From 2e41b733068bc5b979fa5eb4b8146f82cb5269eb Mon Sep 17 00:00:00 2001
From: kirbara
Date: Fri, 5 Dec 2025 18:44:17 +0700
Subject: [PATCH] commit
---
 module/aspect/base/security.nix | 1 +
 module/aspect/clamav.nix | 64 +++++++++++++++++++
 module/aspect/eyay/llama-cpp.nix | 14 ++++
 puter/000-bm-nixos-kirakira/kirakira.nix | 2 +
 .../specific-aspect/llama-cpp-rocm.nix | 56 ++++++++++++++++
 puter/030-vm-nixos-neru/neru.nix | 6 +-
 6 files changed, 141 insertions(+), 2 deletions(-)
 create mode 100644 module/aspect/clamav.nix
 create mode 100644 module/aspect/eyay/llama-cpp.nix
 create mode 100644 puter/000-bm-nixos-kirakira/specific-aspect/llama-cpp-rocm.nix
diff --git a/module/aspect/base/security.nix b/module/aspect/base/security.nix
index 5a34a92..a8d626c 100644
--- a/module/aspect/base/security.nix
+++ b/module/aspect/base/security.nix
@@ -8,6 +8,7 @@
 sudo-rs.enable = true;
 sudo-rs.wheelNeedsPassword = false;
 };
+ systemd.coredump.enable = false;
 };
 };
 };
diff --git a/module/aspect/clamav.nix b/module/aspect/clamav.nix
new file mode 100644
index 0000000..7a15ff5
--- /dev/null
+++ b/module/aspect/clamav.nix
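Review bot: Turning off the handler with `systemd.coredump.enable = false;` does not by itself guarantee that no core dump reaches disk: once systemd-coredump is out of the picture, where a crashing process writes its core depends on `kernel.core_pattern` and the process's RLIMIT_CORE, so a dump may still land as a plain `core` file in the working directory, possibly readable by other local users. If the intent is "never persist process memory", the usual NixOS approach is to keep the handler and discard instead, `systemd.coredump.extraConfig = "Storage=none";`, which still leaves a journal entry for crash diagnostics. Whichever is chosen, a why-comment on the line, e.g. `# core dumps can expose secrets held in process memory; do not persist them`, would make the intent clear to the next reader. The enclosing attribute set starts and ends outside the hunk.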
@@ -0,0 +1,64 @@
+{
+ den.aspects = {
+ clamav = {
+ nixos =
+ { pkgs, ... }:
+ {
+ environment.systemPackages = [
+ pkgs.clamav
+ ];
+ services.clamav = {
+ daemon = {
+ enable = true;
+ settings = {
+ # logging & performance
+ LogFile = "/var/log/clamav/clamd.log";
+ LogTime = true;
+ LogVerbose = false;
+ ExtendedDetectionInfo = true;
+ PidFile = "/run/clamav/clamd.pid";
+ TemporaryDirectory = "/tmp";
+ LocalSocket = "/run/clamav/clamd.ctl";
+ # scanning limits
+ MaxScanSize = "100M";
+ MaxFileSize = "100M";
+ MaxRecursion = 16;
+ MaxFiles = 10000;
+ StreamMaxLength = "25M";
+ # heuristics & security
+ HeuristicAlerts = true;
+ StructuredDataDetection = false;
+ ScanPE = true;
+ ScanELF = true;
+ ScanOLE2 = true;
+ ScanPDF = true;
+ ScanHTML = true;
+ ScanArchive = true;
+ # anti phishing
+ AlertPhishingSSLMismatch = true;
+ AlertPhishingCloak = true;
+ DetectPUA = true;
+ # bytecode
+ Bytecode = true;
+ BytecodeSecurity = "Paranoid";
+ BytecodeTimeout = 60000;
+ # real-time protection
+ # ScanOnAccess = true;
+ # OnAccessPrevention = true;
+ # OnAccessExtraScanning = true;
+ # OnAccessExcludeUname = "clamav"; # prevent loop
+ # OnAccessIncludePath = [
+ # "/home"
+ # "/tmp"
+ # ];
+ };
+ };
+ updater = {
+ enable = true;
+ interval = "daily";
+ };
+ };
+ };
+ };
+ };
+}
\ No newline at end of file
diff --git a/module/aspect/eyay/llama-cpp.nix b/module/aspect/eyay/llama-cpp.nix
new file mode 100644
index 0000000..21e2617
--- /dev/null
+++ b/module/aspect/eyay/llama-cpp.nix
@@ -0,0 +1,14 @@
+{
+ den.aspects = {
+ llama-cpp = {
+ nixos =
+ { pkgs, ... }:
+ {
+ environment.systemPackages = [
+ pkgs.llama-cpp
+ pkgs.llama-swap
+ ];
+ };
+ };
+ };
+}
\ No newline at end of file
diff --git a/puter/000-bm-nixos-kirakira/kirakira.nix b/puter/000-bm-nixos-kirakira/kirakira.nix
index 5f4c496..3ebec34 100644
--- a/puter/000-bm-nixos-kirakira/kirakira.nix
+++ b/puter/000-bm-nixos-kirakira/kirakira.nix
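Review bot: The daemon is enabled but nothing in this module ever drives a scan: the whole `# real-time protection` block is commented out and no scheduled scan is configured, so until something on the host explicitly calls `clamdscan`/`clamscan` the machine pays for signature loading and the daily updater without gaining any detection. If periodic scanning is the intent, `services.clamav.scanner` (`enable`, `interval`, `scanDirectories`) on recent NixOS channels gives a timer-driven baseline; otherwise a comment next to `daemon.enable` stating how the daemon is meant to be invoked would stop a reader from assuming real-time protection is active. Worth a comment on the commented-out `ScanOnAccess` lines too: on ClamAV 0.102 and later, on-access scanning runs in the separate `clamonacc` process, which nothing here starts, so uncommenting them alone would not be enough. Also, `TemporaryDirectory = "/tmp";` is where archives get unpacked up to `MaxScanSize`/`MaxRecursion`; if /tmp is a tmpfs on these hosts that unpacking competes with RAM, so a disk-backed directory may be the safer choice.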
@@ -154,6 +154,8 @@ in
 ark-archiver.homeManager
 yazi.homeManager
 # -----
+ clamav.nixos
+ # -----
 obsidian.homeManager
 shotcut.homeManager
 blender-hip-latest.homeManager
diff --git a/puter/000-bm-nixos-kirakira/specific-aspect/llama-cpp-rocm.nix b/puter/000-bm-nixos-kirakira/specific-aspect/llama-cpp-rocm.nix
new file mode 100644
index 0000000..68eedcc
--- /dev/null
+++ b/puter/000-bm-nixos-kirakira/specific-aspect/llama-cpp-rocm.nix
@@ -0,0 +1,56 @@
+{
+ den.aspects = {
+ kirakira = {
+ nixos =
+ { pkgs, ... }:
+ {
+ # ----- overrides
+ nixpkgs.config = {
+ packageOverrides = pkgs: {
+ llama-cpp =
+ (pkgs.llama-cpp.override {
+ rocmSupport = true;
+ rocmGpuTargets = [ "gfx1031" ];
+ blasSupport = true;
+ cudaSupport = false;
+ metalSupport = false;
+ }).overrideAttrs
+ (oldAttrs: rec {
+ version = "7205";
+ src = pkgs.fetchFromGitHub {
+ owner = "ggml-org";
+ repo = "llama.cpp";
+ tag = "b${version}";
+ hash = "sha256-1CcYbc8RWAPVz8hoxKEmbAgQesC1oGFZ3fhfuU5vmOc=";
+ leaveDotGit = true;
+ postFetch = ''
+ git -C "$out" rev-parse --short HEAD > $out/COMMIT
+ find "$out" -name .git -print0 | xargs -0 rm -rf
+ '';
+ };
+ cmakeFlags = (oldAttrs.cmakeFlags or []) ++ [
+ "-DGGML_NATIVE=ON"
+ ];
+ preConfigure = ''
+ export NIX_ENFORCE_NO_NATIVE=0
+ ${oldAttrs.preConfigure or ""}
+ '';
+ });
+
+ # llama-swap from GitHub releases
+ llama-swap = pkgs.runCommand "llama-swap" { } ''
+ mkdir -p $out/bin
+ tar -xzf ${
+ pkgs.fetchurl {
+ url = "https://github.com/mostlygeek/llama-swap/releases/download/v175/llama-swap_175_linux_amd64.tar.gz";
+ hash = "sha256-zeyVz0ldMxV4HKK+u5TtAozfRI6IJmeBo92IJTgkGrQ=";
+ }
+ } -C $out/bin
+ chmod +x $out/bin/llama-swap
+ '';
+ };
+ };
+ };
+ };
+ };
+}
\ No newline at end of file
diff --git a/puter/030-vm-nixos-neru/neru.nix b/puter/030-vm-nixos-neru/neru.nix
index b3f0e26..2f4c5bc 100644
--- a/puter/030-vm-nixos-neru/neru.nix
+++ b/puter/030-vm-nixos-neru/neru.nix
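Review bot: The `llama-swap` override in llama-cpp-rocm.nix replaces the nixpkgs package with a prebuilt release tarball (`llama-swap_175_linux_amd64.tar.gz`) unpacked by `runCommand`; the `hash` pins the bytes, but not how they were produced, so the host now runs an upstream-built binary instead of a from-source build. If the only goal is a newer version than the channel carries, bumping `pkgs.llama-swap` via `overrideAttrs` (`version`, `src` and its vendor hash) keeps the source build; if the prebuilt binary is deliberate, a comment saying why (e.g. `# prebuilt release: channel version too old`) would record the trade-off. `-DGGML_NATIVE=ON` together with `NIX_ENFORCE_NO_NATIVE=0` ties the llama-cpp build to the build host's CPU, which is fine for a host-specific aspect but means the output should not be served from a shared binary cache to other machines; a one-line comment there would prevent that mistake. `nixpkgs.config.packageOverrides` also works, but `nixpkgs.overlays` is the form the rest of the ecosystem composes with and would be the more conventional place for these two overrides.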
@@ -75,11 +75,13 @@ in # ------------------------------------------------- base.nixos software-tty.nixos - # ---------------- + # ----- root.nixos ssh-server.nixos - # ---------------- + # ----- sops.nixos + # ----- + clamav.nixos ] ++ [ # ---- nixos home-manager inputs.home-manager.nixosModules.home-manager { home-manager.extraSpecialArgs = { inherit inputs; }; # fix infinite recursion