Migrate to Snowfall (#1)

Reviewed-on: #1 Co-authored-by: Evan Reichard <evan@reichard.io> Co-committed-by: Evan Reichard <evan@reichard.io>
2025-04-21 00:56:53 +00:00
parent 72ba8ddf59
commit cf0fa75058
118 changed files with 3590 additions and 1571 deletions
--- a/systems/aarch64-linux/lin-va-mbp-personal/default.nix
+++ b/systems/aarch64-linux/lin-va-mbp-personal/default.nix
@@ -0,0 +1,60 @@
+{ namespace, lib, ... }:
+let
+  inherit (lib.${namespace}) enabled;
+in
+{
+  imports = [
+    ./hardware-configuration.nix
+  ];
+
+  system.stateVersion = "24.11";
+  time.timeZone = "America/New_York";
+
+  # System Config
+  reichard = {
+    nix = enabled;
+
+    system = {
+      boot = {
+        enable = true;
+        showNotch = true;
+        silentBoot = true;
+      };
+      networking = {
+        enable = true;
+        enableIWD = true;
+      };
+    };
+
+    hardware = {
+      opengl = enabled;
+      asahi = {
+        enable = true;
+        enableGPU = true;
+        firmwareDirectory = ./firmware;
+      };
+    };
+
+    services = {
+      avahi = enabled;
+      ydotool = enabled;
+    };
+
+    security = {
+      sops = {
+        enable = true;
+        defaultSopsFile = lib.snowfall.fs.get-file "secrets/lin-va-mbp-personal/default.yaml";
+      };
+    };
+
+    virtualisation = {
+      podman = enabled;
+    };
+
+    programs = {
+      graphical = {
+        wms.hyprland = enabled;
+      };
+    };
+  };
+}
--- a/systems/aarch64-linux/lin-va-mbp-personal/firmware/all_firmware.tar.gz
+++ b/systems/aarch64-linux/lin-va-mbp-personal/firmware/all_firmware.tar.gz
--- a/systems/aarch64-linux/lin-va-mbp-personal/firmware/kernelcache.release.mac14j
+++ b/systems/aarch64-linux/lin-va-mbp-personal/firmware/kernelcache.release.mac14j
--- a/systems/aarch64-linux/lin-va-mbp-personal/hardware-configuration.nix
+++ b/systems/aarch64-linux/lin-va-mbp-personal/hardware-configuration.nix
@@ -0,0 +1,37 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "usb_storage" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/6dce11fa-5075-44d4-b502-14d0a1b36e7f";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/2254-0F1E";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}
--- a/systems/x86_64-linux/lin-va-nix-builder/default.nix
+++ b/systems/x86_64-linux/lin-va-nix-builder/default.nix
@@ -0,0 +1,65 @@
+{ namespace, config, pkgs, ... }:
+let
+  cfg = config.${namespace}.user;
+in
+{
+  time.timeZone = "America/New_York";
+  system.stateVersion = "24.11";
+
+  reichard = {
+    system = {
+      boot = {
+        enable = true;
+        xenGuest = true;
+      };
+      disk = {
+        enable = true;
+        diskPath = "/dev/xvda";
+      };
+      networking = {
+        enable = true;
+        useStatic = {
+          interface = "enX0";
+          address = "10.0.50.130";
+          defaultGateway = "10.0.50.254";
+          nameservers = [ "10.0.50.254" ];
+        };
+      };
+    };
+
+    services = {
+      openssh = {
+        enable = true;
+        authorizedKeys = [
+          # evanreichard@lin-va-mbp-personal
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILJJoyXQOv9cAjGUHrUcvsW7vY9W0PmuPMQSI9AMZvNY"
+          # evanreichard@lin-va-thinkpad
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAq5JQr/6WJMIHhR434nK95FrDmf2ApW2Ahd2+cBKwDz"
+          # NixOS Builder
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDF8QjeN8lpT+Mc70zwEJQqN9W/GKvTOTd32VgfNhVdN"
+        ];
+      };
+    };
+  };
+
+  users.users.${cfg.name} = {
+    openssh = {
+      authorizedKeys.keys = [
+        # evanreichard@lin-va-mbp-personal
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILJJoyXQOv9cAjGUHrUcvsW7vY9W0PmuPMQSI9AMZvNY"
+        # evanreichard@lin-va-thinkpad
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAq5JQr/6WJMIHhR434nK95FrDmf2ApW2Ahd2+cBKwDz"
+        # NixOS Builder
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDF8QjeN8lpT+Mc70zwEJQqN9W/GKvTOTd32VgfNhVdN"
+      ];
+    };
+  };
+
+  # System Packages
+  environment.systemPackages = with pkgs; [
+    btop
+    git
+    tmux
+    vim
+  ];
+}
--- a/systems/x86_64-linux/lin-va-office/default.nix
+++ b/systems/x86_64-linux/lin-va-office/default.nix
@@ -0,0 +1,175 @@
+{ config, pkgs, ... }:
+
+let
+  cuda-llama = (pkgs.llama-cpp.override {
+    cudaSupport = true;
+  }).overrideAttrs (oldAttrs: {
+    cmakeFlags = oldAttrs.cmakeFlags ++ [
+      "-DGGML_CUDA_ENABLE_UNIFIED_MEMORY=1"
+
+      # Disable CPU Instructions - Intel(R) Core(TM) i5-3570K CPU @ 3.40GHz
+      "-DLLAMA_FMA=OFF"
+      "-DLLAMA_AVX2=OFF"
+      "-DLLAMA_AVX512=OFF"
+      "-DGGML_FMA=OFF"
+      "-DGGML_AVX2=OFF"
+      "-DGGML_AVX512=OFF"
+    ];
+  });
+
+  # Define Model Vars
+  modelDir = "/models";
+
+  # 7B
+  # modelName = "qwen2.5-coder-7b-q8_0.gguf";
+  # modelUrl = "https://huggingface.co/ggml-org/Qwen2.5-Coder-7B-Q8_0-GGUF/resolve/main/${modelName}?download=true";
+
+  # 3B
+  modelName = "qwen2.5-coder-3b-q8_0.gguf";
+  modelUrl = "https://huggingface.co/ggml-org/Qwen2.5-Coder-3B-Q8_0-GGUF/resolve/main/${modelName}?download=true";
+
+  modelPath = "${modelDir}/${modelName}";
+in
+
+{
+  # Allow Nvidia & CUDA
+  nixpkgs.config.allowUnfree = true;
+
+  # Enable Graphics
+  hardware.graphics = {
+    enable = true;
+    enable32Bit = true;
+    extraPackages = [ pkgs.cudatoolkit ];
+  };
+
+  # Load Nvidia Driver Module
+  services.xserver.videoDrivers = [ "nvidia" ];
+
+  # Nvidia Package Configuration
+  hardware.nvidia = {
+    package = config.boot.kernelPackages.nvidiaPackages.stable;
+    modesetting.enable = true;
+    powerManagement.enable = true;
+    open = false;
+    nvidiaSettings = true;
+  };
+
+  # Networking Configuration
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [
+      1234 # RTL-TCP
+      8080 # LLama API
+    ];
+  };
+
+  # RTL-SDR
+  hardware.rtl-sdr.enable = true;
+
+  systemd.services = {
+    # LLama Download Model
+    download-model = {
+      description = "Download Model";
+      wantedBy = [ "multi-user.target" ];
+      before = [ "llama-cpp.service" ];
+      path = [ pkgs.curl pkgs.coreutils ];
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+        User = "root";
+        Group = "root";
+      };
+      script = ''
+        set -euo pipefail
+
+        if [ ! -f "${modelPath}" ]; then
+          mkdir -p "${modelDir}"
+          # Add -f flag to follow redirects and -L for location
+          # Add --fail flag to exit with error on HTTP errors
+          # Add -C - to resume interrupted downloads
+          curl -f -L -C - \
+            -H "Accept: application/octet-stream" \
+            --retry 3 \
+            --retry-delay 5 \
+            --max-time 1800 \
+            "${modelUrl}" \
+            -o "${modelPath}.tmp" && \
+          mv "${modelPath}.tmp" "${modelPath}"
+        fi
+      '';
+    };
+
+    # RTL-SDR TCP Server Service
+    rtl-tcp = {
+      description = "RTL-SDR TCP Server";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      serviceConfig = {
+        ExecStart = "${pkgs.rtl-sdr}/bin/rtl_tcp -a 0.0.0.0 -f 1090000000 -s 2400000";
+        Restart = "on-failure";
+        RestartSec = "10s";
+        User = "root";
+        Group = "root";
+      };
+    };
+  };
+
+  # Setup LLama API Service
+  systemd.services.llama-cpp = {
+    after = [ "download-model.service" ];
+    requires = [ "download-model.service" ];
+  };
+
+  # Enable LLama API
+  services.llama-cpp = {
+    enable = true;
+    host = "0.0.0.0";
+    package = cuda-llama;
+    model = modelPath;
+    port = 8080;
+    openFirewall = true;
+
+    # 7B
+    # extraFlags = [
+    #   "-ngl"
+    #   "99"
+    #   "-fa"
+    #   "-ub"
+    #   "512"
+    #   "-b"
+    #   "512"
+    #   "-dt"
+    #   "0.1"
+    #   "--ctx-size"
+    #   "4096"
+    #   "--cache-reuse"
+    #   "256"
+    # ];
+
+    # 3B
+    extraFlags = [
+      "-ngl"
+      "99"
+      "-fa"
+      "-ub"
+      "1024"
+      "-b"
+      "1024"
+      "--ctx-size"
+      "0"
+      "--cache-reuse"
+      "256"
+    ];
+  };
+
+  # System Packages
+  environment.systemPackages = with pkgs; [
+    htop
+    nvtopPackages.full
+    rtl-sdr
+    tmux
+    vim
+    wget
+  ];
+}
--- a/systems/x86_64-linux/lin-va-thinkpad/default.nix
+++ b/systems/x86_64-linux/lin-va-thinkpad/default.nix
@@ -0,0 +1,55 @@
+{ namespace, lib, ... }:
+let
+  inherit (lib.${namespace}) enabled;
+in
+{
+  system.stateVersion = "24.11";
+  time.timeZone = "America/New_York";
+  hardware.enableRedistributableFirmware = true;
+
+  # System Config
+  reichard = {
+    nix = enabled;
+
+    system = {
+      boot = {
+        enable = true;
+        silentBoot = true;
+      };
+      disk = {
+        enable = true;
+        diskPath = "/dev/nvme0n1";
+      };
+      networking = {
+        enable = true;
+        enableIWD = true;
+      };
+    };
+
+    hardware = {
+      opengl = enabled;
+    };
+
+    services = {
+      avahi = enabled;
+      ydotool = enabled;
+    };
+
+    virtualisation = {
+      podman = enabled;
+    };
+
+    programs = {
+      graphical = {
+        wms.hyprland = enabled;
+      };
+    };
+
+    security = {
+      sops = {
+        enable = true;
+        defaultSopsFile = lib.snowfall.fs.get-file "secrets/lin-va-thinkpad/default.yaml";
+      };
+    };
+  };
+}
--- a/systems/x86_64-linux/lin-va-utility/default.nix
+++ b/systems/x86_64-linux/lin-va-utility/default.nix
@@ -0,0 +1,43 @@
+{ namespace, lib, ... }:
+let
+  inherit (lib.${namespace}) enabled;
+in
+{
+  system.stateVersion = "24.11";
+  time.timeZone = "America/New_York";
+
+  reichard = {
+    nix = enabled;
+
+    system = {
+      boot = {
+        enable = true;
+        silentBoot = true;
+      };
+      networking = enabled;
+    };
+
+    hardware = {
+      opengl = {
+        enable = true;
+        enable32Bit = true; # Necessary?
+        enableIntel = true;
+      };
+    };
+
+    services = {
+      avahi = enabled;
+      ydotool = enabled;
+    };
+
+    virtualisation = {
+      podman = enabled;
+    };
+
+    programs = {
+      graphical = {
+        wms.hyprland = enabled;
+      };
+    };
+  };
+}
--- a/systems/x86_64-qcow/lin-va-rke2/default.nix
+++ b/systems/x86_64-qcow/lin-va-rke2/default.nix
@@ -0,0 +1,52 @@
+{ namespace, lib, modulesPath, ... }:
+let
+  inherit (lib.${namespace}) enabled;
+in
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  config = {
+    # Basic System
+    system.stateVersion = "24.11";
+    time.timeZone = "UTC";
+
+    reichard = {
+      nix = enabled;
+
+      system = {
+        boot = {
+          enable = true;
+          xenGuest = true;
+        };
+        networking = {
+          enable = true;
+          useDHCP = false;
+          useNetworkd = true;
+        };
+      };
+
+      services = {
+        avahi = enabled;
+        openssh = enabled;
+        cloud-init = enabled;
+        rke2 = {
+          enable = true;
+          disable = [ "rke2-ingress-nginx" ];
+        };
+        openiscsi = {
+          enable = true;
+          symlink = true;
+        };
+      };
+
+      hardware = {
+        opengl = {
+          enable = true;
+          enableIntel = true;
+        };
+      };
+    };
+  };
+}