeatures = ["kvm", "nixos-test", "ccache" ]
+buildMachine.protocol = "ssh-ng"
 # useAsSubstituter = true
 ssh.listenPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH03MEINNnjBvtmvN2QsCDCLkvF9ow5FQJp9uiyQ1Iwi"
 ssh.proxyJump = "login.stud.ntnu.no" # login.pvv.ntnu.no
@@ -79,6 +80,7 @@ buildMachine.systems = ["x86_64-linux", "i686-linux", "riscv64-linux"]
 buildMachine.maxJobs = 2 # 8 threads 32GB
 buildMachine.speedFactor = 4 # i7-6700
 buildMachine.supportedFeatures = ["kvm", "nixos-test", "cuda" ] #, "ccache" ] # no ccache because we have yet to setup distributed ccache
+buildMachine.protocol = "ssh-ng"
 ssh.listenPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOkcZ3cUAKk8uUvZPsX7PDBInkb3Eps3Xh+xVrhPY+sx"
 ssh.proxyJump = "login.stud.ntnu.no" # login.pvv.ntnu.no
 # ssh.connectTimeout = 3
@@ -213,6 +215,7 @@ ssh.connectTimeout = 10
 ssh.listenUser = "pbsds"
 ssh.listenPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKMHhlcn7fUpUuiOFeIhDqBzBNFsbNqq+NpzuGX3e6zv"
 ssh.userPrivateKey = "/run/secrets/nix-community-builders-ssh-key"
+# TODO: max-silent-time
 ["aarch64-build-box.nix-community.org"] # https://nix-community.org/community-builder/
 buildMachine.systems = [ "aarch64-linux" ]
@@ -223,6 +226,7 @@ ssh.connectTimeout = 10
 ssh.listenUser = "pbsds"
 ssh.listenPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG9uyfhyli+BRtk64y+niqtb+sKquRGGZ87f4YRc8EE1"
 ssh.userPrivateKey = "/run/secrets/nix-community-builders-ssh-key"
+# TODO: max-silent-time
 # ["eu.nixbuild.net"] # https://docs.nixbuild.net/getting-started/index.html
diff --git a/profiles/tailscale-exit-node.nix b/profiles/tailscale-exit-node.nix
index 4d867f4..0461afe 100644
--- a/profiles/tailscale-exit-node.nix
+++ b/profiles/tailscale-exit-node.nix
@@ -1,5 +1,13 @@
 { config, ... }:
+let
+ exitNodeFlags = [
+ "--advertise-exit-node"
+ # "--exit-node-allow-lan-access"
+ # "--exit-node-allow-incoming-wan-access"
+ ];
+in
+
 {
 # exit nodes must be approved in admin interface
 # https://login.tailscale.com/admin/machines
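Review bot: Of the two commented-out entries in the new `exitNodeFlags` binding, `--exit-node-allow-lan-access` is, as documented for `tailscale up`, a setting for the client that *uses* an exit node (it lets that client keep reaching its own LAN while routed through the exit), so it does not belong in a flag list advertised by the exit node itself and uncommenting it here would not change what this node exposes. I could not confirm that `--exit-node-allow-incoming-wan-access` is a tailscale CLI flag at all, so verify it exists before enabling it. Suggest annotating the list so these are not later read as exit-node hardening toggles: `# client-side flag (applies on the machine using this exit node), not an exit-node setting`. The same binding is consumed by the `@@ -10,8 +18,8 @@` hunk of this file, which needs no separate change.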
@@ -10,8 +18,8 @@
 # or maybe even
 # sudo systemctl start tailscaled-set
 services.tailscale.useRoutingFeatures = "both";
- services.tailscale.extraSetFlags = [ "--advertise-exit-node" ];
- services.tailscale.extraUpFlags = [ "--advertise-exit-node" ];
+ services.tailscale.extraSetFlags = exitNodeFlags;
+ services.tailscale.extraUpFlags = exitNodeFlags;
 # # Strict reverse path filtering breaks Tailscale exit node use and some subnet routing setups
 # # https://github.com/tailscale/tailscale/issues/4432#issuecomment-1112819111
diff --git a/users/pbsds/home/profiles/shell.nix b/users/pbsds/home/profiles/shell.nix
index b1d1bb2..88c7551 100644
--- a/users/pbsds/home/profiles/shell.nix
+++ b/users/pbsds/home/profiles/shell.nix
@@ -190,6 +190,7 @@ in
 home.shellAliases.kaomoji = "curl -s 'https://kaomoji.ru/en/' | htmlq tr td span --text | grep . | shuf | head -n1";
+ # home.shellAliases.swgl = "env LIBGL_ALWAYS_SOFTWARE=true GALLIUM_DRIVER=softpipe __GLX_VENDOR_LIBRARY_NAME=mesa ";
 home.shellAliases.swgl = "env LIBGL_ALWAYS_SOFTWARE=true GALLIUM_DRIVER=llvmpipe __GLX_VENDOR_LIBRARY_NAME=mesa ";
 home.packages = lib.filter (x: x != null) (with pkgs; [