kirbara 2025-12-05 18:44:17 +07:00
parent 31560f486a
commit 2e41b73306
Signed by: exp
GPG key ID: D7E63AD0019E75D9
6 changed files with 141 additions and 2 deletions


@ -8,6 +8,7 @@
sudo-rs.enable = true; sudo-rs.enable = true;
sudo-rs.wheelNeedsPassword = false; sudo-rs.wheelNeedsPassword = false;
}; };
systemd.coredump.enable = false;
}; };
}; };
}; };
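Review bot: `systemd.coredump.enable = false;` only removes the systemd-coredump handler, and that alone may not keep crashed-process memory off disk: as far as I know the NixOS module then falls back to a plain `core` pattern, so a core file can still land in the process's working directory when the core rlimit allows it. If the intent is hardening, keeping the handler and adding `systemd.coredump.extraConfig = "Storage=none";` is the more reliable form, or alternatively a hard `core` limit of 0 through `security.pam.loginLimits`. A short comment stating the intent would help too, since the enclosing block starts outside the hunk and the reason is not visible here.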

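--- a/module/aspect/clamav.nix
+++ b/module/aspect/clamav.nix
@@ -0,0 +1,64 @@
+{
+den.aspects = {
+clamav = {
+nixos =
+{ pkgs, ... }:
+{
+environment.systemPackages = [
+pkgs.clamav
+];
+services.clamav = {
+daemon = {
+enable = true;
+settings = {
+# logging & performance
+LogFile = "/var/log/clamav/clamd.log";
+LogTime = true;
+LogVerbose = false;
+ExtendedDetectionInfo = true;
+PidFile = "/run/clamav/clamd.pid";
+TemporaryDirectory = "/tmp";
+LocalSocket = "/run/clamav/clamd.ctl";
+# scanning limits
+MaxScanSize = "100M";
+MaxFileSize = "100M";
+MaxRecursion = 16;
+MaxFiles = 10000;
+StreamMaxLength = "25M";
+# heuristics & security
+HeuristicAlerts = true;
+StructuredDataDetection = false;
+ScanPE = true;
+ScanELF = true;
+ScanOLE2 = true;
+ScanPDF = true;
+ScanHTML = true;
+ScanArchive = true;
+# anti phishing
+AlertPhishingSSLMismatch = true;
+AlertPhishingCloak = true;
+DetectPUA = true;
+# bytecode
+Bytecode = true;
+BytecodeSecurity = "Paranoid";
+BytecodeTimeout = 60000;
+# real-time protection
+# ScanOnAccess = true;
+# OnAccessPrevention = true;
+# OnAccessExtraScanning = true;
+# OnAccessExcludeUname = "clamav"; # prevent loop
+# OnAccessIncludePath = [
+# "/home"
+# "/tmp"
+# ];
+};
+};
+updater = {
+enable = true;
+interval = "daily";
+};
+};
+};
+};
+};
+}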
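Review bot: Files larger than `MaxFileSize`/`MaxScanSize` (100M here) are skipped by clamd and come back as clean by default, so the scanning-limits group should also set `AlertExceedsMax = true;` to make those skips show up as findings in the log. With the whole on-access group commented out, nothing in this file triggers a scan; the daemon only answers clients such as clamdscan, so either add a scheduled scan or say in a comment that scans are run by hand. `TemporaryDirectory = "/tmp"` sends the unpacking of untrusted content to a shared directory unless the service unit isolates it (not visible here); a directory owned by the clamav user would be the safer default.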


@ -0,0 +1,14 @@
{
den.aspects = {
llama-cpp = {
nixos =
{ pkgs, ... }:
{
environment.systemPackages = [
pkgs.llama-cpp
pkgs.llama-swap
];
};
};
};
}


@ -154,6 +154,8 @@ in
ark-archiver.homeManager ark-archiver.homeManager
yazi.homeManager yazi.homeManager
# ----- # -----
clamav.nixos
# -----
obsidian.homeManager obsidian.homeManager
shotcut.homeManager shotcut.homeManager
blender-hip-latest.homeManager blender-hip-latest.homeManager


@ -0,0 +1,56 @@
{
den.aspects = {
kirakira = {
nixos =
{ pkgs, ... }:
{
# ----- overrides
nixpkgs.config = {
packageOverrides = pkgs: {
llama-cpp =
(pkgs.llama-cpp.override {
rocmSupport = true;
rocmGpuTargets = [ "gfx1031" ];
blasSupport = true;
cudaSupport = false;
metalSupport = false;
}).overrideAttrs
(oldAttrs: rec {
version = "7205";
src = pkgs.fetchFromGitHub {
owner = "ggml-org";
repo = "llama.cpp";
tag = "b${version}";
hash = "sha256-1CcYbc8RWAPVz8hoxKEmbAgQesC1oGFZ3fhfuU5vmOc=";
leaveDotGit = true;
postFetch = ''
git -C "$out" rev-parse --short HEAD > $out/COMMIT
find "$out" -name .git -print0 | xargs -0 rm -rf
'';
};
cmakeFlags = (oldAttrs.cmakeFlags or []) ++ [
"-DGGML_NATIVE=ON"
];
preConfigure = ''
export NIX_ENFORCE_NO_NATIVE=0
${oldAttrs.preConfigure or ""}
'';
});
# llama-swap from GitHub releases
llama-swap = pkgs.runCommand "llama-swap" { } ''
mkdir -p $out/bin
tar -xzf ${
pkgs.fetchurl {
url = "https://github.com/mostlygeek/llama-swap/releases/download/v175/llama-swap_175_linux_amd64.tar.gz";
hash = "sha256-zeyVz0ldMxV4HKK+u5TtAozfRI6IJmeBo92IJTgkGrQ=";
}
} -C $out/bin
chmod +x $out/bin/llama-swap
'';
};
};
};
};
};
}
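Review bot: The `llama-swap` derivation installs a prebuilt upstream release binary, and the `hash` on the `fetchurl` only pins the bytes that were downloaded once; it says nothing about how they were built, so a comment recording how that hash was checked (for example against checksums published with the release, if upstream provides them) would make the trust decision reviewable. The `tar -xzf … -C $out/bin` line also unpacks every archive member into `bin`; naming the member, `tar -xzf ${…} -C $out/bin llama-swap`, keeps stray files out of PATH and fails the build if the archive layout changes. Separately, `packageOverrides = pkgs:` shadows the module's `pkgs` argument, and a different parameter name would make it clearer which package set `pkgs.llama-cpp.override` refers to.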


@ -75,11 +75,13 @@ in
# ------------------------------------------------- # -------------------------------------------------
base.nixos base.nixos
software-tty.nixos software-tty.nixos
# ---------------- # -----
root.nixos root.nixos
ssh-server.nixos ssh-server.nixos
# ---------------- # -----
sops.nixos sops.nixos
# -----
clamav.nixos
] ++ [ # ---- nixos home-manager ] ++ [ # ---- nixos home-manager
inputs.home-manager.nixosModules.home-manager { inputs.home-manager.nixosModules.home-manager {
home-manager.extraSpecialArgs = { inherit inputs; }; # fix infinite recursion home-manager.extraSpecialArgs = { inherit inputs; }; # fix infinite recursion