exp/infra
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

commit

Browse source
This commit is contained in:
kirbara 2025-12-05 18:44:17 +07:00
parent 31560f486a
commit 2e41b73306
Signed by: exp
GPG key ID: D7E63AD0019E75D9
6 changed files with 141 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

1
module/aspect/base/security.nix
View file

@ -8,6 +8,7 @@
sudo-rs.enable = true;
sudo-rs.wheelNeedsPassword = false;
};
systemd.coredump.enable = false;
};
};
};

64
module/aspect/clamav.nix Normal file
View file

@ -0,0 +1,64 @@
{
den.aspects = {
clamav = {
nixos =
{ pkgs, ... }:
{
environment.systemPackages = [
pkgs.clamav
];
services.clamav = {
daemon = {
enable = true;
settings = {
# logging & performance
LogFile = "/var/log/clamav/clamd.log";
LogTime = true;
LogVerbose = false;
ExtendedDetectionInfo = true;
PidFile = "/run/clamav/clamd.pid";
TemporaryDirectory = "/tmp";
LocalSocket = "/run/clamav/clamd.ctl";
# scanning limits
MaxScanSize = "100M";
MaxFileSize = "100M";
MaxRecursion = 16;
MaxFiles = 10000;
StreamMaxLength = "25M";
# heuristics & security
HeuristicAlerts = true;
StructuredDataDetection = false;
ScanPE = true;
ScanELF = true;
ScanOLE2 = true;
ScanPDF = true;
ScanHTML = true;
ScanArchive = true;
# anti phishing
AlertPhishingSSLMismatch = true;
AlertPhishingCloak = true;
DetectPUA = true;
# bytecode
Bytecode = true;
BytecodeSecurity = "Paranoid";
BytecodeTimeout = 60000;
# real-time protection
# ScanOnAccess = true;
# OnAccessPrevention = true;
# OnAccessExtraScanning = true;
# OnAccessExcludeUname = "clamav"; # prevent loop
# OnAccessIncludePath = [
# "/home"
# "/tmp"
# ];
};
};
updater = {
enable = true;
interval = "daily";
};
};
};
};
};
}

14
module/aspect/eyay/llama-cpp.nix Normal file
View file

@ -0,0 +1,14 @@
{
den.aspects = {
llama-cpp = {
nixos =
{ pkgs, ... }:
{
environment.systemPackages = [
pkgs.llama-cpp
pkgs.llama-swap
];
};
};
};
}

2
puter/000-bm-nixos-kirakira/kirakira.nix
View file

@ -154,6 +154,8 @@ in
ark-archiver.homeManager
yazi.homeManager
# -----
clamav.nixos
# -----
obsidian.homeManager
shotcut.homeManager
blender-hip-latest.homeManager

56
puter/000-bm-nixos-kirakira/specific-aspect/llama-cpp-rocm.nix Normal file
View file

@ -0,0 +1,56 @@
{
den.aspects = {
kirakira = {
nixos =
{ pkgs, ... }:
{
# ----- overrides
nixpkgs.config = {
packageOverrides = pkgs: {
llama-cpp =
(pkgs.llama-cpp.override {
rocmSupport = true;
rocmGpuTargets = [ "gfx1031" ];
blasSupport = true;
cudaSupport = false;
metalSupport = false;
}).overrideAttrs
(oldAttrs: rec {
version = "7205";
src = pkgs.fetchFromGitHub {
owner = "ggml-org";
repo = "llama.cpp";
tag = "b${version}";
hash = "sha256-1CcYbc8RWAPVz8hoxKEmbAgQesC1oGFZ3fhfuU5vmOc=";
leaveDotGit = true;
postFetch = ''
git -C "$out" rev-parse --short HEAD > $out/COMMIT
find "$out" -name .git -print0 | xargs -0 rm -rf
'';
};
cmakeFlags = (oldAttrs.cmakeFlags or []) ++ [
"-DGGML_NATIVE=ON"
];
preConfigure = ''
export NIX_ENFORCE_NO_NATIVE=0
${oldAttrs.preConfigure or ""}
'';
});
# llama-swap from GitHub releases
llama-swap = pkgs.runCommand "llama-swap" { } ''
mkdir -p $out/bin
tar -xzf ${
pkgs.fetchurl {
url = "https://github.com/mostlygeek/llama-swap/releases/download/v175/llama-swap_175_linux_amd64.tar.gz";
hash = "sha256-zeyVz0ldMxV4HKK+u5TtAozfRI6IJmeBo92IJTgkGrQ=";
}
} -C $out/bin
chmod +x $out/bin/llama-swap
'';
};
};
};
};
};
}

6
puter/030-vm-nixos-neru/neru.nix
View file

@ -75,11 +75,13 @@ in
# -------------------------------------------------
base.nixos
software-tty.nixos
# ----------------
# -----
root.nixos
ssh-server.nixos
# ----------------
# -----
sops.nixos
# -----
clamav.nixos
] ++ [ # ---- nixos home-manager
inputs.home-manager.nixosModules.home-manager {
home-manager.extraSpecialArgs = { inherit inputs; }; # fix infinite recursion