diff --git a/flake-modules/config.nix b/flake-modules/config.nix index 179819e..9d068c4 100644 --- a/flake-modules/config.nix +++ b/flake-modules/config.nix @@ -6,11 +6,13 @@ system, lib', ... -}: let +}: +let specialArgs = { inherit inputs self lib'; }; -in { +in +{ flake = { systemConfigs.default = inputs.system-manager.lib.makeSystemConfig { extraSpecialArgs = specialArgs; @@ -27,13 +29,14 @@ in { inherit system pkgs specialArgs; modules = [ ../modules - ({modulesPath, ...}: { - # use virtual machine profile, otherwise file systems need to be defined - imports = [ - "${modulesPath}/virtualisation/lxc-container.nix" - ]; - system.stateVersion = "23.11"; - }) + ( + { modulesPath, ... }: + { + # use virtual machine profile, otherwise file systems need to be defined + imports = [ "${modulesPath}/virtualisation/lxc-container.nix" ]; + system.stateVersion = "23.11"; + } + ) ]; }; }; diff --git a/flake-modules/default.nix b/flake-modules/default.nix index 4c26216..4bfe2aa 100644 --- a/flake-modules/default.nix +++ b/flake-modules/default.nix @@ -3,7 +3,8 @@ lib, lib', ... -}: let +}: +let system = "x86_64-linux"; pkgs = import inputs.nixpkgs { inherit system; @@ -13,24 +14,25 @@ }; overlays = lib.singleton ( final: prev: { - apptainer = prev.apptainer.override { - enableNvidiaContainerCli = false; - }; + apptainer = prev.apptainer.override { enableNvidiaContainerCli = false; }; system-manager = inputs.system-manager.packages.${system}.default; } ); }; -in { +in +{ imports = lib'.flocken.getModules ./.; systems = lib.singleton system; _module.args = { inherit system pkgs; }; - perSystem = {config, ...}: { - _module.args = { - inherit pkgs; + perSystem = + { config, ... }: + { + _module.args = { + inherit pkgs; + }; + packages.default = config.packages.install; + checks = config.packages; }; - packages.default = config.packages.install; - checks = config.packages; - }; } diff --git a/flake-modules/images.nix b/flake-modules/images.nix index 32e4f35..bab861e 100644 --- a/flake-modules/images.nix +++ b/flake-modules/images.nix @@ -1,17 +1,12 @@ -{...}: { - perSystem = { - config, - pkgs, - ... - }: { - packages = { - image-base = pkgs.callPackage ../images/base.nix {}; - image-jupyter = pkgs.callPackage ../images/jupyter.nix { - base = config.packages.image-base; - }; - image-poetry = pkgs.callPackage ../images/poetry.nix { - base = config.packages.image-base; +{ ... }: +{ + perSystem = + { config, pkgs, ... }: + { + packages = { + image-base = pkgs.callPackage ../images/base.nix { }; + image-jupyter = pkgs.callPackage ../images/jupyter.nix { base = config.packages.image-base; }; + image-poetry = pkgs.callPackage ../images/poetry.nix { base = config.packages.image-base; }; }; }; - }; } diff --git a/flake-modules/scripts.nix b/flake-modules/scripts.nix index ddd6ce3..00150b5 100644 --- a/flake-modules/scripts.nix +++ b/flake-modules/scripts.nix @@ -1,52 +1,48 @@ +{ lib, self, ... }: { - lib, - self, - ... -}: { - perSystem = { - pkgs, - config, - ... - }: let - manager = lib.getExe' pkgs.system-manager "system-manager"; - in { - packages = { - manager = pkgs.system-manager; - install = pkgs.writeShellApplication { - name = "system-manager-rebuild"; - text = '' - set -x #echo on - exec ${manager} "''${1:-switch}" --flake ${self} "''${@:2}" - ''; - }; - uninstall = pkgs.writeShellApplication { - name = "system-manager-uninstall"; - text = '' - set -x #echo on - exec ${manager} deactivate "''$@" - ''; - }; - setup = pkgs.writeShellApplication { - name = "system-manager-setup"; - text = '' - # only root possible - if [ "$(id -u)" -ne 0 ]; then - echo "This script must be run as root" >&2 - exit 1 - fi - set -x #echo on - # set up nix - cp -f ${../etc/nix.conf} /etc/nix/nix.conf - systemctl restart nix-daemon - # set up cuda support for oci engines like podman - nvidia-ctk cdi generate --output=/etc/cdi/nvidia.yaml - chmod -R 755 /etc/cdi - # set compute mode to exclusive process (https://stackoverflow.com/a/50056586) - nvidia-smi -c 3 - # disable default motd - chmod -x /etc/update-motd.d/* - ''; + perSystem = + { pkgs, config, ... }: + let + manager = lib.getExe' pkgs.system-manager "system-manager"; + in + { + packages = { + manager = pkgs.system-manager; + install = pkgs.writeShellApplication { + name = "system-manager-rebuild"; + text = '' + set -x #echo on + exec ${manager} "''${1:-switch}" --flake ${self} "''${@:2}" + ''; + }; + uninstall = pkgs.writeShellApplication { + name = "system-manager-uninstall"; + text = '' + set -x #echo on + exec ${manager} deactivate "''$@" + ''; + }; + setup = pkgs.writeShellApplication { + name = "system-manager-setup"; + text = '' + # only root possible + if [ "$(id -u)" -ne 0 ]; then + echo "This script must be run as root" >&2 + exit 1 + fi + set -x #echo on + # set up nix + cp -f ${../etc/nix.conf} /etc/nix/nix.conf + systemctl restart nix-daemon + # set up cuda support for oci engines like podman + nvidia-ctk cdi generate --output=/etc/cdi/nvidia.yaml + chmod -R 755 /etc/cdi + # set compute mode to exclusive process (https://stackoverflow.com/a/50056586) + nvidia-smi -c 3 + # disable default motd + chmod -x /etc/update-motd.d/* + ''; + }; }; }; - }; } diff --git a/flake.nix b/flake.nix index 99b87c0..ce85c5b 100644 --- a/flake.nix +++ b/flake.nix @@ -16,12 +16,13 @@ }; }; - outputs = inputs @ { - self, - nixpkgs, - flake-parts, - ... - }: + outputs = + inputs@{ + self, + nixpkgs, + flake-parts, + ... + }: flake-parts.lib.mkFlake { inherit inputs; specialArgs = { @@ -30,7 +31,5 @@ flocken = inputs.flocken.lib; }; }; - } { - imports = [./flake-modules]; - }; + } { imports = [ ./flake-modules ]; }; } diff --git a/images/base.nix b/images/base.nix index 517cc09..fce3d86 100644 --- a/images/base.nix +++ b/images/base.nix @@ -15,10 +15,10 @@ gcc, nix-ld, name ? "base", - contents ? [], - entrypoint ? ["/bin/sh"], - cmd ? [], - env ? {}, + contents ? [ ], + entrypoint ? [ "/bin/sh" ], + cmd ? [ ], + env ? { }, }: dockerTools.streamLayeredImage { inherit name; @@ -28,7 +28,8 @@ dockerTools.streamLayeredImage { # https://unix.stackexchange.com/a/415028 # the existing LD_LIBRARY_PATH is only appended if it is not empty exportLibraryPath = ''export LD_LIBRARY_PATH="''${NIX_LD_LIBRARY_PATH}''${LD_LIBRARY_PATH:+:''${LD_LIBRARY_PATH}}"''; - wrapLibraryPath = pkg: + wrapLibraryPath = + pkg: writeShellScriptBin (lib.getName pkg) '' ${exportLibraryPath} exec ${lib.getExe pkg} "$@" @@ -50,7 +51,7 @@ dockerTools.streamLayeredImage { (lib.getBin gcc) # https://github.com/Mic92/nix-ld/wiki/Using-with-docker-images # https://github.com/Mic92/nix-ld/issues/60 - (runCommand "nix-ld" {} '' + (runCommand "nix-ld" { } '' install -D -m755 ${nix-ld}/libexec/nix-ld $out/lib64/$(basename ${stdenv.cc.bintools.dynamicLinker}) '') ] @@ -64,7 +65,10 @@ dockerTools.streamLayeredImage { inherit entrypoint cmd; env = lib.mapAttrsToList (k: v: "${k}=${v}") ( { - NIX_LD_LIBRARY_PATH = lib.makeLibraryPath [stdenv.cc.cc zlib]; + NIX_LD_LIBRARY_PATH = lib.makeLibraryPath [ + stdenv.cc.cc + zlib + ]; NIX_LD = stdenv.cc.bintools.dynamicLinker; SHELL = "/bin/sh"; PIP_DISABLE_PIP_VERSION_CHECK = "1"; diff --git a/images/jupyter.nix b/images/jupyter.nix index ebc60c8..ead0761 100644 --- a/images/jupyter.nix +++ b/images/jupyter.nix @@ -3,7 +3,8 @@ writeShellScriptBin, python3, base, -}: let +}: +let venvPath = "./.venv"; venvSetup = writeShellScriptBin "venv" '' @@ -26,30 +27,32 @@ fi ''; - jupyterArgs = lib.cli.toGNUCommandLineShell {} { + jupyterArgs = lib.cli.toGNUCommandLineShell { } { ip = "0.0.0.0"; allow-root = true; no-browser = true; "ServerApp.terminado_settings" = ''shell_command=["/bin/sh"]''; }; - entrypoint = base.passthru.wrapLibraryPath (writeShellScriptBin "entrypoint" '' - ${lib.getExe venvSetup} - exec ${venvPath}/bin/jupyter lab ${jupyterArgs} "$@" - ''); + entrypoint = base.passthru.wrapLibraryPath ( + writeShellScriptBin "entrypoint" '' + ${lib.getExe venvSetup} + exec ${venvPath}/bin/jupyter lab ${jupyterArgs} "$@" + '' + ); in - base.override { - entrypoint = [(lib.getExe entrypoint)]; - env = { - VIRTUAL_ENV = venvPath; - PATH = lib.concatStringsSep ":" [ - "${venvPath}/bin" - "/usr/local/sbin" - "/usr/local/bin" - "/usr/sbin" - "/usr/bin" - "/sbin" - "/bin" - ]; - }; - } +base.override { + entrypoint = [ (lib.getExe entrypoint) ]; + env = { + VIRTUAL_ENV = venvPath; + PATH = lib.concatStringsSep ":" [ + "${venvPath}/bin" + "/usr/local/sbin" + "/usr/local/bin" + "/usr/sbin" + "/usr/bin" + "/sbin" + "/bin" + ]; + }; +} diff --git a/images/poetry.nix b/images/poetry.nix index 3b7a384..263348c 100644 --- a/images/poetry.nix +++ b/images/poetry.nix @@ -2,16 +2,15 @@ lib, poetry, base, -}: let +}: +let poetryWrapper = base.passthru.wrapLibraryPath poetry; in - base.override { - name = "poetry"; - contents = [ - poetryWrapper - ]; - entrypoint = [(lib.getExe poetryWrapper)]; - env = { - POETRY_VIRTUALENVS_IN_PROJECT = "1"; - }; - } +base.override { + name = "poetry"; + contents = [ poetryWrapper ]; + entrypoint = [ (lib.getExe poetryWrapper) ]; + env = { + POETRY_VIRTUALENVS_IN_PROJECT = "1"; + }; +} diff --git a/modules/apptainer.nix b/modules/apptainer.nix index 5966054..78f587e 100644 --- a/modules/apptainer.nix +++ b/modules/apptainer.nix @@ -4,7 +4,8 @@ lib, inputs, ... -}: let +}: +let apptainer = pkgs.writeShellApplication { name = "apptainer"; text = '' @@ -16,7 +17,8 @@ exec ${lib.getExe pkgs.apptainer} "$@" ''; }; -in { +in +{ environment = { systemPackages = [ apptainer diff --git a/modules/default.nix b/modules/default.nix index cef726d..d698a90 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -3,9 +3,11 @@ pkgs, inputs, ... -}: let +}: +let nixglhost = inputs.nixglhost.defaultPackage.${pkgs.system}; -in { +in +{ imports = lib'.flocken.getModules ./.; environment = { systemPackages = with pkgs; [ diff --git a/modules/findgpu.nix b/modules/findgpu.nix index 891d0ce..826fefd 100644 --- a/modules/findgpu.nix +++ b/modules/findgpu.nix @@ -1,11 +1,14 @@ -{pkgs, ...}: let - app = - pkgs.writers.writePython3Bin "findgpu" { - flakeIgnore = ["E203" "E501"]; - } - (builtins.readFile ./findgpu.py); -in { +{ pkgs, ... }: +let + app = pkgs.writers.writePython3Bin "findgpu" { + flakeIgnore = [ + "E203" + "E501" + ]; + } (builtins.readFile ./findgpu.py); +in +{ environment = { - systemPackages = [app]; + systemPackages = [ app ]; }; } diff --git a/modules/images.nix b/modules/images.nix index c85370f..9c71046 100644 --- a/modules/images.nix +++ b/modules/images.nix @@ -3,7 +3,8 @@ pkgs, lib, ... -}: { +}: +{ environment.systemPackages = [ (pkgs.writeShellApplication { # https://github.com/NixOS/nixpkgs/blob/aa9d4729cbc99dabacb50e3994dcefb3ea0f7447/pkgs/build-support/docker/default.nix#L490 diff --git a/modules/podman.nix b/modules/podman.nix index a2126cb..6c23372 100644 --- a/modules/podman.nix +++ b/modules/podman.nix @@ -1,11 +1,8 @@ +{ pkgs, lib, ... }: { - pkgs, - lib, - ... -}: { virtualisation.containers = { enable = true; - registries.search = ["docker.io"]; + registries.search = [ "docker.io" ]; }; environment = { diff --git a/modules/registry.nix b/modules/registry.nix index d4ece12..856339b 100644 --- a/modules/registry.nix +++ b/modules/registry.nix @@ -3,32 +3,36 @@ pkgs, lib, ... -}: let - json = pkgs.formats.json {}; -in { - environment.etc."nix/registry.json".source = lib.mkForce (json.generate "registry.json" { - version = 2; - flakes = [ - { - from = { - type = "indirect"; - id = "nixpkgs"; - }; - to = { - type = "path"; - path = inputs.nixpkgs.outPath; - }; - } - { - from = { - type = "indirect"; - id = "pkgs"; - }; - to = { - type = "path"; - path = inputs.nixpkgs.outPath; - }; - } - ]; - }); +}: +let + json = pkgs.formats.json { }; +in +{ + environment.etc."nix/registry.json".source = lib.mkForce ( + json.generate "registry.json" { + version = 2; + flakes = [ + { + from = { + type = "indirect"; + id = "nixpkgs"; + }; + to = { + type = "path"; + path = inputs.nixpkgs.outPath; + }; + } + { + from = { + type = "indirect"; + id = "pkgs"; + }; + to = { + type = "path"; + path = inputs.nixpkgs.outPath; + }; + } + ]; + } + ); } diff --git a/modules/shell.nix b/modules/shell.nix index e123707..2a4fb03 100644 --- a/modules/shell.nix +++ b/modules/shell.nix @@ -1,24 +1,20 @@ # https://github.com/numtide/system-manager/blob/main/nix/modules/environment.nix # We use config.fish directly since conf.d is not sources by fish built with nix -{ - pkgs, - lib, - ... -}: let +{ pkgs, lib, ... }: +let envVars = { CUDA_VISIBLE_DEVICES = "100"; CUDA_DEVICE_ORDER = "PCI_BUS_ID"; }; -in { +in +{ environment.etc = { # Make sure that no user uses all GPUs accidentally # If device order is not set, nvidia-smi is not consistent with CUDA_VISIBLE_DEVICES "profile.d/posix-config.sh".text = lib.concatLines ( - lib.mapAttrsToList - (name: value: '' + lib.mapAttrsToList (name: value: '' export ${name}="${value}" - '') - envVars + '') envVars ); "fish/config.fish".source = pkgs.writeTextFile { name = "config.fish"; @@ -28,11 +24,9 @@ in { set -gx PATH "/run/system-manager/sw/bin" $PATH '' + lib.concatLines ( - lib.mapAttrsToList - (name: value: '' + lib.mapAttrsToList (name: value: '' set -gx ${name} "${value}" - '') - envVars + '') envVars ); }; }; diff --git a/modules/ssh.nix b/modules/ssh.nix index 19a45ec..8407fab 100644 --- a/modules/ssh.nix +++ b/modules/ssh.nix @@ -1,6 +1,8 @@ -{lib, ...}: let +{ lib, ... }: +let bannerFile = "sshd-banner.txt"; -in { +in +{ environment.etc = { "ssh/sshd_config.d/nixos.conf".text = '' PermitRootLogin no diff --git a/modules/sudo.nix b/modules/sudo.nix index 27939ca..497c375 100644 --- a/modules/sudo.nix +++ b/modules/sudo.nix @@ -1,4 +1,5 @@ -{lib, ...}: let +{ lib, ... }: +let securePaths = [ "/run/system-manager/sw/bin" "/usr/local/sbin" @@ -6,7 +7,8 @@ "/usr/sbin" "/usr/bin" ]; -in { +in +{ environment.etc."sudoers.d/nixos".text = '' Defaults secure_path="${lib.concatStringsSep ":" securePaths}" ''; diff --git a/modules/systemd.nix b/modules/systemd.nix index 9ba075d..36b7da4 100644 --- a/modules/systemd.nix +++ b/modules/systemd.nix @@ -1,8 +1,5 @@ +{ lib, pkgs, ... }: { - lib, - pkgs, - ... -}: { systemd.services = { update-system = { startAt = "*-*-* 04:00:00"; @@ -12,28 +9,30 @@ ''; serviceConfig.Type = "oneshot"; }; - link-cuda = let - source = "/usr/lib/x86_64-linux-gnu"; - target = "/run/opengl-driver/lib"; - in { - enable = true; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; + link-cuda = + let + source = "/usr/lib/x86_64-linux-gnu"; + target = "/run/opengl-driver/lib"; + in + { + enable = true; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + wantedBy = [ "system-manager.target" ]; + script = '' + # Remove old links + ${lib.getExe' pkgs.coreutils "rm"} -rf ${target} + ${lib.getExe' pkgs.coreutils "mkdir"} -p ${target} + # Link all .so files specified in Apptainer + ${lib.getExe pkgs.gnugrep} '\.so$' ${pkgs.apptainer}/etc/apptainer/nvliblist.conf | while read file + do + ${lib.getExe' pkgs.coreutils "ln"} -s ${source}/$file.* ${target} + done + # Remove broken links + ${lib.getExe pkgs.findutils} -L ${target} -maxdepth 1 -type l -delete + ''; }; - wantedBy = ["system-manager.target"]; - script = '' - # Remove old links - ${lib.getExe' pkgs.coreutils "rm"} -rf ${target} - ${lib.getExe' pkgs.coreutils "mkdir"} -p ${target} - # Link all .so files specified in Apptainer - ${lib.getExe pkgs.gnugrep} '\.so$' ${pkgs.apptainer}/etc/apptainer/nvliblist.conf | while read file - do - ${lib.getExe' pkgs.coreutils "ln"} -s ${source}/$file.* ${target} - done - # Remove broken links - ${lib.getExe pkgs.findutils} -L ${target} -maxdepth 1 -type l -delete - ''; - }; }; } diff --git a/modules/tmux.nix b/modules/tmux.nix index adb27cc..a2f8a71 100644 --- a/modules/tmux.nix +++ b/modules/tmux.nix @@ -1,6 +1,7 @@ -{pkgs, ...}: { +{ pkgs, ... }: +{ environment = { - systemPackages = with pkgs; [tmux]; + systemPackages = with pkgs; [ tmux ]; etc."tmux.conf".text = '' new-session ''; diff --git a/modules/users.nix b/modules/users.nix index ad92ad6..9e7aad8 100644 --- a/modules/users.nix +++ b/modules/users.nix @@ -1,16 +1,15 @@ +{ pkgs, lib, ... }: +let + userctl = pkgs.writers.writePython3Bin "userctl" { + libraries = with pkgs.python3Packages; [ typer ]; + flakeIgnore = [ + "E203" + "E501" + ]; + } (builtins.readFile ./userctl.py); +in { - pkgs, - lib, - ... -}: let - userctl = - pkgs.writers.writePython3Bin "userctl" { - libraries = with pkgs.python3Packages; [typer]; - flakeIgnore = ["E203" "E501"]; - } - (builtins.readFile ./userctl.py); -in { environment = { - systemPackages = [userctl]; + systemPackages = [ userctl ]; }; } diff --git a/options/containers.nix b/options/containers.nix index 3d1d2d6..0629aca 100644 --- a/options/containers.nix +++ b/options/containers.nix @@ -4,13 +4,15 @@ lib, pkgs, ... -}: let +}: +let cfg = config.virtualisation.containers; inherit (lib) mkOption types; - toml = pkgs.formats.toml {}; -in { + toml = pkgs.formats.toml { }; +in +{ options.virtualisation.containers = { enable = mkOption { type = types.bool; @@ -22,7 +24,7 @@ in { containersConf.settings = mkOption { type = toml.type; - default = {}; + default = { }; description = lib.mdDoc "containers.conf configuration"; }; @@ -41,14 +43,17 @@ in { registries = { search = mkOption { type = types.listOf types.str; - default = ["docker.io" "quay.io"]; + default = [ + "docker.io" + "quay.io" + ]; description = lib.mdDoc '' List of repositories to search. ''; }; insecure = mkOption { - default = []; + default = [ ]; type = types.listOf types.str; description = lib.mdDoc '' List of insecure repositories. @@ -56,7 +61,7 @@ in { }; block = mkOption { - default = []; + default = [ ]; type = types.listOf types.str; description = lib.mdDoc '' List of blocked repositories. @@ -66,14 +71,12 @@ in { }; config = lib.mkIf cfg.enable { - environment.etc."containers/containers.conf".source = - toml.generate "containers.conf" cfg.containersConf.settings; + environment.etc."containers/containers.conf".source = toml.generate "containers.conf" cfg.containersConf.settings; - environment.etc."containers/storage.conf".source = - toml.generate "storage.conf" cfg.storage.settings; + environment.etc."containers/storage.conf".source = toml.generate "storage.conf" cfg.storage.settings; environment.etc."containers/registries.conf".source = toml.generate "registries.conf" { - registries = lib.mapAttrs (n: v: {registries = v;}) cfg.registries; + registries = lib.mapAttrs (n: v: { registries = v; }) cfg.registries; }; environment.etc."containers/policy.json".source = "${pkgs.skopeo.policy}/default-policy.json"; diff --git a/options/default.nix b/options/default.nix index fee724c..e14468c 100644 --- a/options/default.nix +++ b/options/default.nix @@ -1,3 +1,4 @@ -{lib', ...}: { +{ lib', ... }: +{ imports = lib'.flocken.getModules ./.; }