├── modules ├── jumphost │ ├── .envrc │ ├── inventory │ ├── apply.sh │ ├── README.md │ ├── sshd_config │ └── default.nix ├── ls1-coffee │ ├── .envrc │ ├── inventory │ ├── apply.sh │ └── backup.yaml ├── monitoring │ ├── .envrc │ ├── inventory │ ├── apply.sh │ ├── flake-module.nix │ ├── upgrades.yml │ ├── telegraf.nix │ └── prometheus │ │ └── nginx.nix ├── mosh.nix ├── envfs.nix ├── apple-silicon-support │ ├── default.nix │ └── packages │ │ ├── overlay.nix │ │ ├── linux-asahi │ │ ├── rustc_1.82.0.patch │ │ └── 0001-fs-fcntl-accept-more-values-as-F_DUPFD_CLOEXEC-args.patch │ │ ├── alsa-ucm-conf-asahi │ │ └── default.nix │ │ ├── mesa-asahi-edge │ │ ├── vendor │ │ │ └── darwin.patch │ │ └── default.nix │ │ ├── bankstown-lv2 │ │ └── default.nix │ │ ├── asahi-fwextract │ │ └── default.nix │ │ ├── asahi-audio │ │ └── default.nix │ │ ├── speakersafetyd │ │ └── default.nix │ │ └── uboot-asahi │ │ └── default.nix ├── netboot │ ├── zfs.nix │ ├── run-dhcpd.sh │ ├── shell.nix │ ├── test-boot.sh │ ├── default.nix │ ├── dhcpd.conf │ ├── netboot-pixie-core.nix │ └── netboot.nix ├── sshd │ ├── certs │ │ ├── ssh-ca.pub │ │ ├── netboot-cert.pub │ │ ├── doctor-cert.pub │ │ ├── dan-cert.pub │ │ ├── ace-cert.pub │ │ ├── bill-cert.pub │ │ ├── ian-cert.pub │ │ ├── jack-cert.pub │ │ ├── joy-cert.pub │ │ ├── rose-cert.pub │ │ ├── amy-cert.pub │ │ ├── river-cert.pub │ │ ├── ruby-cert.pub │ │ ├── ryan-cert.pub │ │ ├── astrid-cert.pub │ │ ├── graham-cert.pub │ │ ├── mickey-cert.pub │ │ ├── yasmin-cert.pub │ │ ├── donna-cert.pub │ │ ├── eliza-cert.pub │ │ ├── irene-cert.pub │ │ ├── jackson-cert.pub │ │ ├── jamie-cert.pub │ │ ├── login-cert.pub │ │ ├── nardole-cert.pub │ │ ├── tegan-cert.pub │ │ ├── vicki-cert.pub │ │ ├── wilfred-cert.pub │ │ ├── martha-cert.pub │ │ ├── vislor-cert.pub │ │ ├── xavier-cert.pub │ │ ├── adelaide-cert.pub │ │ ├── christina-cert.pub │ │ └── clara-cert.pub │ ├── ssh-ca-sign │ └── default.nix ├── container.nix ├── borgbackup-repos │ ├── nfs-home-borgbackup.pub │ ├── 
nfs-share-borgbackup.pub │ └── default.nix ├── buildbot │ ├── hostfile.nix │ ├── builder.nix │ ├── reverse-proxy.nix │ └── worker.nix ├── ipmi-supermicro.nix ├── postgresql.nix ├── uprobes.nix ├── vfio │ ├── iommu-amd.nix │ └── iommu-intel.nix ├── initrd-network.nix ├── intel-fpgas.nix ├── filesystems-r440.nix ├── zsh.nix ├── linux-ioregionfd.nix ├── cleanup-usr.nix ├── facter.nix ├── nix-index.nix ├── systemd.nix ├── k3s │ ├── test-cluster.nix │ ├── server.nix │ ├── agent.nix │ ├── k3s-reset-node │ └── default.nix ├── fck-spectr.nix ├── swiss-knife │ ├── storage.nix │ ├── default.nix │ └── network.nix ├── hardware │ ├── poweredge-r440.nix │ ├── supermicro-X12SCZ-TLN4F.nix │ ├── mifcom-tower.nix │ ├── poweredge7515.nix │ ├── supermicro-x12spw-tf-disko.nix │ ├── supermicro-AS-4124GS.nix │ ├── supermicro-AS-2015CS.nix │ ├── poweredge-r760.nix │ ├── poweredge-r770.nix │ ├── poweredge7625.nix │ ├── supermicro-120U-TNR.nix │ ├── supermicro-x12spw-tf.nix │ ├── macmini-m1.nix │ ├── morello.nix │ └── supermicro-ARS-211M-NR.nix ├── ci.nix ├── bootloader.nix ├── tinc.nix ├── arm_morello.nix ├── podman.nix ├── lawful-access │ └── util.nix ├── elasticsearch.nix ├── intel_tdx.nix ├── nfs │ └── default.nix ├── tracing.nix ├── amd_sev_svsm.nix ├── amd_sev_svsm_wallet.nix ├── builder.nix ├── register-flake.nix ├── qemu-bridge.nix ├── xrdp.nix ├── docker.nix ├── amd_sev_snp-6.8.nix ├── linux-uintr.nix ├── amd_sev_snp.nix ├── nvidia-jetson-passthru │ ├── bpmp_host_overlay.dts │ └── patches │ │ ├── 0002-vfio_platform-reset-required-false.patch │ │ ├── 0002-Bpmp-host-allows-all-domains.patch │ │ ├── 0002-NOP_PREDEFINED_DTB_MEMORY.patch │ │ └── 0003-Print-irqs.patch ├── coyote.nix ├── amd_sev_snp-vanilla.nix ├── users │ ├── devices.nix │ └── default.nix ├── nvidia.nix ├── xilinx.nix ├── auto-upgrade.nix ├── disko-ext4.nix ├── nix-ld.nix ├── scratch-space.nix ├── yasmin-hardware.nix ├── amd_sev.nix ├── packages.nix ├── nvidia-orin-agx.nix ├── dax.nix └── nix-daemon.nix ├── ci.nix ├── 
terraform ├── github-permissions │ ├── apply.sh │ ├── secrets.tf │ ├── backend.tf │ ├── README.md │ ├── providers.tf │ ├── bots.tf │ ├── sys-prog-tutors.tf │ ├── chair-members.tf │ └── adv-sys-prog-tutors.tf ├── repo-mirrors │ ├── secrets.tf │ ├── org.tf │ ├── apply.sh │ ├── providers.tf │ ├── backend.tf │ ├── repository-dispatch.tf │ └── repo-mirror.tf ├── modules │ └── github-push-bot │ │ ├── providers.tf │ │ ├── variables.tf │ │ └── main.tf ├── .envrc.local-template ├── .envrc ├── README.md └── shell.nix ├── pkgs ├── intel-fpgas │ ├── opencl-drivers │ │ ├── 99-aclpci_s10_ref.rules │ │ └── default.nix │ └── cable-drivers │ │ ├── 51-usbblaster.rules │ │ └── default.nix ├── xilinx │ ├── sfc-dkms-shell.nix │ ├── cable-drivers │ │ ├── default.nix │ │ └── 52-xilinx-pcusb.rules │ ├── xntools-core.nix │ ├── firmware.nix │ ├── firmware-sn1000.nix │ ├── xrt-drivers.nix │ └── sfc-driver.nix ├── sgx-enable │ └── default.nix ├── install-iso │ ├── default.nix │ └── nix-settings.nix ├── kernels │ ├── zfs-tdx.patch │ ├── linux-ioregionfd-5.15.nix │ ├── linux-ioregionfd-5.19.nix │ ├── linux-ioregionfd-5.14.nix │ └── linux-uintr.nix ├── linux-sgx-driver │ └── default.nix ├── kata-runtime │ ├── default.nix │ └── kata-runtimes.nix ├── musl-morello-purecap │ └── default.nix ├── graphene-sgx-driver │ └── default.nix ├── ipmctl.nix ├── clang-morello │ └── default.nix └── llvm-morello-purecap │ └── default.nix ├── repl.nix ├── .github ├── dependabot.yml └── workflows │ ├── auto-merge.yaml │ ├── check-expired-students.yml │ └── update-flake-inputs.yml ├── .gitignore ├── .envrc ├── templates ├── default.nix └── home-manager │ ├── home.nix │ └── flake.nix ├── hosts ├── xavier.nix ├── ian.nix ├── christina.nix ├── river.nix ├── yasmin.nix ├── ace.nix ├── adelaide.nix ├── astrid.nix ├── jack.nix ├── wilfred.nix ├── jamie.nix ├── eliza.nix ├── vislor.nix ├── joy.nix ├── martha.nix ├── irene.nix ├── dan.nix ├── ruby.nix ├── mickey.nix ├── nardole.nix ├── clara.nix ├── jackson.nix ├── bill.nix 
├── vicki.nix ├── tegan.nix ├── amy.nix ├── rose.nix └── graham.nix ├── docs ├── mte-supermicro.md ├── DNSMASQ.md ├── WIKIS.md ├── get-lldp-neighbors.sh ├── morello.md ├── generate-host-info.sh ├── gen-ssh-config.sh ├── DNSMASQ_UBUNTU.md ├── gpu.md ├── doctor-vms.md ├── inventory_numbers.md └── adric.md ├── devShells └── flake-module.nix └── home └── .config └── nixpkgs └── home.nix /modules/jumphost/.envrc: -------------------------------------------------------------------------------- 1 | ../monitoring/.envrc -------------------------------------------------------------------------------- /modules/jumphost/inventory: -------------------------------------------------------------------------------- 1 | login.dos.cit.tum.de 2 | -------------------------------------------------------------------------------- /modules/ls1-coffee/.envrc: -------------------------------------------------------------------------------- 1 | use flake .#ansible 2 | -------------------------------------------------------------------------------- /modules/monitoring/.envrc: -------------------------------------------------------------------------------- 1 | use flake .#ansible 2 | -------------------------------------------------------------------------------- /modules/mosh.nix: -------------------------------------------------------------------------------- 1 | { programs.mosh.enable = true; } 2 | -------------------------------------------------------------------------------- /ci.nix: -------------------------------------------------------------------------------- 1 | (builtins.getFlake (toString ./.)).hydraJobs 2 | -------------------------------------------------------------------------------- /modules/ls1-coffee/inventory: -------------------------------------------------------------------------------- 1 | ls1-coffee.dse.cit.tum.de 2 | -------------------------------------------------------------------------------- /modules/monitoring/inventory: 
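-------------------------------------------------------------------------------- 1 | monitoring.dos.cit.tum.de 2 | -------------------------------------------------------------------------------- /terraform/github-permissions/apply.sh: -------------------------------------------------------------------------------- 1 | ../repo-mirrors/apply.sh -------------------------------------------------------------------------------- /terraform/github-permissions/secrets.tf: -------------------------------------------------------------------------------- 1 | ../repo-mirrors/secrets.tf -------------------------------------------------------------------------------- /modules/jumphost/apply.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash
# Apply the Ansible playbook to the internet-facing jump host. Per README.md
# this script is the only record of what was changed on the RBG-provided VM,
# so abort on any failure rather than leaving a half-applied sshd change.
set -euo pipefail

# NOTE(review): sshd_setup.yml does not appear under modules/jumphost in the
# repository tree (which lists sshd_config and default.nix); confirm the
# playbook path before relying on this script to reproduce the host.
ansible-playbook -i inventory sshd_setup.yml
-------------------------------------------------------------------------------- /modules/ls1-coffee/apply.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash
# Apply the backup playbook to the host(s) listed in ./inventory.
set -euo pipefail

ansible-playbook -i inventory backup.yaml
-------------------------------------------------------------------------------- /modules/monitoring/apply.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash
# Apply the upgrades playbook to the host(s) listed in ./inventory.
set -euo pipefail

ansible-playbook -i inventory upgrades.yml
-------------------------------------------------------------------------------- /modules/envfs.nix: -------------------------------------------------------------------------------- 1 | { lib, ... 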
}: 2 | { 3 | services.envfs.enable = lib.mkDefault false; # envfs is broken 4 | } 5 | -------------------------------------------------------------------------------- /terraform/repo-mirrors/secrets.tf: -------------------------------------------------------------------------------- 1 | data "sops_file" "secrets" { 2 | source_file = "../secrets.enc.json" 3 | } 4 | -------------------------------------------------------------------------------- /pkgs/intel-fpgas/opencl-drivers/99-aclpci_s10_ref.rules: -------------------------------------------------------------------------------- 1 | KERNEL=="acls10_ref*", SUBSYSTEM=="aclpci_s10_ref", MODE="0666" 2 | -------------------------------------------------------------------------------- /modules/apple-silicon-support/default.nix: -------------------------------------------------------------------------------- 1 | { ... }: 2 | 3 | { 4 | imports = [ 5 | ./modules/default.nix 6 | ]; 7 | } 8 | -------------------------------------------------------------------------------- /modules/netboot/zfs.nix: -------------------------------------------------------------------------------- 1 | { ... }: 2 | { 3 | boot.supportedFilesystems = [ "zfs" ]; 4 | networking.hostId = "ac174b52"; 5 | } 6 | -------------------------------------------------------------------------------- /modules/sshd/certs/ssh-ca.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPcaLmompPPzIxv0e3ev3ywkinHZ38bAaRD8JA/s2Zz6 ca@thalheim.io 2 | -------------------------------------------------------------------------------- /modules/container.nix: -------------------------------------------------------------------------------- 1 | { modulesPath, ... 
}: 2 | { 3 | imports = [ "${toString modulesPath}/virtualisation/lxc-container.nix" ]; 4 | } 5 | -------------------------------------------------------------------------------- /modules/borgbackup-repos/nfs-home-borgbackup.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIZH5Zg3qILbWW5X8bLZHe4+3xjkFWqMvoNq4tqLkJwN joerg@turingmachine 2 | -------------------------------------------------------------------------------- /modules/buildbot/hostfile.nix: -------------------------------------------------------------------------------- 1 | { 2 | networking.extraHosts = '' 3 | # bills address 4 | 2a09:80c0:102::11 buildbot-master 5 | ''; 6 | } 7 | -------------------------------------------------------------------------------- /modules/borgbackup-repos/nfs-share-borgbackup.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHX3oHyjFtFRMYJ6UZky5NIayeIALpANZWgrwTrbR9kK joerg@turingmachine 2 | -------------------------------------------------------------------------------- /modules/netboot/run-dhcpd.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | set -euo pipefail 3 | 4 | # assumes that virbr0 is the VM bridge 5 | dhcpd -d -cf dhcpd.conf virbr0 6 | -------------------------------------------------------------------------------- /repl.nix: -------------------------------------------------------------------------------- 1 | # USAGE: nix repl ./repl.nix --argstr hostname 2 | { hostname }: (builtins.getFlake (toString ./.)).nixosConfigurations.${hostname} 3 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | updates: 3 | - package-ecosystem: "github-actions" 4 | directory: "/" 5 | schedule: 6 | interval: "weekly" 
7 | -------------------------------------------------------------------------------- /modules/ipmi-supermicro.nix: -------------------------------------------------------------------------------- 1 | { 2 | # supermicro uses ttyS1 for SOL 3 | boot.kernelParams = [ 4 | "console=ttyS1,115200n8" 5 | "console=tty1" 6 | ]; 7 | } 8 | -------------------------------------------------------------------------------- /terraform/repo-mirrors/org.tf: -------------------------------------------------------------------------------- 1 | resource "gitlab_group" "tum_dse" { 2 | name = "TUM-DSE" 3 | path = "TUM-DSE" 4 | visibility_level = "public" 5 | } 6 | -------------------------------------------------------------------------------- /terraform/modules/github-push-bot/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | github = { 4 | source = "integrations/github" 5 | } 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /modules/postgresql.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... 
}: 2 | { 3 | services.postgresql.enable = true; 4 | services.postgresql.package = pkgs.postgresql_14; 5 | services.postgresqlBackup.enable = true; 6 | } 7 | -------------------------------------------------------------------------------- /terraform/.envrc.local-template: --------------------------------------------------------------------------------
1 | # Generate and add Github token from here: https://github.com/settings/tokens
2 | # Give access to `repo` and all `admin:` scopes
# NOTE(review): `repo` plus every `admin:` scope is a full-control classic PAT
# for every organisation this account belongs to. Prefer a fine-grained token
# restricted to the TUM-DSE org (the owner set in providers.tf) with an expiry,
# keep .envrc.local uncommitted (it is listed in .gitignore), and revoke the
# token if the shell environment ever leaks — the github provider sets no
# token itself and presumably reads this variable from the environment.
3 | export GITHUB_TOKEN=
4 | -------------------------------------------------------------------------------- /modules/uprobes.nix: -------------------------------------------------------------------------------- 1 | { 2 | boot.kernelPatches = [ 3 | { 4 | name = "uprobes"; 5 | patch = null; 6 | extraConfig = "CONFIG_UPROBE_EVENTS y"; 7 | } 8 | ]; 9 | } 10 | -------------------------------------------------------------------------------- /terraform/.envrc: -------------------------------------------------------------------------------- 1 | use nix 2 | 3 | if [[ -f .envrc.local ]]; then 4 | source .envrc.local 5 | else 6 | echo "copy .envrc.local-template to .envrc.local and follow the instructions in this file" 7 | fi 8 | -------------------------------------------------------------------------------- /terraform/README.md: -------------------------------------------------------------------------------- 1 | # Terraform configuration to manage github/gitlab orgs 2 | 3 | To apply terraform updates first copy `.envrc.local-template` to `.envrc.local` 4 | and read the instructions in this file. 
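5 | -------------------------------------------------------------------------------- /.gitignore: --------------------------------------------------------------------------------
1 | host-configuration.nix
2 | .direnv
3 | terraform/.envrc.local
4 | terraform/.terraform/
5 | terraform/github-permissions/.terraform/
6 | terraform.tfstate.backup
# NOTE(review): .terraform.lock.hcl records the provider checksums terraform
# verified on the last init; committing it is what pins the provider supply
# chain. Ignoring it (and deleting it in repo-mirrors/apply.sh) means every
# run re-resolves and trusts whatever the registry serves — consider
# un-ignoring it. Also note only terraform.tfstate.backup is ignored: should a
# run ever fall back to local state, terraform.tfstate would hold the GitLab
# token from secrets.tf in clear and is not ignored.
7 | .terraform.lock.hcl
8 | __pycache__
9 | -------------------------------------------------------------------------------- /modules/vfio/iommu-amd.nix: -------------------------------------------------------------------------------- 1 | { 2 | imports = [ ./. ]; 3 | 4 | virtualisation = { 5 | vfio = { 6 | enable = true; 7 | iommuType = "amd"; 8 | iommuDebugFs = true; 9 | }; 10 | }; 11 | } 12 | -------------------------------------------------------------------------------- /modules/netboot/shell.nix: --------------------------------------------------------------------------------
# Dev shell for exercising the netboot setup locally (run-dhcpd.sh and
# test-boot.sh next to this file).
{
  # The `<nixpkgs>` lookup was lost when the page was rendered (angle brackets
  # stripped); `import { }` does not evaluate, so the path is restored here.
  pkgs ? import <nixpkgs> { },
}:
with pkgs;
mkShellNoCC {
  buildInputs = [
    qemu_kvm
    dhcp
  ];
  # to test efi netboot
  OVMF = OVMF.fd;
}
-------------------------------------------------------------------------------- /.envrc: -------------------------------------------------------------------------------- 1 | if ! has nix_direnv_version || ! 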
nix_direnv_version 3.0.6; then 2 | source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.6/direnvrc" "sha256-RYcUJaRMf8oF5LznDrlCXbkOQrywm0HDv1VjYGaJGdM=" 3 | fi 4 | 5 | use flake 6 | -------------------------------------------------------------------------------- /modules/initrd-network.nix: --------------------------------------------------------------------------------
# Bring up networking and an SSH server inside the initrd so a host can be
# reached (to unlock or debug) before the real system has started.
1 | {
2 | boot.initrd.network = {
3 | enable = true;
4 | ssh = {
5 | enable = true;
# A separate port so clients do not mix up the initrd host key with the
# host's regular sshd on 22.
6 | port = 2222;
# NOTE(review): NixOS copies this key into the initrd, so it lives under /boot
# with whatever protection that partition has; this module sets no
# authorizedKeys, so who may log in here must be configured elsewhere —
# confirm both before enabling on a host.
7 | hostKeys = [ "/etc/ssh/ssh_host_ed25519_key" ];
8 | };
9 | };
10 | }
11 | -------------------------------------------------------------------------------- /modules/vfio/iommu-intel.nix: -------------------------------------------------------------------------------- 1 | { ... }: 2 | { 3 | imports = [ ./. ]; 4 | 5 | virtualisation = { 6 | vfio = { 7 | enable = true; 8 | iommuType = "intel"; 9 | iommuDebugFs = true; 10 | }; 11 | }; 12 | } 13 | -------------------------------------------------------------------------------- /pkgs/intel-fpgas/cable-drivers/51-usbblaster.rules: --------------------------------------------------------------------------------
1 | # Intel FPGA Download Cable II
# NOTE(review): MODE 0666 makes the programmer world-read/writable, so every
# local account on a shared host can reprogram any attached FPGA. If these
# hosts are multi-user, prefer GROUP="<fpga group>", MODE="0660" (or
# TAG+="uaccess" for the seat owner) instead.
2 | SUBSYSTEMS=="usb", ATTRS{idVendor}=="09fb", ATTRS{idProduct}=="6010", MODE="0666"
3 | SUBSYSTEMS=="usb", ATTRS{idVendor}=="09fb", ATTRS{idProduct}=="6810", MODE="0666"
4 | -------------------------------------------------------------------------------- /terraform/modules/github-push-bot/variables.tf: -------------------------------------------------------------------------------- 1 | variable "org_name" { 2 | type = string 3 | description = "Organisation name where to invite the bot to." 4 | } 5 | variable "bot_github_token" { 6 | type = string 7 | description = "Github token of the bot." 
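# Mark the bot token as sensitive so terraform redacts it from plan/apply
# output instead of echoing it to the console and CI logs.
sensitive = true
8 | }
9 | -------------------------------------------------------------------------------- /terraform/repo-mirrors/apply.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash
# Initialise the backend with the GitLab token from sops and apply this
# directory's terraform configuration (github-permissions/apply.sh symlinks here).
set -euo pipefail

# Drop only the provider/plugin cache. .terraform.lock.hcl is kept on purpose:
# it records the provider checksums verified last time, so init rejects a
# substituted provider instead of silently re-resolving from the registry.
rm -Rf .terraform
# The backend password is the GitLab token. Pass it through the environment,
# not as a -backend-config argument: command-line arguments are readable by
# every local user via ps / /proc/*/cmdline, environment variables are not.
# TF_HTTP_PASSWORD is the http backend's variable (inferred from the
# `password` backend-config key used previously — confirm against backend.tf).
TF_HTTP_PASSWORD=$(sops -d --output-type dotenv --extract '["GITLAB_TOKEN"]' ../secrets.enc.json)
export TF_HTTP_PASSWORD
terraform init
terraform apply
-------------------------------------------------------------------------------- /modules/intel-fpgas.nix: -------------------------------------------------------------------------------- 1 | { self, pkgs, ... }: 2 | let 3 | packages = self.packages.${pkgs.system}; 4 | in 5 | { 6 | config = { 7 | services.udev.packages = [ 8 | packages.intel-cable-drivers 9 | packages.intel-opencl-drivers 10 | ]; 11 | }; 12 | } 13 | -------------------------------------------------------------------------------- /modules/jumphost/README.md: -------------------------------------------------------------------------------- 1 | # SSH jump host 2 | 3 | We have a VM from RBG that is reachable via SSH from the internet. It's ubuntu 4 | based as provided by RBG; all modifications that have been made to it are in `apply.sh`. 5 | Astrid is configured to upload ssh keys to the `tunnel` user. 6 | -------------------------------------------------------------------------------- /modules/monitoring/flake-module.nix: -------------------------------------------------------------------------------- 1 | { 2 | perSystem = 3 | { pkgs, ... 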
}: 4 | { 5 | devShells.ansible = pkgs.mkShellNoCC { 6 | buildInputs = [ 7 | pkgs.bashInteractive 8 | pkgs.ansible 9 | ]; 10 | }; 11 | }; 12 | } 13 | -------------------------------------------------------------------------------- /modules/filesystems-r440.nix: -------------------------------------------------------------------------------- 1 | { 2 | fileSystems."/" = { 3 | device = "zroot/root/nixos"; 4 | fsType = "zfs"; 5 | }; 6 | 7 | fileSystems."/boot" = { 8 | device = "/dev/disk/by-label/NIXOS_BOOT"; 9 | fsType = "vfat"; 10 | options = [ "nofail" ]; 11 | }; 12 | } 13 | -------------------------------------------------------------------------------- /modules/zsh.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... }: 2 | { 3 | programs.zsh.enable = true; 4 | programs.zsh.enableCompletion = true; 5 | programs.zsh.enableGlobalCompInit = false; 6 | programs.zsh.interactiveShellInit = '' 7 | source ${pkgs.zsh-nix-shell}/share/zsh-nix-shell/nix-shell.plugin.zsh 8 | ''; 9 | } 10 | -------------------------------------------------------------------------------- /modules/netboot/test-boot.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | set -euo pipefail 3 | 4 | # VM to simulate netboot 5 | qemu-system-x86_64 \ 6 | -enable-kvm \ 7 | -nographic \ 8 | -m 4096 \ 9 | -boot n \ 10 | -bios "${OVMF}/FV/OVMF.fd" \ 11 | -net nic \ 12 | -net tap,ifname=tap0,script=no,downscript=no 13 | -------------------------------------------------------------------------------- /templates/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | flake.templates = { 3 | project = { 4 | path = ./project-template; 5 | description = "A basic make project with gcc"; 6 | }; 7 | home-manager = { 8 | path = ./home-manager; 9 | description = "A home-manager example"; 10 | }; 11 | }; 12 | } 13 | 
-------------------------------------------------------------------------------- /modules/linux-ioregionfd.nix: -------------------------------------------------------------------------------- 1 | { pkgs, lib, ... }: 2 | let 3 | linux_ioregionfd = pkgs.callPackage ../pkgs/kernels/linux-ioregionfd-5.15.nix { }; 4 | linuxPackages_ioregionfd = pkgs.recurseIntoAttrs (pkgs.linuxPackagesFor linux_ioregionfd); 5 | in 6 | { 7 | boot.kernelPackages = lib.mkForce linuxPackages_ioregionfd; 8 | } 9 | -------------------------------------------------------------------------------- /pkgs/xilinx/sfc-dkms-shell.nix: -------------------------------------------------------------------------------- 1 | with import { }; 2 | let 3 | kernel = linuxPackages.kernel; 4 | in 5 | stdenv.mkDerivation { 6 | name = "env"; 7 | buildInputs = linux.moduleBuildDependencies; 8 | KERNELDIR = "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"; 9 | hardeningDisable = [ "all" ]; 10 | } 11 | -------------------------------------------------------------------------------- /modules/cleanup-usr.nix: -------------------------------------------------------------------------------- 1 | { 2 | # clean-up mess created by `sudo make install` 3 | systemd.tmpfiles.rules = [ 4 | "R /usr/include/ - - - - -" 5 | "R /usr/lib/ - - - - -" 6 | "R /usr/local/ - - - - -" 7 | "R /usr/sbin/ - - - - -" 8 | "R /usr/share/ - - - - -" 9 | "R /usr/libexec/ - - - - -" 10 | ]; 11 | } 12 | -------------------------------------------------------------------------------- /modules/facter.nix: -------------------------------------------------------------------------------- 1 | { config, inputs, lib, ... 
}: 2 | let 3 | report = ../hosts + "/${config.networking.hostName}-facter.json"; 4 | in 5 | { 6 | imports = [ 7 | inputs.nixos-facter-modules.nixosModules.facter 8 | ]; 9 | 10 | config = { 11 | facter.reportPath = lib.mkIf (builtins.pathExists report) report; 12 | }; 13 | } 14 | -------------------------------------------------------------------------------- /modules/nix-index.nix: -------------------------------------------------------------------------------- 1 | { pkgs, inputs, ... }: 2 | { 3 | 4 | imports = [ inputs.nix-index-database.nixosModules.nix-index ]; 5 | # we don't have a pre-built database for this platform 6 | programs.nix-index.enable = pkgs.stdenv.system != "riscv64-linux"; 7 | programs.nix-index-database.comma.enable = pkgs.stdenv.system != "riscv64-linux"; 8 | } 9 | -------------------------------------------------------------------------------- /terraform/shell.nix: -------------------------------------------------------------------------------- 1 | with import (builtins.getFlake (toString ../.)).inputs.nixpkgs { }; 2 | mkShellNoCC { 3 | nativeBuildInputs = [ 4 | bashInteractive 5 | sops 6 | gnupg 7 | (pkgs.terraform.withPlugins ( 8 | p: [ 9 | p.gitlab 10 | p.github 11 | p.sops 12 | ] 13 | )) 14 | ]; 15 | } 16 | -------------------------------------------------------------------------------- /modules/systemd.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... }: 2 | { 3 | # we don't really have services that need a long shutdown. 4 | systemd.extraConfig = '' 5 | DefaultTimeoutStopSec = 20s 6 | ''; 7 | 8 | # allow scheduling of jobs at arbitrary times 9 | # (atd doesnt build for riscv64-linux) 10 | services.atd.enable = !(pkgs.stdenv.hostPlatform.isRiscV64); 11 | } 12 | -------------------------------------------------------------------------------- /modules/k3s/test-cluster.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... 
}: 2 | { 3 | services.k3s.serverAddr = lib.mkIf ( 4 | config.services.k3s.role == "agent" 5 | ) "https://astrid.dos.cit.tum.de:6443"; 6 | 7 | sops.secrets.k3s-test-cluster-server-token.sopsFile = ./secrets.yml; 8 | services.k3s.tokenFile = config.sops.secrets.k3s-test-cluster-server-token.path; 9 | } 10 | -------------------------------------------------------------------------------- /modules/buildbot/builder.nix: --------------------------------------------------------------------------------
# Account the buildbot master logs into over SSH to run builds on this host.
1 | {
2 | users.extraUsers.buildbot-worker = {
3 | isNormalUser = true;
4 | home = "/var/lib/buildbot-worker";
5 | openssh.authorizedKeys.keys = [
6 | "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/yryxd93+2KkqhCaJIjXf48jPre3HnHyvHz/aQPlHt"
7 | ];
8 | uid = 5003;
9 | };
# NOTE(review): a nix trusted user may override daemon settings (substituters,
# trusted-public-keys, sandbox) and is generally treated as root-equivalent on
# the machine. The SSH key above is therefore effectively a root credential on
# every host importing this module; keep it on the buildbot master only and
# rotate it if that host is ever compromised.
10 | nix.settings.trusted-users = [ "buildbot-worker" ];
11 | }
12 | -------------------------------------------------------------------------------- /modules/fck-spectr.nix: -------------------------------------------------------------------------------- 1 | { 2 | # It may leak your data, but look how FAST it is!1!! 
3 | # https://make-linux-fast-again.com/
# NOTE(review): this disables every CPU side-channel mitigation (Spectre v1/v2,
# Meltdown/PTI, L1TF, MDS, speculative store bypass, and `mitigations=off` as a
# catch-all). Only import it on single-tenant benchmark hosts — never on a
# machine that runs other users' VMs or the SEV/TDX confidential guests this
# tree also configures, because the host/guest boundary is exactly what these
# mitigations protect.
4 | boot.kernelParams = [
5 | "noibrs"
6 | "noibpb"
7 | "nopti"
8 | "nospectre_v2"
9 | "nospectre_v1"
10 | "l1tf=off"
11 | "nospec_store_bypass_disable"
12 | "no_stf_barrier"
13 | "mds=off"
14 | "mitigations=off"
15 | ];
16 | }
17 | -------------------------------------------------------------------------------- /pkgs/sgx-enable/default.nix: -------------------------------------------------------------------------------- 1 | { stdenv 2 | , fetchFromGitHub 3 | , 4 | }: 5 | stdenv.mkDerivation rec { 6 | pname = "sgx-enable"; 7 | version = "0.0.1"; 8 | src = fetchFromGitHub { 9 | owner = "Mic92"; 10 | repo = "sgx-enable"; 11 | rev = version; 12 | sha256 = "193qmafnzhx6mkq9x9wh758pbrl1w6w0axndbijrnrmr6g4dvshr"; 13 | }; 14 | installFlags = [ "PREFIX=${placeholder "out"}" ]; 15 | } 16 | -------------------------------------------------------------------------------- /.github/workflows/auto-merge.yaml: --------------------------------------------------------------------------------
1 | name: Auto Merge Dependency Updates
2 | on:
# NOTE(review): pull_request_target runs in the base repository's context with
# a write-capable token, for PRs from any fork. Confirm the action below only
# merges PRs from the expected bot authors (dependabot / presumably the
# update-flake-inputs workflow) and never checks out or executes PR-controlled
# code.
3 | - pull_request_target
4 | jobs:
5 | auto-merge-dependency-updates:
6 | runs-on: ubuntu-latest
7 | permissions:
8 | contents: write
9 | pull-requests: write
10 | concurrency:
11 | group: "auto-merge:${{ github.head_ref }}"
12 | cancel-in-progress: true
13 | steps:
# NOTE(review): `@main` is a mutable ref — anyone who can push to that branch
# changes what runs here with contents: write. Pin to a full commit SHA
# (`uses: Mic92/auto-merge@<sha>  # vX.Y`); the github-actions ecosystem in
# .github/dependabot.yml will keep a SHA pin current.
14 | - uses: Mic92/auto-merge@main
15 | -------------------------------------------------------------------------------- /hosts/xavier.nix: -------------------------------------------------------------------------------- 1 | { 2 | imports = [ 3 | ../modules/hardware/poweredge-r760.nix 4 | ../modules/nfs/client.nix 5 | ../modules/linux-uintr.nix 6 | ]; 7 | 8 | disko.rootDisk = "/dev/disk/by-id/nvme-SAMSUNG_MZQL23T8HCLS-00A07_S64HNN0W800552"; 9 | 10 | simd.arch = "sapphirerapids"; 11 | 12 | networking.hostName = "xavier"; 13 | 14 | system.stateVersion = "23.05"; 15 | powerManagement.cpuFreqGovernor = "performance"; 16 | } 17 | 
-------------------------------------------------------------------------------- /modules/swiss-knife/storage.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... }: 2 | { 3 | # also create an lvm with space for each team! 4 | # This is where teams can mount stuff to. 5 | systemd.tmpfiles.rules = 6 | let 7 | loginUsers = lib.filterAttrs ( 8 | _n: v: v.isNormalUser && lib.hasPrefix "team" v.name 9 | ) config.users.users; 10 | in 11 | (lib.mapAttrsToList (n: _v: "d /mnt/swissknife/${n} 0755 ${n} users -") loginUsers); 12 | } 13 | -------------------------------------------------------------------------------- /terraform/repo-mirrors/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | gitlab = { 4 | source = "gitlabhq/gitlab" 5 | } 6 | github = { 7 | source = "integrations/github" 8 | } 9 | sops = { 10 | source = "carlpett/sops" 11 | } 12 | } 13 | } 14 | 15 | provider "github" { 16 | owner = "TUM-DSE" 17 | } 18 | 19 | provider "gitlab" { 20 | token = data.sops_file.secrets.data["GITLAB_TOKEN"] 21 | } 22 | -------------------------------------------------------------------------------- /docs/mte-supermicro.md: -------------------------------------------------------------------------------- 1 | # Enabling MTE on the Supermicro ARS-211M-NR 2 | 3 | MTE is available on the Ampere-1a (AmpereOne AC04), but not on the Ampere-1 (AmpereOne AC03). 4 | Supermicro disables this feature by default. To enable it, boot into the UEFI shell (reboot, press F11, then select the builtin EFI shell). 5 | There, run the following command: 6 | 7 | ```shell 8 | nvparam -s NVPDBOOT -i 56 -w 0x1 9 | ``` 10 | 11 | Then, reboot the system. 
12 | 13 | -------------------------------------------------------------------------------- /pkgs/install-iso/default.nix: -------------------------------------------------------------------------------- 1 | { self, pkgs, ... }: 2 | 3 | let 4 | defaultModule = { ... }: { 5 | imports = [ 6 | ./base-config.nix 7 | ./nix-settings.nix 8 | self.inputs.sops-nix.nixosModules.default 9 | ]; 10 | _module.args.inputs = self.inputs; 11 | }; 12 | in 13 | self.inputs.nixos-generators.nixosGenerate { 14 | inherit pkgs; 15 | modules = [ 16 | defaultModule 17 | ]; 18 | format = "install-iso"; 19 | } 20 | -------------------------------------------------------------------------------- /pkgs/kernels/zfs-tdx.patch: -------------------------------------------------------------------------------- 1 | diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c 2 | index cc130b57542a..1d85cb7071cb 100644 3 | --- a/arch/x86/kernel/alternative.c 4 | +++ b/arch/x86/kernel/alternative.c 5 | 
@@ -403,7 +403,7 @@ noinstr void BUG_func(void) 6 | { 7 | BUG(); 8 | } 9 | -EXPORT_SYMBOL_GPL(BUG_func); 10 | +EXPORT_SYMBOL(BUG_func); 11 | 12 | #define CALL_RIP_REL_OPCODE 0xff 13 | #define CALL_RIP_REL_MODRM 0x15 14 | -------------------------------------------------------------------------------- /modules/hardware/poweredge-r440.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | lib, 4 | modulesPath, 5 | ... 6 | }: 7 | { 8 | imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; 9 | 10 | boot.initrd.availableKernelModules = [ 11 | "ahci" 12 | "xhci_pci" 13 | "nvme" 14 | "megaraid_sas" 15 | ]; 16 | boot.kernelModules = [ "kvm-intel" ]; 17 | 18 | hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; 19 | } 20 | -------------------------------------------------------------------------------- /modules/netboot/default.nix: -------------------------------------------------------------------------------- 1 | { ... }: 2 | { 3 | services.atftpd.enable = true; 4 | services.atftpd.root = "/var/lib/netboot"; 5 | networking.firewall.allowedTCPPorts = [ 6 | 69 # tftp 7 | 80 # http 8 | ]; 9 | networking.firewall.allowedUDPPorts = [ 10 | 69 # tftp 11 | ]; 12 | services.nginx.enable = true; 13 | services.nginx.virtualHosts."_" = { 14 | locations."/".extraConfig = '' 15 | root /var/lib/netboot; 16 | ''; 17 | }; 18 | } 19 | -------------------------------------------------------------------------------- /pkgs/xilinx/cable-drivers/default.nix: -------------------------------------------------------------------------------- 1 | { stdenv }: 2 | # taken from vivado 2021.2 3 | stdenv.mkDerivation { 4 | name = "xilinx-cable-driver"; 5 | src = ./.; 6 | installPhase = '' 7 | mkdir -p $out/lib/udev/rules.d/ 8 | cp -v *.rules $out/lib/udev/rules.d/ 9 | 10 | # This is a false-positive in the udev nixos build script but we fix it 11 | # anyway. 
12 | sed -i -e 's!/sbin/udevcontrol!udevcontrol!' $out/lib/udev/rules.d/*.rules 13 | ''; 14 | } 15 | -------------------------------------------------------------------------------- /hosts/ian.nix: -------------------------------------------------------------------------------- 1 | { 2 | imports = [ 3 | ../modules/hardware/poweredge-r760.nix 4 | ../modules/nfs/client.nix 5 | #../modules/linux-uintr.nix 6 | ../modules/intel_tdx.nix 7 | ]; 8 | 9 | disko.rootDisk = "/dev/disk/by-id/nvme-SAMSUNG_MZQL23T8HCLS-00A07_S64HNS0W800690"; 10 | 11 | networking.hostName = "ian"; 12 | 13 | simd.arch = "emeraldrapids"; 14 | 15 | system.stateVersion = "23.05"; 16 | 17 | powerManagement.cpuFreqGovernor = "performance"; 18 | } 19 | -------------------------------------------------------------------------------- /modules/ci.nix: -------------------------------------------------------------------------------- 1 | { 2 | # used in drone.thalheim.io 3 | users.users.ci = { 4 | isSystemUser = true; 5 | createHome = true; 6 | home = "/var/lib/ci"; 7 | extraGroups = [ "wheel" ]; 8 | shell = "/run/current-system/sw/bin/bash"; 9 | uid = 1101; 10 | group = "ci"; 11 | openssh.authorizedKeys.keys = [ 12 | "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPzCFVndhf5+81AiML9nJSrxEmoDGX2sf7hlCgd3am+G" 13 | ]; 14 | }; 15 | users.groups.ci = { }; 16 | } 17 | -------------------------------------------------------------------------------- /pkgs/xilinx/cable-drivers/52-xilinx-pcusb.rules: -------------------------------------------------------------------------------- 1 | # version 0002 2 | ATTR{idVendor}=="03fd", ATTR{idProduct}=="0008", MODE="666" 3 | ATTR{idVendor}=="03fd", ATTR{idProduct}=="0007", MODE="666" 4 | ATTR{idVendor}=="03fd", ATTR{idProduct}=="0009", MODE="666" 5 | ATTR{idVendor}=="03fd", ATTR{idProduct}=="000d", MODE="666" 6 | ATTR{idVendor}=="03fd", ATTR{idProduct}=="000f", MODE="666" 7 | ATTR{idVendor}=="03fd", ATTR{idProduct}=="0013", MODE="666" 8 | ATTR{idVendor}=="03fd", ATTR{idProduct}=="0015", 
MODE="666" 9 | -------------------------------------------------------------------------------- /modules/bootloader.nix: -------------------------------------------------------------------------------- 1 | { lib, pkgs, ... }: 2 | { 3 | # Set this to true when you install NixOS on a new machine! 4 | boot.loader.efi.canTouchEfiVariables = false; 5 | 6 | boot.loader.grub = lib.mkIf (pkgs.stdenv.isAarch64) { 7 | efiSupport = true; 8 | device = "nodev"; 9 | }; 10 | 11 | # something is buggy with systemd-boot on our EFI machine yasmin 12 | boot.loader.systemd-boot.enable = lib.mkDefault ( 13 | !pkgs.stdenv.isAarch64 && !pkgs.stdenv.hostPlatform.isRiscV 14 | ); 15 | } 16 | -------------------------------------------------------------------------------- /modules/tinc.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... }: 2 | { 3 | # only accept connections from hosts listed in our retiolum host definitions. 4 | services.tinc.networks.retiolum = { 5 | extraConfig = "StrictSubnets yes"; 6 | ed25519PrivateKeyFile = lib.mkIf ( 7 | config.sops.secrets ? "tinc-key" 8 | ) config.sops.secrets."tinc-key".path; 9 | 10 | rsaPrivateKeyFile = lib.mkIf ( 11 | config.sops.secrets ? 
"tinc-legacy-key" 12 | ) config.sops.secrets."tinc-legacy-key".path; 13 | }; 14 | } 15 | -------------------------------------------------------------------------------- /terraform/repo-mirrors/backend.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | backend "http" { 3 | address = "https://gitlab.com/api/v4/projects/33433812/terraform/state/gitlab" 4 | lock_address = "https://gitlab.com/api/v4/projects/33433812/terraform/state/gitlab/lock" 5 | unlock_address = "https://gitlab.com/api/v4/projects/33433812/terraform/state/gitlab/lock" 6 | username = "TUM-DSE" 7 | lock_method = "POST" 8 | unlock_method = "DELETE" 9 | retry_wait_min = "5" 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /hosts/christina.nix: -------------------------------------------------------------------------------- 1 | { 2 | imports = [ 3 | ../modules/hardware/supermicro-x12spw-tf.nix 4 | ../modules/nfs/client.nix 5 | ../modules/dax.nix 6 | ../modules/dpdk.nix 7 | ../modules/vfio/iommu-intel.nix 8 | ]; 9 | 10 | boot.hugepages1GB.number = 8; 11 | systemd.network.ignorePci = [ 12 | "0000:00:1c.0" 13 | "0000:00:1c.1" 14 | ]; 15 | 16 | networking.hostName = "christina"; 17 | 18 | simd.arch = "icelake-server"; 19 | 20 | system.stateVersion = "21.11"; 21 | } 22 | -------------------------------------------------------------------------------- /modules/arm_morello.nix: -------------------------------------------------------------------------------- 1 | { 2 | pkgs, 3 | lib, 4 | self, 5 | ... 
6 | }: 7 | let 8 | linuxPackages = 9 | (pkgs.linuxPackagesFor self.packages.${pkgs.hostPlatform.system}.linux-morello).extend 10 | (final: prev: { perf = pkgs.linuxPackages.perf; }); 11 | in 12 | { 13 | boot.kernelPackages = lib.mkForce linuxPackages; 14 | boot.initrd.includeDefaultModules = false; 15 | boot.initrd.availableKernelModules = [ 16 | "usb-storage" 17 | "usbhid" 18 | "hid_generic" 19 | ]; 20 | } 21 | -------------------------------------------------------------------------------- /modules/sshd/certs/netboot-cert.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIE/2sEvVeJuseQdQu2HmgO27aglqVQfm4eZYfVqIBi1xAAAAIG7LkEwrqt5GV9jKK7srfxrB1rwZ/r5xsEmJ6hHzl0oyAAAAAAAAAAAAAAACAAAAGG5ldGJvb3RfaG9zdF9lZDI1NTE5X2tleQAAAAsAAAAHbmV0Ym9vdAAAAAAAAAAA//////////8AAAAAAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIPcaLmompPPzIxv0e3ev3ywkinHZ38bAaRD8JA/s2Zz6AAAAUwAAAAtzc2gtZWQyNTUxOQAAAEAFzqe2BnKL/wEQ5WCBY5I0TWCkqTbGN5SFfGTgPceR2gcF/5S6SgvDiMmCpKCYVVfLRvnuiceWO2m9ZCBhRmoO joerg@rose 2 | -------------------------------------------------------------------------------- /modules/apple-silicon-support/packages/overlay.nix: -------------------------------------------------------------------------------- 1 | final: prev: { 2 | linux-asahi = final.callPackage ./linux-asahi { }; 3 | m1n1 = final.callPackage ./m1n1 { }; 4 | uboot-asahi = final.callPackage ./uboot-asahi { }; 5 | asahi-fwextract = final.callPackage ./asahi-fwextract { }; 6 | mesa-asahi-edge = final.callPackage ./mesa-asahi-edge { }; 7 | alsa-ucm-conf-asahi = final.callPackage ./alsa-ucm-conf-asahi { inherit (prev) alsa-ucm-conf; }; 8 | asahi-audio = final.callPackage ./asahi-audio { }; 9 | } 10 | -------------------------------------------------------------------------------- /modules/podman.nix: -------------------------------------------------------------------------------- 1 | { pkgs, lib, ... 
}: 2 | { 3 | virtualisation.docker.enable = lib.mkForce false; 4 | virtualisation.podman = { 5 | enable = true; 6 | extraPackages = [ pkgs.zfs ]; 7 | dockerCompat = true; 8 | dockerSocket.enable = true; 9 | }; 10 | 11 | virtualisation.containers.storage.settings = { 12 | storage.driver = "zfs"; 13 | storage.graphroot = "/var/lib/containers/storage"; 14 | storage.runroot = "/run/containers/storage"; 15 | storage.options.zfs.fsname = "zroot/docker"; 16 | }; 17 | } 18 | -------------------------------------------------------------------------------- /terraform/github-permissions/backend.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | backend "http" { 3 | address = "https://gitlab.com/api/v4/projects/33433812/terraform/state/github-permissions" 4 | lock_address = "https://gitlab.com/api/v4/projects/33433812/terraform/state/github-permissions/lock" 5 | unlock_address = "https://gitlab.com/api/v4/projects/33433812/terraform/state/github-permissions/lock" 6 | username = "TUM-DSE" 7 | lock_method = "POST" 8 | unlock_method = "DELETE" 9 | retry_wait_min = "5" 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /modules/monitoring/upgrades.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Upgrade and reboot the Ubuntu VM that runs our monitoring 3 | hosts: all 4 | become: yes 5 | tasks: 6 | - name: Update and upgrade apt packages for security updates 7 | apt: 8 | upgrade: yes 9 | update_cache: yes 10 | autoclean: yes 11 | autoremove: yes 12 | cache_valid_time: 86400 # One day 13 | register: system_upgrade 14 | - name: Reboot the machine when updates have been applied 15 | reboot: 16 | when: system_upgrade.changed 17 | -------------------------------------------------------------------------------- /modules/apple-silicon-support/packages/linux-asahi/rustc_1.82.0.patch: 
-------------------------------------------------------------------------------- 1 | diff --git a/rust/kernel/lib.rs b/rust/kernel/lib.rs 2 | index f56e077b8f53..5e0625b41dad 100644 3 | --- a/rust/kernel/lib.rs 4 | +++ b/rust/kernel/lib.rs 5 | 
@@ -23,6 +23,7 @@ 6 | #![feature(type_alias_impl_trait)] 7 | #![feature(unsize)] 8 | #![warn(clippy::undocumented_unsafe_blocks)] 9 | +#![feature(box_uninit_write)] 10 | 11 | // Ensure conditional compilation based on the kernel configuration works; 12 | // otherwise we may silently break things like initcall handling. 13 | -------------------------------------------------------------------------------- /modules/k3s/server.nix: -------------------------------------------------------------------------------- 1 | { ... }: 2 | { 3 | imports = [ ./. ]; 4 | sops.secrets.k3s-server-token.sopsFile = ./secrets.yml; 5 | networking.firewall.allowedTCPPorts = [ 6443 ]; 6 | services.k3s.extraFlags = "--disable traefik --snapshotter=zfs --container-runtime-endpoint unix:///run/containerd/containerd.sock --flannel-backend=host-gw"; 7 | 8 | services.dockerRegistry.enable = true; 9 | services.dockerRegistry.listenAddress = "[::]"; 10 | services.dockerRegistry.extraConfig.registry.proxy.remoteurl = "https://registry-1.docker.io"; 11 | } 12 | -------------------------------------------------------------------------------- /modules/sshd/certs/doctor-cert.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIGWte10dKNXkMBh4fhJhFNri0Ma94AkTSskfPLcf7hVYAAAAIAAr2pjOX2vizwlnR3WorGCtWmHgKAZDMWc3qti9PdDZAAAAAAAAAAAAAAACAAAACGRvY3Rvci5yAAAAOwAAAAZkb2N0b3IAAAAIZG9jdG9yLmkAAAAIZG9jdG9yLnIAAAAVZG9jdG9yLmRvcy5jaXQudHVtLmRlAAAAAAAAAAD//////////wAAAAAAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAg9xouaiak8/MjG/R7d6/fLCSKcdnfxsBpEPwkD+zZnPoAAABTAAAAC3NzaC1lZDI1NTE5AAAAQH/SM22H8fJXDkdLGkkse7p5AFr8BSk0CUBnRkquEhAvUPNJkSsSvTY8W0gCzlDauufJZWh139BmPfzELHMMKAI= doctor.r.pub 2 | -------------------------------------------------------------------------------- /templates/home-manager/home.nix: -------------------------------------------------------------------------------- 1 | # docs: find 
home manager options here: 2 | # https://nix-community.github.io/home-manager/options.html 3 | { pkgs, username, ... }: 4 | { 5 | config = { 6 | home.packages = with pkgs; [ 7 | # put user-global packages here 8 | htop 9 | ]; 10 | 11 | home.stateVersion = "23.11"; 12 | home.username = username; 13 | home.homeDirectory = "/home/${username}"; 14 | xdg.cacheHome = "/scratch/${username}/.cache"; 15 | xdg.stateHome = "/scratch/${username}/.local/share"; 16 | }; 17 | } 18 | -------------------------------------------------------------------------------- /modules/lawful-access/util.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... }: 2 | let 3 | hasLawfulAccess = lib.attrsets.hasAttrByPath [ 4 | "services" 5 | "openssh" 6 | "lawful-access" 7 | "enable" 8 | ] config; 9 | in 10 | { 11 | # remove all keys matching the lawful access key from a list of strings 12 | filter = ( 13 | keyList: 14 | if (hasLawfulAccess && config.services.openssh.lawful-access.enable) then 15 | builtins.filter (i: i != config.services.openssh.lawful-access.publicKey) keyList 16 | else 17 | keyList 18 | ); 19 | } 20 | -------------------------------------------------------------------------------- /modules/sshd/certs/dan-cert.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIKmG64oaD+1+8EQ3DGTWrRnlWLlexn4EwUyNc+n8o5ToAAAAIOpFka8+cr1lvC0bzMqdqP1RRIvnD+nb3Mog56hGGkB5AAAAAAAAAAAAAAACAAAAA2RhbgAAAEcAAAAFZGFuLnIAAAARZGFuLmRzZS5pbi50dW0uZGUAAAASZGFuLmRvcy5jaXQudHVtLmRlAAAAD2Rhbi50aGFsaGVpbS5pbwAAAAAAAAAA//////////8AAAAAAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIPcaLmompPPzIxv0e3ev3ywkinHZ38bAaRD8JA/s2Zz6AAAAUwAAAAtzc2gtZWQyNTUxOQAAAEC13AeKZU+eEVzeLGyZdqA7yjxfR847ePS1UcLayCuEDyIm+uI2dfEuujRdl+lWrg+8pyInJL3xpORhpI/TZ8ID root@nixos 2 | -------------------------------------------------------------------------------- 
/modules/elasticsearch.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | lib, 4 | pkgs, 5 | ... 6 | }: 7 | with lib; 8 | { 9 | config = { 10 | services.elasticsearch = { 11 | enable = true; 12 | dataDir = "/scratch/lan/es_home"; 13 | extraConf = '' 14 | xpack.security.enabled: false 15 | ''; 16 | }; 17 | environment.systemPackages = with pkgs; [ 18 | elasticsearch 19 | jdk 20 | ]; 21 | }; 22 | } 23 | # setup with ES_HOME = /scratch/lan/es_home 24 | # then sudo ln -s $(nix eval --raw nixpkgs#jdk)/* /scratch/lan/es_home/jdk/ 25 | -------------------------------------------------------------------------------- /modules/sshd/certs/ace-cert.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIIdqodj6Nx9sx9uOgXihswRQIWhGpZFJ2mx16Ifcx6C0AAAAIG/478QilBXJpC3l3FPR8Zcus0Wl7Nc1Kn3gziPcfxImAAAAAAAAAAAAAAACAAAAA2FjZQAAAEcAAAAFYWNlLnIAAAARYWNlLmRzZS5pbi50dW0uZGUAAAASYWNlLmRvcy5jaXQudHVtLmRlAAAAD2FjZS50aGFsaGVpbS5pbwAAAAAAAAAA//////////8AAAAAAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIPcaLmompPPzIxv0e3ev3ywkinHZ38bAaRD8JA/s2Zz6AAAAUwAAAAtzc2gtZWQyNTUxOQAAAECXwnB02OroBuQ5IxrWaM+g6irnxGaOMQU2a6wal2bQhRMrgH4sZWQ68mtdo5T3xZZk/lqHoKrHa9HRcUQQIcMN host key for host ace 2 | -------------------------------------------------------------------------------- /modules/sshd/certs/bill-cert.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519-cert-v01@openssh.com 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 root@nixos 2 | -------------------------------------------------------------------------------- /modules/sshd/certs/ian-cert.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519-cert-v01@openssh.com 
AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAICx9xML7AzaZN1QlrCauJQyDO9HoJ35JZhW1YiIxsnacAAAAIIp5BHKzvM/sy4BAWeojZjkUH2vfuYDl+Wlft4GoTUUbAAAAAAAAAAAAAAACAAAAA2lhbgAAAEcAAAAFaWFuLnIAAAARaWFuLmRzZS5pbi50dW0uZGUAAAASaWFuLmRvcy5jaXQudHVtLmRlAAAAD2lhbi50aGFsaGVpbS5pbwAAAAAAAAAA//////////8AAAAAAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIPcaLmompPPzIxv0e3ev3ywkinHZ38bAaRD8JA/s2Zz6AAAAUwAAAAtzc2gtZWQyNTUxOQAAAEDw7HyQLYruiK1RqNdDHpFiRGg1U9YlkqMyAQJopXee5ig0lR7pnpN/uwR6V33Y188yOrtULObqcjsxdjTXgNIA host key for host ian 2 | -------------------------------------------------------------------------------- /modules/sshd/certs/jack-cert.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519-cert-v01@openssh.com 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 root@nixos 2 | -------------------------------------------------------------------------------- /modules/sshd/certs/joy-cert.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIKZPFMN5KiQIfOECUGGGDUmnJTXaoiCsu5hfe55VUTNjAAAAIJLZEGrXZr300I3+3ypLoPMA5mho+Qm4OQkmVd9k59OQAAAAAAAAAAAAAAACAAAAA2pveQAAAEcAAAAFam95LnIAAAARam95LmRzZS5pbi50dW0uZGUAAAASam95LmRvcy5jaXQudHVtLmRlAAAAD2pveS50aGFsaGVpbS5pbwAAAAAAAAAA//////////8AAAAAAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIPcaLmompPPzIxv0e3ev3ywkinHZ38bAaRD8JA/s2Zz6AAAAUwAAAAtzc2gtZWQyNTUxOQAAAEDXsLCuMbPmVCixJaIIu5EYToGfIDIjZfCVJklcbUCioHBXB2IR+rqZ4yd5R0nEV60Iipl6nXoEIkC+k/Rf+KwE host key for host joy 2 | -------------------------------------------------------------------------------- /modules/sshd/certs/rose-cert.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519-cert-v01@openssh.com 
AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIBqLhCLTMnjFGONZzOPcpiTF7ojUYvgYfOlfnIBHLOLJAAAAIGXKWTYVfN/MPqNaypMktG50H5x4Aqs5Fdlv0bUhzii7AAAAAAAAAAAAAAACAAAABHJvc2UAAABLAAAABnJvc2UucgAAABJyb3NlLmRzZS5pbi50dW0uZGUAAAATcm9zZS5kb3MuY2l0LnR1bS5kZQAAABByb3NlLnRoYWxoZWltLmlvAAAAAAAAAAD//////////wAAAAAAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAg9xouaiak8/MjG/R7d6/fLCSKcdnfxsBpEPwkD+zZnPoAAABTAAAAC3NzaC1lZDI1NTE5AAAAQE6jHRHndwT++efrkNsrSNj3B8CCVcZCam+GNoGbb+/5VryAQjfG1JUFkjMMZZ8q77iiXgVLwGlKoEGyhpe5BwQ= patrick@T14s 2 | -------------------------------------------------------------------------------- /docs/DNSMASQ.md: -------------------------------------------------------------------------------- 1 | # NixOS direct connection with DHCP 2 | 3 | You can include the [dnsmasq.nix](https://github.com/Mic92/dotfiles/blob/ddbb973b1243a3de35943d790f48dd0f0815d2d8/nixos/modules/dnsmasq.nix) module into your NixOS config. 4 | 5 | Activate DHCP on some port: 6 | 7 | ``` 8 | sudo nmcli device set eth0 managed no 9 | sudo ip l set eth0 master internal 10 | journalctl -f -u dnsmasq 11 | ``` 12 | 13 | and deactivate it when connecting to another network again: 14 | 15 | ``` 16 | sudo ip link set eth0 nomaster 17 | sudo nmcli device set eth0 managed yes 18 | ``` 19 | -------------------------------------------------------------------------------- /hosts/river.nix: -------------------------------------------------------------------------------- 1 | { 2 | imports = [ 3 | ../modules/hardware/supermicro-x12spw-tf.nix 4 | ../modules/nfs/client.nix 5 | ../modules/dax.nix # just to disable PM as RAM 6 | ../modules/dpdk.nix 7 | ../modules/vfio/iommu-intel.nix 8 | ../modules/linux-ioregionfd.nix 9 | ]; 10 | 11 | boot.hugepages1GB.number = 8; 12 | boot.hugepages2MB.number = 13 | let 14 | gb = 100; 15 | in 16 | gb * 1024 / 2; 17 | 18 | networking.hostName = "river"; 19 | 20 | simd.arch = "icelake-server"; 21 | 22 | system.stateVersion = "21.11"; 23 | } 24 | 
-------------------------------------------------------------------------------- /modules/sshd/certs/amy-cert.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIKh0Eo+Hn1jbwIr1syNjphHbTiO/0SUMcET720d4922DAAAAIE5dCr+dS9eqX1bhTSjUdc3OSI7nzDNYeN8k5cacf/+lAAAAAAAAAAAAAAACAAAAA2FteQAAAEcAAAAFYW15LnIAAAARYW15LmRzZS5pbi50dW0uZGUAAAASYW15LmRvcy5jaXQudHVtLmRlAAAAD2FteS50aGFsaGVpbS5pbwAAAAAAAAAA//////////8AAAAAAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIPcaLmompPPzIxv0e3ev3ywkinHZ38bAaRD8JA/s2Zz6AAAAUwAAAAtzc2gtZWQyNTUxOQAAAEAez8garcvrRLRgARxeAWlbY0mMSJTe0B6u3kpmNNcbVi/0eOUGSpOgegctfAjJxUki+w3e73X93P9Env8ZiDcP root@nixos-pxe-9d131737 2 | -------------------------------------------------------------------------------- /modules/sshd/certs/river-cert.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519-cert-v01@openssh.com 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 root@nixos 2 | -------------------------------------------------------------------------------- /modules/sshd/certs/ruby-cert.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519-cert-v01@openssh.com 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 host key for host ruby 2 | -------------------------------------------------------------------------------- /modules/sshd/certs/ryan-cert.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519-cert-v01@openssh.com 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 host key for host ryan 2 | -------------------------------------------------------------------------------- /modules/hardware/supermicro-X12SCZ-TLN4F.nix: -------------------------------------------------------------------------------- 1 | { 2 | lib, 3 | modulesPath, 4 | ... 
5 | }: 6 | { 7 | imports = [ "${modulesPath}/installer/scan/not-detected.nix" ]; 8 | 9 | boot.initrd.availableKernelModules = [ 10 | "xhci_pci" 11 | "ahci" 12 | "nvme" 13 | "usbhid" 14 | "usb_storage" 15 | "sd_mod" 16 | ]; 17 | boot.initrd.kernelModules = [ ]; 18 | boot.kernelModules = [ "kvm-intel" ]; 19 | boot.extraModulePackages = [ ]; 20 | 21 | 22 | swapDevices = [ ]; 23 | 24 | powerManagement.cpuFreqGovernor = lib.mkDefault "performance"; 25 | } 26 | -------------------------------------------------------------------------------- /modules/k3s/agent.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... }: 2 | { 3 | imports = [ ./. ]; 4 | # When initializing a cluster from scratch also copy /etc/rancher/k3s/k3s.yaml 5 | # from the master to the https://github.com/ls1-courses/internal-docs/tree/main/runner 6 | 7 | services.k3s.role = "agent"; 8 | services.k3s.serverAddr = lib.mkDefault "https://${config.networking.doctorwho.hosts.astrid.ipv4}:6443"; 9 | services.k3s.extraFlags = "--node-ip ${config.networking.doctorwho.currentHost.ipv4} --snapshotter=zfs --container-runtime-endpoint unix:///run/containerd/containerd.sock"; 10 | } 11 | -------------------------------------------------------------------------------- /modules/sshd/certs/astrid-cert.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519-cert-v01@openssh.com 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 root@nixos 2 | -------------------------------------------------------------------------------- /modules/sshd/certs/graham-cert.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519-cert-v01@openssh.com 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 root@nixos 2 | -------------------------------------------------------------------------------- /modules/sshd/certs/mickey-cert.pub: 
-------------------------------------------------------------------------------- 1 | ssh-ed25519-cert-v01@openssh.com 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 root@mickey 2 | -------------------------------------------------------------------------------- /modules/sshd/certs/yasmin-cert.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519-cert-v01@openssh.com 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 root@nixos 2 | -------------------------------------------------------------------------------- /modules/sshd/certs/donna-cert.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519-cert-v01@openssh.com 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 host key for host donna 2 | -------------------------------------------------------------------------------- /modules/sshd/certs/eliza-cert.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519-cert-v01@openssh.com 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 host key for host eliza 2 | -------------------------------------------------------------------------------- /modules/sshd/certs/irene-cert.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIBUZaJzJfn6mCzZFoaLH0LwiiqHFWDklgDHaovCI3gKmAAAAIPdvhSyH2a4OJRS9dXL92XF3xCdpvdNbHBhTYBXIFYa/AAAAAAAAAAAAAAACAAAABWlyZW5lAAAATwAAAAdpcmVuZS5yAAAAE2lyZW5lLmRzZS5pbi50dW0uZGUAAAAUaXJlbmUuZG9zLmNpdC50dW0uZGUAAAARaXJlbmUudGhhbGhlaW0uaW8AAAAAAAAAAP//////////AAAAAAAAAAAAAAAAAAAAMwAAAAtzc2gtZWQyNTUxOQAAACD3Gi5qJqTz8yMb9Ht3r98sJIpx2d/GwGkQ/CQP7Nmc+gAAAFMAAAALc3NoLWVkMjU1MTkAAABAFMJLL9kQ0RLrECCm1v1tVyxn/t8AWCeImQHGoiYBPWxLc24ZJbYeRonvac1u847qIvWS45enf/l99B4bDF7CAg== host key for host irene 2 | -------------------------------------------------------------------------------- 
/modules/sshd/certs/jackson-cert.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519-cert-v01@openssh.com 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 root@nixos 2 | -------------------------------------------------------------------------------- /modules/sshd/certs/jamie-cert.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519-cert-v01@openssh.com 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 host key for host jamie 2 | -------------------------------------------------------------------------------- /modules/sshd/certs/login-cert.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519-cert-v01@openssh.com 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 login.dos.cit.tum.de.pub 2 | -------------------------------------------------------------------------------- /modules/sshd/certs/nardole-cert.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAILMQgx0S1OihNAhPO7Xtis3uCkW8ySQNmSTIF8P70nPvAAAAICxBbS6tbc4KuS7sg/6py87kNhuI1s/sE1FtJpdQjzWJAAAAAAAAAAAAAAACAAAAB25hcmRvbGUAAABXAAAACW5hcmRvbGUucgAAABVuYXJkb2xlLmRzZS5pbi50dW0uZGUAAAAWbmFyZG9sZS5kb3MuY2l0LnR1bS5kZQAAABNuYXJkb2xlLnRoYWxoZWltLmlvAAAAAAAAAAD//////////wAAAAAAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAg9xouaiak8/MjG/R7d6/fLCSKcdnfxsBpEPwkD+zZnPoAAABTAAAAC3NzaC1lZDI1NTE5AAAAQAPPLQviz2EPvAPgOnrt+Cn/8U9Vd1H+kfBkzWuYxytQaQPC5j3zE73C/HgvNv6fLW0Tel/M7ZZEgY6c5TCI4Qs= root@nixos 2 | -------------------------------------------------------------------------------- /modules/sshd/certs/tegan-cert.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519-cert-v01@openssh.com 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 host key for host tegan 2 | 
-------------------------------------------------------------------------------- /modules/sshd/certs/vicki-cert.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519-cert-v01@openssh.com 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 host key for host vicki 2 | -------------------------------------------------------------------------------- /modules/sshd/certs/wilfred-cert.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519-cert-v01@openssh.com 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 root@nixos 2 | -------------------------------------------------------------------------------- /modules/sshd/certs/martha-cert.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519-cert-v01@openssh.com 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 host key for host martha 2 | -------------------------------------------------------------------------------- /modules/sshd/certs/vislor-cert.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519-cert-v01@openssh.com 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 host key for host vislor 2 | -------------------------------------------------------------------------------- /modules/sshd/certs/xavier-cert.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519-cert-v01@openssh.com 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 host key for host xavier 2 | -------------------------------------------------------------------------------- /modules/intel_tdx.nix: -------------------------------------------------------------------------------- 1 | { pkgs, lib, ... 
}: 2 | let 3 | linux = pkgs.callPackage ../pkgs/kernels/linux-tdx.nix { }; 4 | linuxPackages = pkgs.recurseIntoAttrs (pkgs.linuxPackagesFor linux); 5 | in 6 | { 7 | # Configuration for Intel TDX 8 | 9 | boot.kernelPackages = lib.mkForce linuxPackages; 10 | boot.zfs.package = pkgs.zfsUnstable; # needed for 6.9 11 | 12 | boot.kernelParams = [ 13 | "kvm_intel.tdx=1" 14 | # TDX cannot survive S3 and deeper sleep states 15 | "nohibernate" 16 | ]; 17 | 18 | # enable the libvirtd service 19 | virtualisation.libvirtd.enable = true; 20 | } 21 | -------------------------------------------------------------------------------- /modules/nfs/default.nix: -------------------------------------------------------------------------------- 1 | { lib, ... }: 2 | { 3 | options = { 4 | services.nfs-server.interface = lib.mkOption { 5 | type = lib.types.str; 6 | example = "enp94s0f0np0"; 7 | description = "The network interface to bind the nfs server to."; 8 | }; 9 | }; 10 | config = { 11 | networking.extraHosts = '' 12 | 2a09:80c0:102::f000:0 nfs 13 | 2a09:80c0:102::f000:1 nfs-backup 14 | ''; 15 | # disabling rpcbind breaks NFS :( 16 | # services.rpcbind.enable = lib.mkForce false; # rpcbind is not needed for our NFSv4 but can be used for DDoS amplification 17 | }; 18 | } 19 | -------------------------------------------------------------------------------- /modules/sshd/certs/adelaide-cert.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519-cert-v01@openssh.com 
AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIJsz0dixyPoRWatt6pkVwU99aNlkSNKmDLg+Yn6TMt1fAAAAIMxbk2d+x6p8VGsielLKspIWtZoTtkwY59SkH3wys1byAAAAAAAAAAAAAAACAAAACGFkZWxhaWRlAAAAWwAAAAphZGVsYWlkZS5yAAAAFmFkZWxhaWRlLmRzZS5pbi50dW0uZGUAAAAXYWRlbGFpZGUuZG9zLmNpdC50dW0uZGUAAAAUYWRlbGFpZGUudGhhbGhlaW0uaW8AAAAAAAAAAP//////////AAAAAAAAAAAAAAAAAAAAMwAAAAtzc2gtZWQyNTUxOQAAACD3Gi5qJqTz8yMb9Ht3r98sJIpx2d/GwGkQ/CQP7Nmc+gAAAFMAAAALc3NoLWVkMjU1MTkAAABA4s1v/dgcO5BD4sk7HzAdybbhkjHjn8PF4xjsmPwsfQx0rIjTiGYUzFyipUVHsCI5YrklUvDLtzRtPPUgI85sCA== root@nixos 2 | -------------------------------------------------------------------------------- /modules/sshd/certs/christina-cert.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIDjgFnZfWi8g5zl81jvQPcqzUVB5twcvKYeTCaQeUvd4AAAAICCkQk6QF2O90lVkKf1l2oOmkWLA+gmUYQwIb5MBaBtEAAAAAAAAAAAAAAACAAAACWNocmlzdGluYQAAAF8AAAALY2hyaXN0aW5hLnIAAAAXY2hyaXN0aW5hLmRzZS5pbi50dW0uZGUAAAAYY2hyaXN0aW5hLmRvcy5jaXQudHVtLmRlAAAAFWNocmlzdGluYS50aGFsaGVpbS5pbwAAAAAAAAAA//////////8AAAAAAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIPcaLmompPPzIxv0e3ev3ywkinHZ38bAaRD8JA/s2Zz6AAAAUwAAAAtzc2gtZWQyNTUxOQAAAEBNS5/5szZ8nRslkaqEZZwpD/XOIciPVCuID9iO5idUl6zumi2wbUQmNnHMqyeIIsuEQR/fQ9EMCZza4jKAV0wE root@nixos 2 | -------------------------------------------------------------------------------- /modules/netboot/dhcpd.conf: -------------------------------------------------------------------------------- 1 | # test setup to test our university network environment 2 | option domain-name "example.com"; 3 | option domain-name-servers 8.8.8.8; 4 | option subnet-mask 255.255.255.0; 5 | default-lease-time 600; 6 | max-lease-time 7200; 7 | server-name "test"; 8 | 9 | # assumes we assigned 192.168.122.1/24 to our VM bridge 10 | subnet 192.168.122.0 netmask 255.255.255.0 { 11 | range 192.168.122.200 192.168.122.253; 12 | option routers 192.168.122.1; 13 | } 14 | 15 | 
filename "nixos.img"; 16 | # assumes we assigned 129.215.165.108/32 to our VM bridge 17 | next-server 129.215.165.108; 18 | -------------------------------------------------------------------------------- /modules/sshd/certs/clara-cert.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519-cert-v01@openssh.com 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 romano@w221-58-v4.eduroam.dynamic.rbg.tum.de 2 | -------------------------------------------------------------------------------- /modules/k3s/k3s-reset-node: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # THIS IS DANGEROUS BECAUSE IT DELETES SECRETS/CERTS e.g. in /var/lib/rancher. 3 | set -eux -o pipefail 4 | shopt -s nullglob 5 | systemctl stop k3s containerd 6 | find /sys/fs/cgroup/systemd/system.slice/containerd.service* /sys/fs/cgroup/kubepods* -name cgroup.procs -print0 | \ 7 | xargs -0 -r cat | xargs -r kill -9 8 | mount | awk '/\/var\/lib\/kubelet|\/run\/netns|\/run\/containerd/ {print $3}' | xargs -r umount 9 | zfs destroy -R zroot/containerd 10 | rm -rf /var/lib/rancher/ /var/lib/containerd /etc/rancher /run/containerd/ /var/lib/cni/ 11 | systemctl start k3s 12 | -------------------------------------------------------------------------------- /modules/tracing.nix: -------------------------------------------------------------------------------- 1 | { 2 | pkgs, 3 | config, 4 | lib, 5 | ... 
6 | }: 7 | { 8 | programs.bcc.enable = !pkgs.stdenv.hostPlatform.isRiscV; 9 | programs.sysdig.enable = !pkgs.stdenv.isAarch64 && !pkgs.stdenv.hostPlatform.isRiscV; 10 | 11 | # allow perf as user 12 | boot.kernel.sysctl."kernel.perf_event_paranoid" = -1; 13 | # allow perf users to see kernel pointers 14 | boot.kernel.sysctl."kernel.kptr_restrict" = lib.mkForce 0; 15 | 16 | environment.systemPackages = [ 17 | pkgs.strace 18 | 19 | # we want to use trace from bcc 20 | (pkgs.lowPrio config.boot.kernelPackages.perf) 21 | ]; 22 | } 23 | -------------------------------------------------------------------------------- /hosts/yasmin.nix: -------------------------------------------------------------------------------- 1 | { 2 | imports = [ 3 | ../modules/yasmin-hardware.nix 4 | ../modules/nfs/client.nix 5 | ../modules/nfs/client.nix 6 | # TODO this no longer builds with the new kernel. 7 | #../modules/uprobes.nix 8 | ]; 9 | 10 | networking.hostName = "yasmin"; 11 | 12 | boot.kernelParams = [ 13 | "console=ttyS0,115200n8" 14 | "console=ttyAMA0,115200n8" 15 | "console=tty0" 16 | ]; 17 | 18 | system.stateVersion = "20.09"; 19 | 20 | nix.settings.system-features = [ 21 | "benchmark" 22 | "big-parallel" 23 | "kvm" 24 | "nixos-test" 25 | "armv8.1-a" 26 | ]; 27 | } 28 | -------------------------------------------------------------------------------- /modules/amd_sev_svsm.nix: -------------------------------------------------------------------------------- 1 | { pkgs, lib, ... 
}: 2 | let 3 | linux = pkgs.callPackage ../pkgs/kernels/linux-svsm-host.nix { }; 4 | linuxPackages = pkgs.recurseIntoAttrs (pkgs.linuxPackagesFor linux); 5 | in 6 | { 7 | # Configuration for AMD SEV-SNP with SVSM support 8 | 9 | boot.kernelPackages = lib.mkForce linuxPackages; 10 | 11 | boot.kernelParams = [ 12 | #"mem_encrypt=on" 13 | "kvm_amd.sev=1" 14 | "kvm_amd.sev_es=1" 15 | "kvm_amd.sev_snp=1" 16 | #"kvm.mmio_caching=on" 17 | "sp5100_tco.blacklist=yes" 18 | ]; 19 | 20 | # enable libvirtd service 21 | virtualisation.libvirtd.enable = true; 22 | } 23 | -------------------------------------------------------------------------------- /modules/hardware/mifcom-tower.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | lib, 4 | pkgs, 5 | modulesPath, 6 | ... 7 | }: 8 | 9 | { 10 | imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; 11 | 12 | boot.initrd.availableKernelModules = [ 13 | "vmd" 14 | "xhci_pci" 15 | "ahci" 16 | "nvme" 17 | "usbhid" 18 | ]; 19 | boot.initrd.kernelModules = [ ]; 20 | boot.kernelModules = [ "kvm-intel" ]; 21 | boot.extraModulePackages = [ ]; 22 | 23 | nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; 24 | hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; 25 | } 26 | -------------------------------------------------------------------------------- /hosts/ace.nix: -------------------------------------------------------------------------------- 1 | { 2 | lib, 3 | ... 
4 | }: 5 | { 6 | imports = [ 7 | ../modules/hardware/morello.nix 8 | ../modules/nfs/client.nix 9 | ../modules/disko-ext4.nix 10 | ../modules/arm_morello.nix 11 | ]; 12 | 13 | networking.hostName = "ace"; 14 | 15 | simd.arch = "armv8-a"; 16 | 17 | disko.rootDisk = "/dev/disk/by-id/ata-HFS480G3H2X069N_ESC3N5648I3603P2Y"; 18 | 19 | system.stateVersion = "24.05"; 20 | 21 | boot.loader.efi.canTouchEfiVariables = lib.mkForce true; 22 | boot.loader.systemd-boot.enable = true; 23 | 24 | # docker fails to start 25 | virtualisation.docker.enable = lib.mkForce false; 26 | } 27 | -------------------------------------------------------------------------------- /hosts/adelaide.nix: -------------------------------------------------------------------------------- 1 | { 2 | imports = [ 3 | ../modules/hardware/supermicro-x12spw-tf-disko.nix 4 | ../modules/nfs/client.nix 5 | # iommu for sebastians students 6 | ../modules/vfio/iommu-intel.nix 7 | ../modules/disko-zfs.nix 8 | ../modules/dpdk.nix 9 | ]; 10 | 11 | disko.rootDisk = "/dev/sdc"; 12 | 13 | networking.hostName = "adelaide"; 14 | 15 | simd.arch = "icelake-server"; 16 | 17 | system.stateVersion = "21.11"; 18 | 19 | boot.hugepages2MB.number = let 20 | gb = 30; 21 | in gb * 1024 / 2; 22 | systemd.network.ignorePci = [ 23 | "0000:00:1c.0" 24 | "0000:00:1c.1" 25 | ]; 26 | } 27 | -------------------------------------------------------------------------------- /terraform/modules/github-push-bot/main.tf: -------------------------------------------------------------------------------- 1 | provider "github" { 2 | alias = "owner" 3 | owner = var.org_name 4 | } 5 | 6 | provider "github" { 7 | alias = "bot" 8 | token = var.bot_github_token 9 | } 10 | 11 | data "github_user" "current" { 12 | username = "" 13 | provider = github.bot 14 | } 15 | 16 | resource "github_membership" "bot" { 17 | username = data.github_user.current.login 18 | role = "admin" 19 | provider = github.owner 20 | } 21 | 22 | output "accept_invitation" { 23 | value = 
"Visit https://github.com/orgs/${var.org_name}/invitation as ${data.github_user.current.login} to accept the invitation" 24 | } 25 | -------------------------------------------------------------------------------- /hosts/astrid.nix: -------------------------------------------------------------------------------- 1 | { 2 | imports = [ 3 | ../modules/k3s/server.nix 4 | ../modules/k3s/runner-monitoring.nix 5 | ../modules/hardware/poweredge-r440.nix 6 | ../modules/disko-zfs.nix 7 | ../modules/nfs/client.nix 8 | 9 | ../modules/jumphost 10 | ../modules/buildbot/master.nix 11 | ]; 12 | 13 | disko.rootDisk = "/dev/disk/by-id/nvme-Dell_Ent_NVMe_P5600_MU_U.2_1.6TB_PHAB123301411P9SGN"; 14 | 15 | # TODO: migrate to native mountpoints 16 | disko.zfs.legacyMounts.enable = true; 17 | 18 | networking.hostName = "astrid"; 19 | 20 | simd.arch = "cascadelake"; 21 | 22 | system.stateVersion = "21.11"; 23 | } 24 | -------------------------------------------------------------------------------- /modules/hardware/poweredge7515.nix: -------------------------------------------------------------------------------- 1 | # Do not modify this file! It was generated by ‘nixos-generate-config’ 2 | # and may be overwritten by future invocations. Please make changes 3 | # to /etc/nixos/configuration.nix instead. 4 | { modulesPath, ... 
}: 5 | { 6 | imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; 7 | 8 | boot.initrd.availableKernelModules = [ 9 | "megaraid_sas" 10 | "nvme" 11 | "xhci_pci" 12 | "ahci" 13 | "usb_storage" 14 | "usbhid" 15 | "sd_mod" 16 | ]; 17 | boot.initrd.kernelModules = [ ]; 18 | boot.kernelModules = [ "kvm-amd" ]; 19 | boot.extraModulePackages = [ ]; 20 | } 21 | -------------------------------------------------------------------------------- /hosts/jack.nix: -------------------------------------------------------------------------------- 1 | { 2 | imports = [ 3 | ../modules/hardware/supermicro-120U-TNR.nix 4 | ../modules/nfs/client.nix 5 | ../modules/dax.nix 6 | ../modules/nvidia.nix 7 | ../modules/vfio/iommu-intel.nix 8 | ../modules/dpdk.nix 9 | ]; 10 | 11 | doctorwho.pmem.devices = [ 12 | "pmem0" 13 | "pmem1" 14 | ]; 15 | 16 | networking.hostName = "jack"; 17 | 18 | simd.arch = "icelake-server"; 19 | 20 | system.stateVersion = "21.11"; 21 | 22 | fileSystems."/ssd_extension" = { 23 | device = "ssd_extension/scratch"; 24 | fsType = "zfs"; 25 | }; 26 | 27 | boot.zfs.extraPools = [ "ssd_extension" ]; 28 | } 29 | -------------------------------------------------------------------------------- /modules/amd_sev_svsm_wallet.nix: -------------------------------------------------------------------------------- 1 | { pkgs, lib, ... 
}: 2 | let 3 | linux = pkgs.callPackage ../pkgs/kernels/linux-svsm-host-wallet.nix { }; 4 | linuxPackages = pkgs.recurseIntoAttrs (pkgs.linuxPackagesFor linux); 5 | in 6 | { 7 | # Configuration for AMD SEV-SNP with SVSM support 8 | 9 | boot.kernelPackages = lib.mkForce linuxPackages; 10 | 11 | boot.kernelParams = [ 12 | #"mem_encrypt=on" 13 | "kvm_amd.sev=1" 14 | "kvm_amd.sev_es=1" 15 | "kvm_amd.sev_snp=1" 16 | #"kvm.mmio_caching=on" 17 | "sp5100_tco.blacklist=yes" 18 | ]; 19 | 20 | # enable libvirtd service 21 | virtualisation.libvirtd.enable = true; 22 | } 23 | -------------------------------------------------------------------------------- /hosts/wilfred.nix: -------------------------------------------------------------------------------- 1 | { 2 | imports = [ 3 | ../modules/hardware/supermicro-x12spw-tf.nix 4 | ../modules/nfs/client.nix 5 | ../modules/ci.nix 6 | ../modules/dax.nix # just to disable PM as RAM 7 | ../modules/vfio/iommu-intel.nix 8 | ../modules/dpdk.nix 9 | ]; 10 | 11 | boot.hugepages1GB.number = 8; 12 | boot.hugepages2MB.number = let 13 | gb = 30; 14 | in gb * 1024 / 2; 15 | 16 | boot.initrd.availableKernelModules = [ "nvme" ]; 17 | 18 | networking.hostName = "wilfred"; 19 | 20 | simd.arch = "icelake-server"; 21 | 22 | system.stateVersion = "21.11"; 23 | 24 | networking.doctor-bridge.enable = true; 25 | } 26 | -------------------------------------------------------------------------------- /hosts/jamie.nix: -------------------------------------------------------------------------------- 1 | 2 | { 3 | imports = [ 4 | ../modules/hardware/poweredge7625.nix 5 | ../modules/nfs/client.nix 6 | #../modules/amd_sev_snp.nix 7 | ../modules/amd_sev_svsm.nix 8 | #../modules/amd_sev_svsm_wallet.nix 9 | #../modules/nvidia.nix 10 | ../modules/vfio/iommu-amd.nix 11 | 12 | ../modules/kata-container 13 | ]; 14 | 15 | simd.arch = "znver4"; 16 | 17 | disko.rootDisk = "/dev/disk/by-id/nvme-SAMSUNG_MZQL23T8HCLS-00A07_S64HNJ0X815786"; 18 | 19 | services.ollama = { 20 | 
enable = true; 21 | acceleration = "cuda"; 22 | }; 23 | 24 | networking.hostName = "jamie"; 25 | 26 | system.stateVersion = "23.05"; 27 | } 28 | -------------------------------------------------------------------------------- /modules/builder.nix: -------------------------------------------------------------------------------- 1 | { 2 | users.extraUsers.nix = { 3 | isNormalUser = true; 4 | home = "/home/nix"; 5 | openssh.authorizedKeys.keys = [ 6 | "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF48CsASF4l2oVA9GNNi0LCd4ONOtf0zkQx1tUbhSW3S joerg@turingmachine" 7 | "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS4sLGbDPZ4UDT3Rhy8uAz5vduRUAr0uEvdnUBP0cm4 nix@eve" 8 | "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKs8JnEt7KgZBND3bHURoaxfDy3l0sMb0S07O165ySv2 doctorBuilder:peter@aenderpad" 9 | "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILUjGSW2CmeBZBPNjgXXxrf/vZoa4gaqlQGuKIPZx737 patrick@T14s" 10 | ]; 11 | uid = 5001; 12 | }; 13 | nix.settings.trusted-users = [ "nix" ]; 14 | } 15 | -------------------------------------------------------------------------------- /hosts/eliza.nix: -------------------------------------------------------------------------------- 1 | { 2 | imports = [ 3 | ../modules/hardware/supermicro-ARS-211M-NR.nix 4 | ../modules/nfs/client.nix 5 | ../modules/disko-zfs.nix 6 | ../modules/buildbot/builder.nix 7 | ]; 8 | 9 | networking.hostName = "eliza"; 10 | 11 | disko.rootDisk = "/dev/disk/by-id/nvme-SAMSUNG_MZQL23T8HCLS-00A07_S64HNN0XA20382"; 12 | 13 | system.stateVersion = "24.11"; 14 | 15 | simd.arch = "armv8.6-a"; 16 | 17 | security.pam.loginLimits = [ 18 | { 19 | domain = "*"; 20 | type = "soft"; 21 | item = "nofile"; 22 | value = "8192"; 23 | } 24 | ]; 25 | systemd.user.extraConfig = '' 26 | DefaultLimitNOFILE=8192 27 | ''; 28 | } 29 | -------------------------------------------------------------------------------- /terraform/repo-mirrors/repository-dispatch.tf: -------------------------------------------------------------------------------- 1 | # Create a secret to trigger 
repository remote dispatch: 2 | # https://github.com/TUM-DSE/nixpkgs/blob/6b6871a627869636715814ee92f9de257cbca751/.github/workflows/update-doctor-cluster-flake.yml#L14 3 | resource "github_actions_secret" "github-token" { 4 | repository = "nixpkgs" 5 | secret_name = "ACCESS_TOKEN" 6 | plaintext_value = data.sops_file.secrets.data["doctor-cluster-bot-token"] 7 | } 8 | 9 | resource "github_actions_secret" "github-token2" { 10 | repository = "doctor-cluster-config" 11 | secret_name = "ACCESS_TOKEN" 12 | plaintext_value = data.sops_file.secrets.data["doctor-cluster-bot-token"] 13 | } 14 | -------------------------------------------------------------------------------- /modules/buildbot/reverse-proxy.nix: -------------------------------------------------------------------------------- 1 | { 2 | imports = [ ./hostfile.nix ]; 3 | services.nginx.virtualHosts."buildbot.dse.in.tum.de" = { 4 | forceSSL = true; 5 | enableACME = true; 6 | 7 | locations."/".proxyPass = "http://buildbot-master/"; 8 | locations."/sse" = { 9 | proxyPass = "http://buildbot-master/sse/"; 10 | # proxy buffering will prevent sse to work 11 | extraConfig = "proxy_buffering off;"; 12 | }; 13 | locations."/ws" = { 14 | proxyPass = "http://buildbot-master/ws"; 15 | proxyWebsockets = true; 16 | # raise the proxy timeout for the websocket 17 | extraConfig = "proxy_read_timeout 6000s;"; 18 | }; 19 | }; 20 | } 21 | -------------------------------------------------------------------------------- /pkgs/intel-fpgas/opencl-drivers/default.nix: -------------------------------------------------------------------------------- 1 | { stdenv }: 2 | # source: https://www.intel.com/content/www/us/en/software-kit/660540/intel-fpga-sdk-for-opencl-pro-edition-software-version-20-2.html 3 | # in Linux BSP: test/board/s10_ref/linux64/libexec/install (the `aocl install` command) installs this udev rule 4 | stdenv.mkDerivation { 5 | name = "intel-opencl-driver"; 6 | src = ./.; 7 | installPhase = '' 8 | mkdir -p 
$out/lib/udev/rules.d/ 9 | cp -v *.rules $out/lib/udev/rules.d/ 10 | 11 | # This is a false-positive in the udev nixos build script but we fix it 12 | # anyway. 13 | sed -i -e 's!/sbin/udevcontrol!udevcontrol!' $out/lib/udev/rules.d/*.rules 14 | ''; 15 | } 16 | -------------------------------------------------------------------------------- /hosts/vislor.nix: -------------------------------------------------------------------------------- 1 | { 2 | imports = [ 3 | ../modules/hardware/poweredge7625.nix 4 | ../modules/nfs/client.nix 5 | ../modules/amd_sev_snp-vanilla.nix 6 | ]; 7 | 8 | disko.rootDisk = "/dev/disk/by-id/nvme-SAMSUNG_MZQL23T8HCLS-00A07_S64HNS0W800676"; 9 | 10 | networking.hostName = "vislor"; 11 | # not in nixpkgs yet 12 | simd.arch = "znver4"; 13 | 14 | system.stateVersion = "23.05"; 15 | 16 | networking.doctor-bridge.enable = true; 17 | 18 | boot.kernelParams = [ 19 | "nvme.poll_queues=4" 20 | "nvme_core.multipath=N" 21 | "amd_iommu=on" 22 | ]; 23 | 24 | # Enable SR-IOV driver for Intel NIC 25 | boot.kernelModules = [ 26 | "iavf" 27 | ]; 28 | 29 | } 30 | -------------------------------------------------------------------------------- /modules/register-flake.nix: -------------------------------------------------------------------------------- 1 | { 2 | self, 3 | inputs, 4 | config, 5 | ... 
6 | }: 7 | { 8 | srvos.flake = self; 9 | srvos.registerSelf = true; 10 | # Nice for kernel hacking: https://blog.thalheim.io/2022/12/17/hacking-on-kernel-modules-in-nixos/ 11 | # nix develop "$(realpath /run/booted-system/flake)#nixosConfigurations.$(hostname).config.boot.kernelPackages.kernel" 12 | system.extraSystemBuilderCmds = '' 13 | ln -s ${self} $out/flake 14 | ''; 15 | 16 | nix.registry = { 17 | home-manager.flake = inputs.home-manager; 18 | nixpkgs.flake = inputs.nixpkgs; 19 | }; 20 | 21 | nix.nixPath = builtins.map (name: "${name}=flake:${name}") (builtins.attrNames config.nix.registry); 22 | } 23 | -------------------------------------------------------------------------------- /terraform/github-permissions/README.md: -------------------------------------------------------------------------------- 1 | # Set github access permissions with groups 2 | 3 | Creates and manages github groups to assign a group of users access to only some repos of an organization. 4 | For example, to give personal github accounts of sys-prog tutors access to the sys-prog-tytors group. 5 | 6 | ## Prerequisites 7 | 8 | - terraform installed (+ github and sops plugin) 9 | - sops installed 10 | - sops decryption key configured in `sops.yaml.nix` for the `admin` group or `terraform/secrets.enc.json` 11 | - create a `.envrc.local` file as described [here](../README.md) 12 | 13 | 14 | ## Apply terraform 15 | 16 | ```console 17 | git pull 18 | cd terraform/github-permissions 19 | ./apply.sh 20 | ``` 21 | -------------------------------------------------------------------------------- /modules/swiss-knife/default.nix: -------------------------------------------------------------------------------- 1 | { lib, pkgs, ... 
}: 2 | { 3 | imports = [ 4 | ./users.nix 5 | ./network.nix 6 | ./storage.nix 7 | ]; 8 | 9 | # Students are not careful exposing ports with containers 10 | networking.firewall.enable = lib.mkForce true; 11 | 12 | # isolates better than docker 13 | virtualisation.podman.enable = true; 14 | 15 | # needed for the container task 16 | environment.systemPackages = [ pkgs.docker-compose ]; 17 | 18 | # Do not do collide with the TUM vpn 19 | environment.etc."docker/daemon.json".text = builtins.toJSON { 20 | default-address-pools = [ 21 | { 22 | base = "192.168.0.0/16"; 23 | size = 24; 24 | } 25 | ]; 26 | }; 27 | } 28 | -------------------------------------------------------------------------------- /pkgs/kernels/linux-ioregionfd-5.15.nix: -------------------------------------------------------------------------------- 1 | { buildLinux, fetchFromGitHub, ... }@args: 2 | 3 | buildLinux (args // rec { 4 | version = "5.15"; 5 | modDirVersion = "5.15.84"; 6 | src = fetchFromGitHub { 7 | owner = "gierens"; 8 | repo = "linux"; 9 | rev = "669ce309ca5572e66ab5a2df30207c7a48cc75f3"; # branch v5.15.84-ioregionfd 10 | sha256 = "sha256-HrfndxdkIto6NrYKcX0oI4XQvHO5axsrWrV15UYm2ho="; 11 | }; 12 | 13 | kernelPatches = [{ 14 | name = "enable-kvm-ioregion"; 15 | patch = null; 16 | extraConfig = '' 17 | KVM_IOREGION y 18 | ''; 19 | }]; # ++ linuxPackages_5_15.kernel.kernelPatches; 20 | extraMeta.branch = "5.15"; 21 | ignoreConfigErrors = true; 22 | } // (args.argsOverride or { })) 23 | -------------------------------------------------------------------------------- /modules/netboot/netboot-pixie-core.nix: -------------------------------------------------------------------------------- 1 | { pkgs, netboot }: 2 | # 1. Connect this device directly to the server. On nixos you can use 3 | # github.com/Mic92/dotfiles/nixos/modules/dnsmasq.nix and follow its 4 | # instructions. 5 | # 2. 
Run the netboot server 6 | # $ nix run '.#netboot-pixie-core' 7 | pkgs.writeShellScriptBin "netboot-pixie-core" '' 8 | set -euo pipefail -x 9 | cmdline=$(${pkgs.gnugrep}/bin/grep -ohP 'init=.+' ${netboot}/netboot.ipxe) 10 | cmdline=$(echo "''${cmdline//initrd=initrd /}" ) 11 | # needs root for RAW_SOCKETS 12 | sudo ${pkgs.pixiecore}/bin/pixiecore \ 13 | boot ${netboot}/bzImage ${netboot}/initrd \ 14 | --cmdline "$cmdline" \ 15 | --debug --dhcp-no-bind --port 64172 --status-port 64172 16 | '' 17 | -------------------------------------------------------------------------------- /pkgs/linux-sgx-driver/default.nix: -------------------------------------------------------------------------------- 1 | { kernel 2 | , stdenv 3 | , fetchFromGitHub 4 | , perl 5 | }: 6 | let 7 | kdir = "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"; 8 | in 9 | stdenv.mkDerivation rec { 10 | pname = "linux-sgx-driver"; 11 | version = "2.11"; 12 | 13 | src = fetchFromGitHub { 14 | owner = "intel"; 15 | repo = "linux-sgx-driver"; 16 | rev = "sgx_driver_${version}"; 17 | sha256 = "sha256-zZ0FgCx63LCNmvQ909O27v/o4+93gefhgEE/oDr/bHw="; 18 | }; 19 | 20 | makeFlags = [ 21 | "KDIR=${kdir}" 22 | ]; 23 | 24 | nativeBuildInputs = [ perl ] ++ kernel.moduleBuildDependencies; 25 | 26 | installPhase = '' 27 | make INSTALL_MOD_PATH=$out -C ${kdir} M=$(pwd) modules_install 28 | ''; 29 | } 30 | -------------------------------------------------------------------------------- /terraform/github-permissions/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | github = { 4 | source = "integrations/github" 5 | } 6 | sops = { 7 | source = "carlpett/sops" 8 | } 9 | } 10 | } 11 | 12 | provider "github" { 13 | alias = "TUM-DSE" 14 | owner = "TUM-DSE" 15 | } 16 | 17 | provider "github" { 18 | alias = "ls1-courses" 19 | owner = "ls1-courses" 20 | } 21 | 22 | provider "github" { 23 | alias = "ls1-cloud-lab-course" 24 | owner = 
"ls1-cloud-lab-course" 25 | } 26 | 27 | provider "github" { 28 | alias = "ls1-sys-prog-course" 29 | owner = "ls1-sys-prog-course" 30 | } 31 | 32 | provider "github" { 33 | alias = "ls1-adv-sys-prog-course" 34 | owner = "ls1-adv-sys-prog-course" 35 | } 36 | -------------------------------------------------------------------------------- /.github/workflows/check-expired-students.yml: -------------------------------------------------------------------------------- 1 | name: "Check for expired student accounts" 2 | on: 3 | schedule: 4 | # Run daily at 9 AM UTC 5 | - cron: "0 9 * * *" 6 | workflow_dispatch: 7 | 8 | permissions: 9 | issues: write 10 | contents: read 11 | 12 | jobs: 13 | check-expired-students: 14 | runs-on: ubuntu-latest 15 | steps: 16 | - uses: actions/checkout@v6 17 | 18 | - name: Install Nix 19 | uses: cachix/install-nix-action@v31 20 | 21 | - name: Create issues for expired accounts 22 | env: 23 | GH_TOKEN: ${{ github.token }} 24 | run: | 25 | # Enter devshell and run the issue creation command 26 | nix develop -c inv expired-accounts-create-issues 27 | -------------------------------------------------------------------------------- /modules/qemu-bridge.nix: -------------------------------------------------------------------------------- 1 | { 2 | pkgs, 3 | lib, 4 | config, 5 | ... 
# Allow qemu to attach tap devices to any bridge: the setuid qemu-bridge-helper below (installed only when libvirtd is not enabled, presumably because libvirt brings its own helper) reads this ACL, and "allow all" means every user who can execute the helper may create a tap on every host bridge. The file is root:qemu 0640 on purpose; keep the ACL this broad only on single-tenant VM hosts, otherwise list the permitted bridges explicitly.
6 | }: 7 | let 8 | useOverlayStorageDriver = pkgs.hostPlatform.isRiscV || config.networking.hostName == "ace"; 9 | in 10 | { 11 | # For docker 12 | boot.kernel.sysctl."net.ipv4.ip_forward" = 1; 13 | boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1; 14 | 15 | virtualisation.docker = { 16 | enable = true; 17 | enableOnBoot = true; 18 | storageDriver = if useOverlayStorageDriver then "overlay2" else "zfs"; 19 | extraOptions = "--userland-proxy=false --ip-masq=true ${ 20 | lib.optionalString (!useOverlayStorageDriver) "--storage-opt=zfs.fsname=zroot/docker" 21 | }"; 22 | 23 | # not compatible with docker swarm 24 | liveRestore = false; 25 | }; 26 | } 27 | -------------------------------------------------------------------------------- /hosts/joy.nix: -------------------------------------------------------------------------------- 1 | { 2 | inputs, 3 | lib, 4 | ... 5 | }: 6 | { 7 | imports = [ 8 | ../modules/disko-ext4.nix 9 | ../modules/facter.nix 10 | ../modules/xrdp.nix 11 | ../modules/nfs/client.nix 12 | ../modules/nvidia-orin-agx.nix 13 | ../modules/nvidia-jetson-passthru/default.nix 14 | # Docker doesn't work with nvidia passthru: https://github.com/TUM-DSE/jetpack-nixos?tab=readme-ov-file#oci-container-support 15 | inputs.jetpack-nixos.nixosModules.default 16 | ]; 17 | 18 | disko.rootDisk = "/dev/disk/by-id/nvme-Samsung_SSD_980_PRO_2TB_S736NL0X909257H"; 19 | 20 | # for installation 21 | boot.loader.efi.canTouchEfiVariables = lib.mkForce true; 22 | 23 | networking.hostName = "joy"; 24 | 25 | system.stateVersion = "24.11"; 26 | } 27 | -------------------------------------------------------------------------------- /docs/WIKIS.md: -------------------------------------------------------------------------------- 1 | # Metawiki 2 | 3 | This is a list of wiki and doc pages 4 | 5 | # Wikis 6 | 7 | - doctor-cluster repo :) 8 | - https://wiki.in.tum.de/Informatik/Benutzerwiki/WebHome: Infrastructure and Services provided by RBG 9 | - https://wiki.tum.de/: Tum 
confluence 10 | - https://tutorbetrieb.in.tum.de/faq 11 | - https://docmatching.in.tum.de/ 12 | 13 | Shared emails/lists: 14 | 15 | - https://lists.lrz.de/: mailman, only `@lists.lrz.de`, has all the settings 16 | - https://wiki.tum.de/display/docs/3.1.2%29+Shared+Mailbox MSexchange `@xcit.tum.de`: Configured with campusonline Funktionsobjekt Verwalter permission 17 | - https://wiki.in.tum.de/Informatik/Helpdesk/Sharedfolder `@cit.tum.de` 18 | 19 | Student oriented: 20 | 21 | - https://tum.sexy/: all links for all the lectures 22 | -------------------------------------------------------------------------------- /modules/amd_sev_snp-6.8.nix: -------------------------------------------------------------------------------- 1 | { pkgs, lib, ... }: 2 | let 3 | linux = pkgs.callPackage ../pkgs/kernels/linux-sev-snp-6.8.nix { }; 4 | linuxPackages = pkgs.recurseIntoAttrs (pkgs.linuxPackagesFor linux); 5 | in 6 | { 7 | # Configuration for AMD SEV-SNP with AMD versions' kernel 8 | 9 | boot.kernelPackages = lib.mkForce linuxPackages; 10 | boot.zfs.package = pkgs.zfsUnstable; # needed for 6.9 11 | 12 | boot.kernelParams = [ 13 | #"mem_encrypt=on" 14 | "kvm_amd.sev=1" 15 | "kvm_amd.sev_es=1" 16 | "kvm_amd.sev_snp=1" 17 | #"kvm.mmio_caching=on" 18 | "sp5100_tco.blacklist=yes" 19 | 20 | # this parameter exists on 6.9- 21 | "kvm.gmem_2m_enabled=1" 22 | ]; 23 | 24 | # enable libvirtd service 25 | virtualisation.libvirtd.enable = true; 26 | } 27 | -------------------------------------------------------------------------------- /modules/linux-uintr.nix: -------------------------------------------------------------------------------- 1 | { pkgs, lib, ... 
}: 2 | let 3 | linux_uintr = pkgs.callPackage ../pkgs/kernels/linux-uintr.nix { }; 4 | linuxPackages_uintr = pkgs.recurseIntoAttrs (pkgs.linuxPackagesFor linux_uintr); 5 | in 6 | { 7 | boot.kernelPackages = lib.mkForce linuxPackages_uintr; 8 | boot.kernelParams = ["isolcpus=0,2,4,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38,40,42,44,46,48,50,52,54,56,58,60,62,64,66,68,70,72,74,76,78,80,82,84,86,88,90,92,94,96,98,100,102,104,106,108,110,112,114,116,118,120,122,124,126" "nohz_full=0,2,4,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38,40,42,44,46,48,50,52,54,56,58,60,62,64,66,68,70,72,74,76,78,80,82,84,86,88,90,92,94,96,98,100,102,104,106,108,110,112,114,116,118,120,122,124,126" "intel_iommu=off" "nopat" "watchdog_thresh=0"]; 9 | } 10 | -------------------------------------------------------------------------------- /modules/apple-silicon-support/packages/alsa-ucm-conf-asahi/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | lib, 3 | fetchFromGitHub, 4 | alsa-ucm-conf, 5 | }: 6 | 7 | (alsa-ucm-conf.overrideAttrs ( 8 | oldAttrs: 9 | let 10 | versionAsahi = "5"; 11 | 12 | srcAsahi = fetchFromGitHub { 13 | # tracking: https://src.fedoraproject.org/rpms/alsa-ucm-asahi 14 | owner = "AsahiLinux"; 15 | repo = "alsa-ucm-conf-asahi"; 16 | rev = "v${versionAsahi}"; 17 | hash = "sha256-daUNz5oUrPfSMO0Tqq/WbtiLHMOtPeQQlI+juGrhTxw="; 18 | }; 19 | in 20 | { 21 | name = "${oldAttrs.pname}-${oldAttrs.version}-asahi-${versionAsahi}"; 22 | 23 | postInstall = 24 | oldAttrs.postInstall or "" 25 | + '' 26 | cp -r ${srcAsahi}/ucm2 $out/share/alsa 27 | ''; 28 | } 29 | )) 30 | -------------------------------------------------------------------------------- /pkgs/kata-runtime/default.nix: -------------------------------------------------------------------------------- 1 | { stdenv, lib, fetchzip, openssl, zlib, zstd, autoPatchelfHook }: 2 | let version = "3.23.0"; 3 | in stdenv.mkDerivation rec { 4 | pname = "kata"; 5 | inherit 
version; 6 | 7 | src = fetchzip { 8 | name = "kata-images-${version}"; 9 | url = 10 | "https://github.com/kata-containers/kata-containers/releases/download/${version}/kata-static-${version}-amd64.tar.zst"; 11 | hash = "sha256-h7+VXUq1leCIJEqTbDxr1qw1U7XFpiwjC7/sFHd3qFY="; 12 | nativeBuildInputs = [ zstd ]; 13 | }; 14 | 15 | nativeBuildInputs = [ autoPatchelfHook ]; 16 | 17 | buildInputs = [ openssl zlib ]; 18 | 19 | sourceRoot = "."; 20 | 21 | installPhase = '' 22 | runHook preInstall 23 | cp -r $src/kata $out 24 | runHook postInstall 25 | ''; 26 | 27 | } 28 | -------------------------------------------------------------------------------- /modules/amd_sev_snp.nix: -------------------------------------------------------------------------------- 1 | { pkgs, lib, ... }: 2 | let 3 | linux = pkgs.callPackage ../pkgs/kernels/linux-sev-snp.nix { }; 4 | linuxPackages = pkgs.recurseIntoAttrs (pkgs.linuxPackagesFor linux); 5 | in 6 | { 7 | # Configuration for AMD SEV-SNP with AMD versions' kernel 8 | 9 | boot.kernelPackages = lib.mkForce linuxPackages; 10 | boot.zfs.package = pkgs.zfsUnstable; # needed for 6.9 11 | 12 | boot.kernelParams = [ 13 | #"mem_encrypt=on" 14 | "amd_iommu=off" 15 | "kvm_amd.sev=1" 16 | "kvm_amd.sev_es=1" 17 | "kvm_amd.sev_snp=1" 18 | #"kvm.mmio_caching=on" 19 | "sp5100_tco.blacklist=yes" 20 | 21 | # this parameter exists on 6.9- 22 | "kvm.gmem_2m_enabled=1" 23 | ]; 24 | 25 | # enable libvirtd service 26 | virtualisation.libvirtd.enable = true; 27 | } 28 | -------------------------------------------------------------------------------- /pkgs/xilinx/xntools-core.nix: -------------------------------------------------------------------------------- 1 | { stdenv, lib, fetchurl, dpkg, autoPatchelfHook }: 2 | stdenv.mkDerivation rec { 3 | pname = "xntools-core"; 4 | version = "1.0.0.0-2"; 5 | src = fetchurl { 6 | url = "https://archive.org/download/firmware-sn1000_1.1.1.1021-1_all/xntools-core_${version}_amd64.deb"; 7 | hash = 
"sha256-wavu6XYTV8XiaoQT1qDwFEa76Es0hBegfhZFnTG/+NY="; 8 | }; 9 | nativeBuildInputs = [ dpkg autoPatchelfHook ]; 10 | unpackPhase = '' 11 | mkdir xntools 12 | dpkg-deb -x $src xntools 13 | cd xntools 14 | chmod -R +w . 15 | ''; 16 | 17 | installPhase = '' 18 | mkdir -p $out/bin 19 | cp usr/bin/* $out/bin 20 | ''; 21 | 22 | meta = with lib; { 23 | description = "SmartNIC utilities package"; 24 | platforms = [ "x86_64-linux" ]; 25 | }; 26 | } 27 | -------------------------------------------------------------------------------- /modules/apple-silicon-support/packages/mesa-asahi-edge/vendor/darwin.patch: -------------------------------------------------------------------------------- 1 | diff --git a/src/glx/glxext.c b/src/glx/glxext.c 2 | index 8770863eb7c..537f0af112c 100644 3 | --- a/src/glx/glxext.c 4 | +++ b/src/glx/glxext.c 5 | 
@@ -886,10 +886,11 @@ __glXInitialize(Display * dpy) 6 | Bool zink = False; 7 | Bool try_zink = False; 8 | 9 | + const char *env = getenv("MESA_LOADER_DRIVER_OVERRIDE"); 10 | + 11 | #if defined(GLX_DIRECT_RENDERING) && (!defined(GLX_USE_APPLEGL) || defined(GLX_USE_APPLE)) 12 | Bool glx_direct = !debug_get_bool_option("LIBGL_ALWAYS_INDIRECT", false); 13 | Bool glx_accel = !debug_get_bool_option("LIBGL_ALWAYS_SOFTWARE", false); 14 | - const char *env = getenv("MESA_LOADER_DRIVER_OVERRIDE"); 15 | 16 | zink = env && !strcmp(env, "zink"); 17 | try_zink = False; 18 | -------------------------------------------------------------------------------- /pkgs/musl-morello-purecap/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | stdenv, 3 | llvm-morello-purecap, 4 | fetchgit, 5 | }: 6 | stdenv.mkDerivation { 7 | name = "musl-morello-purecap"; 8 | src = fetchgit { 9 | url = "https://git.morello-project.org/morello/musl-libc.git"; 10 | rev = "e379080e966573c79096f80d89e5b42f469ac8d1"; 11 | sha256 = "sha256-BCF6mFWoAPIuTe4CTDp1C2zn5oLy6h4haOA5ZSi0F9c="; 12 | }; 13 | buildInputs = [ 14 | llvm-morello-purecap 15 | ]; 16 | configurePhase = '' 17 | CC=${llvm-morello-purecap}/bin/clang ./configure --disable-shared --enable-morello --enable-wrapper=clang --prefix=$out --target=aarch64-linux-musl_purecap 18 | ''; 19 | 20 | patchPhase = ""; 21 | 22 | meta = { 23 | description = "Morello musl libc"; 24 | platforms = [ "aarch64-linux" ]; 25 | }; 26 | } 27 | -------------------------------------------------------------------------------- /modules/hardware/supermicro-x12spw-tf-disko.nix: -------------------------------------------------------------------------------- 1 | # Do not modify this file! It was generated by ‘nixos-generate-config’ 2 | # and may be overwritten by future invocations. Please make changes 3 | # to /etc/nixos/configuration.nix instead. 4 | { 5 | config, 6 | lib, 7 | modulesPath, 8 | ... 
9 | }: 10 | 11 | { 12 | imports = [ 13 | (modulesPath + "/installer/scan/not-detected.nix") 14 | ../ipmi-supermicro.nix 15 | ]; 16 | 17 | boot.initrd.availableKernelModules = [ 18 | "ahci" 19 | "xhci_pci" 20 | "megaraid_sas" 21 | "usbhid" 22 | "sd_mod" 23 | ]; 24 | boot.initrd.kernelModules = [ ]; 25 | boot.kernelModules = [ "kvm-intel" ]; 26 | boot.extraModulePackages = [ ]; 27 | 28 | hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; 29 | } 30 | -------------------------------------------------------------------------------- /modules/hardware/supermicro-AS-4124GS.nix: -------------------------------------------------------------------------------- 1 | # Do not modify this file! It was generated by ‘nixos-generate-config’ 2 | # and may be overwritten by future invocations. Please make changes 3 | # to /etc/nixos/configuration.nix instead. 4 | { 5 | config, 6 | lib, 7 | modulesPath, 8 | ... 9 | }: 10 | 11 | { 12 | imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; 13 | 14 | boot.initrd.availableKernelModules = [ 15 | "xhci_pci" 16 | "nvme" 17 | "ahci" 18 | "usbhid" 19 | ]; 20 | boot.initrd.kernelModules = [ ]; 21 | boot.kernelModules = [ "kvm-amd" ]; 22 | boot.extraModulePackages = [ ]; 23 | 24 | swapDevices = [ ]; 25 | 26 | nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; 27 | hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; 28 | } 29 | -------------------------------------------------------------------------------- /pkgs/kernels/linux-ioregionfd-5.19.nix: -------------------------------------------------------------------------------- 1 | { buildLinux, fetchFromGitHub, modDirVersionArg ? null, ... 
}@args: 2 | 3 | buildLinux (args // rec { 4 | version = "5.19"; 5 | modDirVersion = 6 | if (modDirVersionArg == null) then 7 | builtins.replaceStrings [ "-" ] [ ".0-" ] version 8 | else 9 | modDirVersionArg; 10 | src = fetchFromGitHub { 11 | owner = "Mic92"; 12 | repo = "linux"; 13 | rev = "6327be32a74aed0139a1895329ce4fea2ec65745"; # branch ioregion-5.19 14 | sha256 = ""; 15 | }; 16 | 17 | kernelPatches = [{ 18 | name = "enable-kvm-ioregion"; 19 | patch = null; 20 | extraConfig = '' 21 | KVM_IOREGION y 22 | ''; 23 | }]; # ++ linuxPackages_5_19.kernel.kernelPatches; 24 | extraMeta.branch = "5.19"; 25 | ignoreConfigErrors = true; 26 | } // (args.argsOverride or { })) 27 | -------------------------------------------------------------------------------- /modules/apple-silicon-support/packages/bankstown-lv2/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | lib, 3 | lv2, 4 | pkg-config, 5 | rustPlatform, 6 | fetchFromGitHub, 7 | fetchpatch, 8 | }: 9 | 10 | rustPlatform.buildRustPackage rec { 11 | pname = "bankstown-lv2"; 12 | # tracking: https://src.fedoraproject.org/rpms/rust-bankstown-lv2 13 | version = "1.1.0"; 14 | 15 | src = fetchFromGitHub { 16 | owner = "chadmed"; 17 | repo = "bankstown"; 18 | rev = version; 19 | hash = "sha256-IThXEY+mvT2MCw0PSWU/182xbUafd6dtm6hNjieLlKg="; 20 | }; 21 | 22 | cargoSha256 = "sha256-yRzM4tcYc6mweTpLnnlCeKgP00L2wRgHamtUzK9Kstc="; 23 | 24 | installPhase = '' 25 | export LIBDIR=$out/lib 26 | mkdir -p $LIBDIR 27 | 28 | make 29 | make install 30 | ''; 31 | 32 | nativeBuildInputs = [ pkg-config ]; 33 | 34 | buildInputs = [ lv2 ]; 35 | } 36 | -------------------------------------------------------------------------------- /hosts/martha.nix: -------------------------------------------------------------------------------- 1 | { 2 | imports = [ 3 | ../modules/hardware/poweredge-r770.nix 4 | ../modules/nfs/client.nix 5 | ../modules/disko-zfs.nix 6 | ../modules/intel_tdx.nix 7 | 8 | 
../modules/vfio/iommu-intel.nix 9 | ../modules/dpdk.nix 10 | # ../modules/zokelmannvms.nix # ZFS pool import fails currently 11 | ]; 12 | 13 | networking.hostName = "martha"; 14 | 15 | simd.arch = "sierraforest"; 16 | 17 | # Configuration for zokelmannvms module (when enabled) 18 | # services.zokelmannvms.partitionUuid = "8523992b-aa9b-4d77-b23b-4ab0b20f0de4"; 19 | 20 | disko.rootDisk = "/dev/disk/by-id/nvme-SAMSUNG_MZQL23T8HCLS-00A07_S64HNJ0X815781"; 21 | 22 | system.stateVersion = "24.11"; 23 | 24 | boot.hugepages1GB.number = 0; 25 | boot.hugepages2MB.number = 26 | let 27 | gb = 600; 28 | in 29 | gb * 1024 / 2; 30 | } 31 | -------------------------------------------------------------------------------- /pkgs/graphene-sgx-driver/default.nix: -------------------------------------------------------------------------------- 1 | { kernel 2 | , stdenv 3 | , fetchFromGitHub 4 | , python3 5 | , isgx 6 | }: 7 | let 8 | kdir = "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"; 9 | in 10 | stdenv.mkDerivation rec { 11 | name = "graphene-sgx-driver"; 12 | src = fetchFromGitHub { 13 | owner = "oscarlab"; 14 | repo = "graphene-sgx-driver"; 15 | rev = "4386dbeb1260d8743ea3a5fbe4fc5fd61322008c"; 16 | sha256 = "sha256-bhNtYFXQlJjm73n+De3hoT5Svvyb2r1E6KfmdNMV8Es="; 17 | }; 18 | 19 | ISGX_DRIVER_PATH = isgx.src; 20 | 21 | makeFlags = [ 22 | "KDIR=${kdir}" 23 | ]; 24 | 25 | postPatch = '' 26 | patchShebangs . 27 | ''; 28 | 29 | nativeBuildInputs = [ python3 ] ++ kernel.moduleBuildDependencies; 30 | 31 | installPhase = '' 32 | make INSTALL_MOD_PATH=$out -C ${kdir} M=$(pwd) modules_install 33 | ''; 34 | } 35 | -------------------------------------------------------------------------------- /pkgs/install-iso/nix-settings.nix: -------------------------------------------------------------------------------- 1 | # take from srvos 2 | { lib, ... }: 3 | { 4 | # Fallback quickly if substituters are not available. 
5 | nix.settings.connect-timeout = 5; 6 | 7 | # Enable flakes 8 | nix.settings.experimental-features = [ 9 | "nix-command" 10 | "flakes" 11 | ]; 12 | 13 | # The default at 10 is rarely enough. 14 | nix.settings.log-lines = lib.mkDefault 25; 15 | 16 | # Avoid disk full issues 17 | nix.settings.max-free = lib.mkDefault (3000 * 1024 * 1024); 18 | nix.settings.min-free = lib.mkDefault (512 * 1024 * 1024); 19 | 20 | # TODO: cargo culted. 21 | nix.daemonCPUSchedPolicy = lib.mkDefault "batch"; 22 | nix.daemonIOSchedClass = lib.mkDefault "idle"; 23 | nix.daemonIOSchedPriority = lib.mkDefault 7; 24 | 25 | # Avoid copying unnecessary stuff over SSH 26 | nix.settings.builders-use-substitutes = true; 27 | } 28 | -------------------------------------------------------------------------------- /modules/hardware/supermicro-AS-2015CS.nix: -------------------------------------------------------------------------------- 1 | # Do not modify this file! It was generated by ‘nixos-generate-config’ 2 | # and may be overwritten by future invocations. Please make changes 3 | # to /etc/nixos/configuration.nix instead. 4 | { 5 | config, 6 | lib, 7 | modulesPath, 8 | ... 
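}:

{
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
    ../disko-zfs.nix
  ];

  boot.initrd.availableKernelModules = [
    "xhci_pci"
    "nvme"
    "ahci"
    "usbhid"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];

  swapDevices = [ ];

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}
--------------------------------------------------------------------------------
/modules/nvidia-jetson-passthru/bpmp_host_overlay.dts:
--------------------------------------------------------------------------------
/*
 * Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 * SPDX-License-Identifier: CC-BY-SA-4.0
 */

/dts-v1/;
/plugin/;

/* NOTE(review): the #include arguments and the <...> lists on allowed-clocks /
 * allowed-resets are missing from this copy of the file and need to be
 * restored from the original before it is compiled. */
#include
#include

/ {
	overlay-name = "BPMP host proxy 2";
	compatible = "nvidia,tegra234";

	fragment@0 {
		target-path = "/";
		__overlay__ {
			bpmp_host_proxy: bpmp_host_proxy {
				compatible = "nvidia,bpmp-host-proxy";
				allowed-clocks = ;
				allowed-resets = ;
				status = "okay";
			};
		};

	};
};
--------------------------------------------------------------------------------
/modules/sshd/ssh-ca-sign:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Sign a host's ed25519 host key with the cluster SSH CA and store the
# certificate as certs/<first principal>-cert.pub next to this script.
#
#   $1  hostname   first principal; also names the output certificate
#   $2  hosts      comma-separated additional principals (aliases, FQDNs)
#   $3  address    what ssh-keyscan contacts to fetch the host key
#                  (the usage line mentions host.pub, but a pre-existing key
#                  file is not read by this script)
#
# The CA private key is extracted from ca-keys.yml with sops into a private
# temporary directory that is removed on exit.

set -eu -o pipefail

if [[ $# -ne 3 || -z "$1" ]]; then
  echo "USAGE: $0 hostname hosts host.pub|HOST"
  echo "example: $0 host host.i,host.r,host.dos.cit.tum.de HOST"
  exit 1
fi

host=$1
hostnames=$2
ip=$3

# principals written into the certificate: "<host>,<hostnames>"
hosts="$host,$hostnames"

dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
workdir=$(mktemp -d)
# single-quoted so $workdir is expanded when the trap fires and the inner
# quotes do not terminate the trap command early
trap 'rm -rf "$workdir"' EXIT

(
  umask 077
  sops --extract '["ssh-ca"]' -d "$dir/ca-keys.yml" > "$workdir/ssh-ca"
)

cd "$workdir"
pubkey="${ip}.pub"

# ssh-keyscan accepts whatever key answers for $ip (trust on first use), and
# that key then receives a certificate valid for every principal in $hosts.
# The fingerprint is printed so the operator can compare it with the host
# itself (e.g. on the console) before the certificate is deployed.
ssh-keyscan -t ed25519 "$ip" | awk '{print $2, $3}' > "$pubkey"
if [[ ! -s "$pubkey" ]]; then
  echo "error: no ed25519 host key received from $ip" >&2
  exit 1
fi
ssh-keygen -lf "$pubkey" >&2

# NOTE(review): no -V is passed, so the certificate never expires; add a
# validity window once hosts are re-signed on a schedule.
ssh-keygen -h -s "$workdir/ssh-ca" -n "$hosts" -I "$(basename "$pubkey" .pub)" "$pubkey"
# ssh-keygen writes <key>-cert.pub next to the key; file it under the first principal
mv "${ip}-cert.pub" "${dir}/certs/${hosts%%,*}-cert.pub"
--------------------------------------------------------------------------------
/pkgs/kernels/linux-ioregionfd-5.14.nix:
--------------------------------------------------------------------------------
{ buildLinux, fetchFromGitHub, modDirVersionArg ? null, ... }@args:

buildLinux (args // rec {
  version = "5.12.14";
  modDirVersion =
    if (modDirVersionArg == null) then
      builtins.replaceStrings [ "-" ] [ ".0-" ] version
    else
      modDirVersionArg;
  src = fetchFromGitHub {
    owner = "VmuxIO";
    repo = "linux";
    rev = "56b6b3611b3a57940a314673e1c7aecbc07976e1"; # branch peter/5.12.14-v0
    sha256 = "sha256-VKtKBIbUoRGp2xJA7VQvjRGPaTaNP04vrjMXDpmOje8=";
  };

  kernelPatches = [{
    name = "enable-kvm-ioregion";
    patch = null;
    extraConfig = ''
      KVM_IOREGION y
    '';
  }]; # ++ linuxPackages_5_14.kernel.kernelPatches;
  extraMeta.branch = "5.14";
  ignoreConfigErrors = true;
} // (args.argsOverride or { }))
--------------------------------------------------------------------------------
/hosts/irene.nix:
--------------------------------------------------------------------------------
{ pkgs, lib, ...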
}: 2 | { 3 | imports = [ 4 | ../modules/ipmi-supermicro.nix 5 | ../modules/hardware/supermicro-AS-2015CS.nix 6 | ../modules/nfs/client.nix 7 | ../modules/vfio/iommu-amd.nix 8 | ../modules/dpdk.nix 9 | ../modules/elasticsearch.nix 10 | ../modules/amd_sev_snp-vanilla.nix 11 | ]; 12 | 13 | networking.hostName = "irene"; 14 | # Use the Samsung SSD for the system 15 | disko.rootDisk = "/dev/disk/by-id/nvme-SAMSUNG_MZQL23T8HCLS-00A07_S64HNE0T804198"; 16 | # Use the PCI 5.0 SSD for the experiments. This lines binds it automatically to vfio 17 | #virtualisation.vfio.devices = [ "1e0f:0013" ]; 18 | boot.kernel.sysctl = { 19 | "vm.overcommit_memory" = 1; 20 | }; 21 | powerManagement.cpuFreqGovernor = "performance"; 22 | 23 | system.stateVersion = "22.11"; 24 | simd.arch = "znver4"; 25 | services.envfs.enable = true; 26 | } 27 | -------------------------------------------------------------------------------- /modules/hardware/poweredge-r760.nix: -------------------------------------------------------------------------------- 1 | # Do not modify this file! It was generated by ‘nixos-generate-config’ 2 | # and may be overwritten by future invocations. Please make changes 3 | # to /etc/nixos/configuration.nix instead. 4 | { 5 | config, 6 | lib, 7 | pkgs, 8 | modulesPath, 9 | ... 
10 | }: 11 | 12 | { 13 | imports = [ 14 | (modulesPath + "/installer/scan/not-detected.nix") 15 | ../disko-zfs.nix 16 | ]; 17 | 18 | boot.initrd.availableKernelModules = [ 19 | "xhci_pci" 20 | "ahci" 21 | "mpi3mr" 22 | "nvme" 23 | "usbhid" 24 | ]; 25 | boot.initrd.kernelModules = [ ]; 26 | boot.kernelModules = [ "kvm-intel" ]; 27 | boot.extraModulePackages = [ ]; 28 | 29 | swapDevices = [ ]; 30 | 31 | nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; 32 | hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; 33 | } 34 | -------------------------------------------------------------------------------- /modules/hardware/poweredge-r770.nix: -------------------------------------------------------------------------------- 1 | # Do not modify this file! It was generated by ‘nixos-generate-config’ 2 | # and may be overwritten by future invocations. Please make changes 3 | # to /etc/nixos/configuration.nix instead. 4 | { 5 | config, 6 | lib, 7 | pkgs, 8 | modulesPath, 9 | ... 
10 | }: 11 | 12 | { 13 | imports = [ 14 | (modulesPath + "/installer/scan/not-detected.nix") 15 | ../disko-zfs.nix 16 | ]; 17 | 18 | boot.initrd.availableKernelModules = [ 19 | "xhci_pci" 20 | "ahci" 21 | "mpi3mr" 22 | "nvme" 23 | "usbhid" 24 | ]; 25 | boot.initrd.kernelModules = [ ]; 26 | boot.kernelModules = [ "kvm-intel" ]; 27 | boot.extraModulePackages = [ ]; 28 | 29 | swapDevices = [ ]; 30 | 31 | nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; 32 | hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; 33 | } 34 | -------------------------------------------------------------------------------- /modules/jumphost/sshd_config: -------------------------------------------------------------------------------- 1 | # This section is maintained by: https://github.com/TUM-DSE/doctor-cluster-config/tree/master/modules/jumphost 2 | 3 | AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys2 /etc/ssh/authorized_keys.d/%u 4 | 5 | # see https://github.com/TUM-DSE/doctor-cluster-config/blob/master/modules/sshd/certs/login-cert.pub 6 | HostCertificate /etc/ssh/login-cert.pub 7 | 8 | # Increase number of connections for deployment scripts 9 | MaxStartups 64:30:256 10 | 11 | Match User tunnel 12 | AllowTcpForwarding yes 13 | X11Forwarding no 14 | AllowAgentForwarding no 15 | PermitTunnel no 16 | PermitTTY no 17 | PasswordAuthentication no 18 | 19 | Match User deploy 20 | ForceCommand sudo /usr/local/bin/update-tunnel-keys 21 | PasswordAuthentication no 22 | PermitTunnel no 23 | AllowAgentForwarding no 24 | AllowTcpForwarding no 25 | X11Forwarding no 26 | 27 | -------------------------------------------------------------------------------- /modules/coyote.nix: -------------------------------------------------------------------------------- 1 | { 2 | pkgs, 3 | config, 4 | self, 5 | lib, 6 | ... 
7 | }: 8 | let 9 | packages = self.packages.${pkgs.system}; 10 | xrt-drivers = packages.xrt-drivers.override { inherit (config.boot.kernelPackages) kernel; }; 11 | in 12 | { 13 | options = { 14 | hardware.xilinx.xrt-drivers.enable = lib.mkEnableOption "Propritary kernel drivers for flashing firmware"; 15 | }; 16 | 17 | config = { 18 | environment.systemPackages = [ 19 | (packages.coyote-env.override { 20 | xilinxName = "coyote-shell"; 21 | runScript = "bash"; 22 | }) 23 | packages.xntools-core 24 | ]; 25 | 26 | services.udev.packages = [ packages.xilinx-cable-drivers ]; 27 | 28 | # 6.0+ kernel 29 | boot.extraModulePackages = lib.optional (config.hardware.xilinx.xrt-drivers.enable) xrt-drivers; 30 | 31 | # hardware.graphics.extraPackages = [ packages.xrt ]; 32 | }; 33 | } 34 | -------------------------------------------------------------------------------- /devShells/flake-module.nix: -------------------------------------------------------------------------------- 1 | { 2 | perSystem = { inputs', self', pkgs, system, ... 
}: { 3 | devShells.default = pkgs.mkShellNoCC { 4 | buildInputs = [ 5 | pkgs.ipmitool 6 | 7 | pkgs.nixos-rebuild 8 | pkgs.python3.pkgs.invoke 9 | pkgs.nixos-anywhere 10 | pkgs.python3.pkgs.deploykit 11 | pkgs.mypy 12 | pkgs.dnsmasq 13 | pkgs.python3.pkgs.netaddr 14 | pkgs.openssh 15 | pkgs.gitMinimal # for git flakes 16 | pkgs.rsync 17 | pkgs.nixVersions.latest 18 | pkgs.coreutils 19 | pkgs.curl # when uploading tarballs 20 | pkgs.gnugrep 21 | pkgs.findutils 22 | pkgs.gnused # needed by ssh-copy-id 23 | # sops dependencies 24 | pkgs.age 25 | pkgs.sops 26 | pkgs.yq-go 27 | pkgs.cpio 28 | ] ++ pkgs.lib.optional (pkgs.stdenv.isLinux) pkgs.mkpasswd; 29 | }; 30 | }; 31 | } 32 | -------------------------------------------------------------------------------- /hosts/dan.nix: -------------------------------------------------------------------------------- 1 | { 2 | imports = [ 3 | ../modules/k3s/agent.nix 4 | ../modules/hardware/poweredge-r440.nix 5 | ../modules/disko-zfs.nix 6 | ../modules/disko-nfs-storage.nix 7 | ../modules/nfs/server-backup.nix 8 | ]; 9 | disko.rootDisk = "/dev/disk/by-id/nvme-Dell_Ent_NVMe_P5600_MU_U.2_1.6TB_PHAB1234003F1P9SGN"; 10 | # TODO: migrate to native mountpoints 11 | disko.zfs.legacyMounts.enable = true; 12 | 13 | disko.devices.disk.nfs-home.device = "/dev/disk/by-id/nvme-SAMSUNG_MZQL23T8HCLS-00A07_S64HNT0X115372"; 14 | disko.devices.disk.nfs-data-disk1.device = "/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X300221P"; 15 | disko.devices.disk.nfs-data-disk2.device = "/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNF0WC05521Z"; 16 | services.nfs-server.interface = "enp94s0f0np0"; 17 | 18 | networking.hostName = "dan"; 19 | 20 | simd.arch = "cascadelake"; 21 | 22 | system.stateVersion = "21.11"; 23 | } 24 | -------------------------------------------------------------------------------- /modules/hardware/poweredge7625.nix: -------------------------------------------------------------------------------- 1 | # Do not modify this file! 
It was generated by ‘nixos-generate-config’ 2 | # and may be overwritten by future invocations. Please make changes 3 | # to /etc/nixos/configuration.nix instead. 4 | { 5 | config, 6 | lib, 7 | pkgs, 8 | modulesPath, 9 | ... 10 | }: 11 | 12 | { 13 | imports = [ 14 | (modulesPath + "/installer/scan/not-detected.nix") 15 | ../disko-zfs.nix 16 | ]; 17 | 18 | boot.initrd.availableKernelModules = [ 19 | "xhci_pci" 20 | "megaraid_sas" 21 | "ahci" 22 | "usbhid" 23 | "usb_storage" 24 | "sd_mod" 25 | "nvme" 26 | ]; 27 | boot.initrd.kernelModules = [ ]; 28 | boot.kernelModules = [ "kvm-amd" ]; 29 | boot.extraModulePackages = [ ]; 30 | 31 | swapDevices = [ ]; 32 | 33 | # nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; 34 | hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; 35 | } 36 | -------------------------------------------------------------------------------- /hosts/ruby.nix: -------------------------------------------------------------------------------- 1 | # Edit this configuration file to define what should be installed on 2 | # your system. Help is available in the configuration.nix(5) man page 3 | # and in the NixOS manual (accessible by running ‘nixos-help’). 4 | 5 | { 6 | pkgs, 7 | modulesPath, 8 | lib, 9 | ... 10 | }: 11 | 12 | { 13 | # Include the results of the hardware scan. 
14 | imports = [ 15 | ../modules/nfs/client.nix 16 | ../modules/riscv-unleashed 17 | # less libraries to cross compile 18 | "${modulesPath}/profiles/minimal.nix" 19 | ]; 20 | 21 | networking.hostName = "ruby"; 22 | networking.useDHCP = false; 23 | networking.interfaces.eth0.useDHCP = true; 24 | 25 | # we cross-compile so we cannot auto upgrade 26 | system.autoUpgrade.enable = false; 27 | 28 | environment.systemPackages = with pkgs; [ 29 | vim 30 | lm_sensors 31 | ]; 32 | 33 | services.openssh.enable = true; 34 | 35 | system.stateVersion = "22.05"; 36 | } 37 | -------------------------------------------------------------------------------- /modules/amd_sev_snp-vanilla.nix: -------------------------------------------------------------------------------- 1 | { pkgs, lib, ... }: 2 | { 3 | # Use 6.16 (or newer) kernel 4 | boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; 5 | boot.zfs.package = pkgs.zfsUnstable; # needed for 6.9 6 | 7 | boot.kernelPatches = [ 8 | { 9 | name = "amd_sme-config"; 10 | patch = null; 11 | extraConfig = '' 12 | AMD_MEM_ENCRYPT y 13 | CRYPTO_DEV_CCP y 14 | CRYPTO_DEV_CCP_DD m 15 | CRYPTO_DEV_SP_PSP y 16 | KVM_AMD_SEV y 17 | VFIO_DEVICE_CDEV y 18 | ''; 19 | } 20 | ]; 21 | 22 | boot.kernelParams = [ 23 | #"mem_encrypt=on" 24 | "kvm_amd.sev=1" 25 | "kvm_amd.sev_es=1" 26 | "kvm_amd.sev_snp=1" 27 | #"kvm.mmio_caching=on" 28 | "sp5100_tco.blacklist=yes" 29 | 30 | # this parameter exists on 6.9- 31 | "kvm.gmem_2m_enabled=1" 32 | ]; 33 | 34 | # enable libvirtd service 35 | virtualisation.libvirtd.enable = true; 36 | } 37 | -------------------------------------------------------------------------------- /modules/users/devices.nix: -------------------------------------------------------------------------------- 1 | let 2 | pixel8Keys = [ 3 | "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOPHHU+BO8E/+Mn98QFbkbz9mYm5wNUTBYGOO8EMGg7o pixel8" 4 | ]; 5 | in 6 | { 7 | # Please use a uid in the range between 5000-6000 8 | # You can set 
`users.users.<name>.allowedHosts` to restrict access to certain machines. 9 | users.users = { 10 | # Pixel 8 connects to graham and sets up port forwarding to allow remote access. 11 | # The account cannot log in, just connect and set up port forwarding. This is configured in `hosts/graham.nix` 12 | pixel8 = { 13 | isNormalUser = true; 14 | shell = "/run/current-system/sw/bin/bash"; 15 | uid = 5000; 16 | allowedHosts = [ "graham" ]; 17 | openssh.authorizedKeys.keys = pixel8Keys; 18 | }; 19 | }; 20 | 21 | # DANGER ZONE! 22 | # Make sure all data is backed up before adding user names here. This will 23 | # delete all data of the associated user 24 | users.deletedUsers = [ ]; 25 | } 26 | -------------------------------------------------------------------------------- /pkgs/xilinx/firmware.nix: -------------------------------------------------------------------------------- 1 | { stdenv, fetchurl, dpkg }: 2 | # probably needs an update https://packages.xilinx.com/ui/native/debian-packages/pool/ 3 | stdenv.mkDerivation rec { 4 | pname = "xilinx-firmware"; 5 | version = "201920_3-3"; 6 | src = fetchurl { 7 | url = "https://www.xilinx.com/bin/public/openDownload?filename=xilinx-u50-gen3x16-xdma-${version}_all.deb.tar.gz"; 8 | sha256 = "sha256-yYl6/p7/mCJInlKyyn3DnHqX1qG3ar+Zk/GbpvWntAs="; 9 | }; 10 | nativeBuildInputs = [ dpkg ]; 11 | dontUnpack = true; 12 | installPhase = '' 13 | tar -vxf ${src} 14 | for p in *.deb; do 15 | dpkg-deb -x $p root 16 | done 17 | 18 | mkdir -p control $out/share/xilinx-firmware 19 | pushd control 20 | for p in ../*.deb; do 21 | name=$(basename "$p" .deb) 22 | dpkg-deb -e $p "$name" 23 | mv $name/postinst $out/share/xilinx-firmware/$name 24 | done 25 | popd 26 | 27 | cp -r root/{opt,lib} $out 28 | ''; 29 | } 30 | 31 | -------------------------------------------------------------------------------- /hosts/mickey.nix: -------------------------------------------------------------------------------- 1 | { 2 | imports = [ 3 | ../modules/k3s/agent.nix 4 | 
../modules/hardware/poweredge-r440.nix 5 | ../modules/disko-zfs.nix 6 | ../modules/disko-nfs-storage.nix 7 | ../modules/nfs/server.nix 8 | ]; 9 | 10 | disko.rootDisk = "/dev/disk/by-id/nvme-Dell_Ent_NVMe_P5600_MU_U.2_1.6TB_PHAB1233010E1P9SGN"; 11 | 12 | disko.devices.disk.nfs-home.device = "/dev/disk/by-id/nvme-SAMSUNG_MZQL23T8HCLS-00A07_S64HNT0X115369"; 13 | disko.devices.disk.nfs-data-disk1.device = "/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X300228R"; 14 | disko.devices.disk.nfs-data-disk2.device = "/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X300181Y"; 15 | 16 | services.nfs-server.interface = "enp94s0f0np0"; 17 | services.nfs-server.backupPublickey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOpFka8+cr1lvC0bzMqdqP1RRIvnD+nb3Mog56hGGkB5"; # dan 18 | 19 | networking.hostName = "mickey"; 20 | 21 | simd.arch = "cascadelake"; 22 | 23 | system.stateVersion = "21.11"; 24 | } 25 | -------------------------------------------------------------------------------- /modules/nvidia.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... 
}: 2 | { 3 | 4 | hardware.graphics = { 5 | enable = true; 6 | } 7 | // lib.optionalAttrs(pkgs.stdenv.hostPlatform.isx86_64) { 8 | enable32Bit = true; 9 | }; 10 | 11 | # Switching from datacenter driver to production driver for kernel 6.15 compatibility 12 | # The production driver (570.153.02) includes patches for kernel 6.15 support 13 | # while dc_565 (565.57.01) does not support kernels newer than 6.13 14 | hardware.nvidia.datacenter.enable = false; 15 | hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.production; 16 | hardware.nvidia.open = true; # Required for driver versions >= 560 17 | systemd.services.nvidia-fabricmanager.enable = lib.mkForce false; 18 | 19 | # Add nvidia to videoDrivers to satisfy nvidia-container-toolkit assertion 20 | services.xserver.videoDrivers = [ "nvidia" ]; 21 | 22 | virtualisation.docker.enable = true; 23 | hardware.nvidia-container-toolkit.enable = true; 24 | } 25 | -------------------------------------------------------------------------------- /modules/apple-silicon-support/packages/asahi-fwextract/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | lib, 3 | python3, 4 | fetchFromGitHub, 5 | gzip, 6 | gnutar, 7 | lzfse, 8 | }: 9 | 10 | python3.pkgs.buildPythonApplication rec { 11 | pname = "asahi-fwextract"; 12 | version = "0.7.8"; 13 | 14 | # tracking version: https://packages.fedoraproject.org/pkgs/asahi-installer/python3-asahi_firmware/ 15 | src = fetchFromGitHub { 16 | owner = "AsahiLinux"; 17 | repo = "asahi-installer"; 18 | rev = "v${version}"; 19 | hash = "sha256-UmgHWKIRbcg9PK44YPPM4tyuEDC0+ANKO3Mzc4N9RHo="; 20 | }; 21 | 22 | postPatch = '' 23 | substituteInPlace asahi_firmware/img4.py \ 24 | --replace 'liblzfse.so' '${lzfse}/lib/liblzfse.so' 25 | substituteInPlace asahi_firmware/update.py \ 26 | --replace '"tar"' '"${gnutar}/bin/tar"' \ 27 | --replace '"xf"' '"-x", "-I", "${gzip}/bin/gzip", "-f"' 28 | ''; 29 | 30 | nativeBuildInputs = [ 
python3.pkgs.setuptools ]; 31 | 32 | doCheck = false; 33 | } 34 | -------------------------------------------------------------------------------- /modules/apple-silicon-support/packages/asahi-audio/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | stdenv, 3 | lib, 4 | fetchFromGitHub, 5 | }: 6 | 7 | stdenv.mkDerivation rec { 8 | pname = "asahi-audio"; 9 | # tracking: https://src.fedoraproject.org/rpms/asahi-audio 10 | version = "2.5"; 11 | 12 | src = fetchFromGitHub { 13 | owner = "AsahiLinux"; 14 | repo = "asahi-audio"; 15 | rev = "v${version}"; 16 | hash = "sha256-u+Ef2vA/EQ3b5wsCNPOGEPUk/Vah0mS71gDVhCLBq+g="; 17 | }; 18 | 19 | preBuild = '' 20 | export PREFIX=$out 21 | 22 | readarray -t configs < <(\ 23 | find . \ 24 | -name '*.conf' -or \ 25 | -name '*.json' -or \ 26 | -name '*.lua' 27 | ) 28 | 29 | substituteInPlace "''${configs[@]}" --replace \ 30 | "/usr/share/asahi-audio" \ 31 | "$out/asahi-audio" 32 | ''; 33 | 34 | postInstall = '' 35 | # no need to link the asahi-audio dir globally 36 | mv $out/share/asahi-audio $out 37 | ''; 38 | } 39 | -------------------------------------------------------------------------------- /modules/netboot/netboot.nix: -------------------------------------------------------------------------------- 1 | { 2 | pkgs, 3 | nixosSystem, 4 | extraModules ? [ ], 5 | }: 6 | let 7 | bootSystem = nixosSystem { 8 | system = pkgs.system; 9 | modules = [ 10 | ./base-config.nix 11 | ./zfs.nix 12 | ( 13 | { modulesPath, ... 
}: 14 | { 15 | imports = [ (modulesPath + "/installer/netboot/netboot-minimal.nix") ] ++ extraModules; 16 | 17 | # IPMI SOL console redirection stuff 18 | boot.kernelParams = [ 19 | "console=ttyS0,115200n8" 20 | "console=ttyAMA0,115200n8" 21 | "console=tty0" 22 | ]; 23 | } 24 | ) 25 | ]; 26 | }; 27 | in 28 | pkgs.symlinkJoin { 29 | name = "netboot"; 30 | paths = with bootSystem.config.system.build; [ 31 | netbootRamdisk 32 | kernel 33 | netbootIpxeScript 34 | ]; 35 | preferLocalBuild = true; 36 | } 37 | # nix build -o /tmp/pixiecore '.#netboot' 38 | # n=$(realpath /tmp/netboot) 39 | # init=$(grep -ohP 'init=\S+' $n/netboot.ipxe) 40 | -------------------------------------------------------------------------------- /modules/xilinx.nix: -------------------------------------------------------------------------------- 1 | { 2 | pkgs, 3 | config, 4 | self, 5 | lib, 6 | ... 7 | }: 8 | let 9 | packages = self.packages.${pkgs.system}; 10 | xrt-drivers = packages.xrt-drivers.override { inherit (config.boot.kernelPackages) kernel; }; 11 | in 12 | { 13 | options = { 14 | hardware.xilinx.xrt-drivers.enable = lib.mkEnableOption "Propritary kernel drivers for flashing firmware"; 15 | }; 16 | 17 | config = { 18 | environment.systemPackages = [ 19 | (packages.xilinx-env.override { 20 | xilinxName = "xilinx-shell"; 21 | runScript = "bash"; 22 | }) 23 | (packages.xilinx-env.override { 24 | xilinxName = "vitis"; 25 | runScript = "vitis"; 26 | }) 27 | packages.xntools-core 28 | ]; 29 | 30 | services.udev.packages = [ packages.xilinx-cable-drivers ]; 31 | 32 | # 6.0+ kernel 33 | boot.extraModulePackages = lib.optional (config.hardware.xilinx.xrt-drivers.enable) xrt-drivers; 34 | 35 | # hardware.graphics.extraPackages = [ packages.xrt ]; 36 | }; 37 | } 38 | -------------------------------------------------------------------------------- /hosts/nardole.nix: -------------------------------------------------------------------------------- 1 | { 2 | imports = [ 3 | ../modules/bonding.nix 4 | 
../modules/ipmi-supermicro.nix 5 | ../modules/hardware/supermicro-X12SCZ-TLN4F.nix 6 | # TODO: nardole needs to be re-installed with disko, if this machine is revived. 7 | ../modules/disko-zfs.nix 8 | ]; 9 | 10 | networking.hostName = "nardole"; 11 | 12 | # unused 1Gbit/s port, messes up k3s networking 13 | systemd.network.networks."05-unmanaged".extraConfig = '' 14 | [Match] 15 | MACAddress = b0:3a:f2:b6:05:9f 3c:ec:ef:2c:f5:14 3c:ec:ef:2c:f5:15 16 | 17 | [Link] 18 | ActivationPolicy = down 19 | ''; 20 | 21 | programs.ssh.knownHosts = { 22 | bill.hostNames = [ 23 | "nfs" 24 | "nfs-backup" 25 | ]; 26 | bill.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGurhMZktK5kPgxj8GVPEhjH5aa/ZXrG/FjXnWOIjNrS"; 27 | }; 28 | 29 | networking.doctowho.bonding.macs = [ 30 | "b8:ce:f6:0b:ee:74" 31 | "b8:ce:f6:0b:ee:75" 32 | ]; 33 | 34 | simd.arch = "skylake"; 35 | 36 | system.stateVersion = "20.09"; 37 | } 38 | -------------------------------------------------------------------------------- /docs/get-lldp-neighbors.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | hostname=$(echo "$1" | cut -d"." -f"1") 4 | report="$hostname" 5 | 6 | lldp=$(ssh "$1" -- networkctl lldp --full --no-pager --no-legend) 7 | 8 | while read -r NEIGHBOR; do 9 | INTERFACE=$(echo $NEIGHBOR | cut -d ' ' -f1) 10 | NEIGHBOR_CHASSIS_ID=$(echo $NEIGHBOR | cut -d ' ' -f2) 11 | NEIGHBOR_NAME=$(echo $NEIGHBOR | cut -d ' ' -f3) 12 | LINK_SPEED=$(ssh "$1" -- cat /sys/class/net/"$INTERFACE"/speed < /dev/null) 13 | 14 | # search for chassis id 15 | NEIGHBOR_INTERFACE=$(grep -d skip -E "IF: [[:alnum:]:[:space:]]* mac: $NEIGHBOR_CHASSIS_ID" ../*) 16 | 17 | # replace chassis id and neighbor name if mac address is known 18 | if [ -n "$NEIGHBOR_INTERFACE" ]; then 19 | NEIGHBOR_NAME=$(echo $NEIGHBOR_INTERFACE | cut -d '/' -f2 | cut -d '.' 
-f1) 20 | NEIGHBOR_CHASSIS_ID=$(echo $NEIGHBOR_INTERFACE | awk '{print $3}') 21 | fi 22 | 23 | echo "$INTERFACE ${LINK_SPEED::-3}G $NEIGHBOR_CHASSIS_ID $NEIGHBOR_NAME" 24 | done <<< "${lldp}" > "$report" 25 | 26 | echo "wrote $report" >&2 27 | -------------------------------------------------------------------------------- /modules/hardware/supermicro-120U-TNR.nix: -------------------------------------------------------------------------------- 1 | # Do not modify this file! It was generated by ‘nixos-generate-config’ 2 | # and may be overwritten by future invocations. Please make changes 3 | # to /etc/nixos/configuration.nix instead. 4 | { 5 | config, 6 | lib, 7 | modulesPath, 8 | ... 9 | }: 10 | 11 | { 12 | imports = [ 13 | (modulesPath + "/installer/scan/not-detected.nix") 14 | ../ipmi-supermicro.nix 15 | ]; 16 | 17 | boot.initrd.availableKernelModules = [ 18 | "ahci" 19 | "xhci_pci" 20 | "usbhid" 21 | "sd_mod" 22 | ]; 23 | boot.initrd.kernelModules = [ ]; 24 | boot.kernelModules = [ "kvm-intel" ]; 25 | boot.extraModulePackages = [ ]; 26 | 27 | fileSystems."/" = { 28 | device = "zroot/root/nixos"; 29 | fsType = "zfs"; 30 | }; 31 | 32 | fileSystems."/boot" = { 33 | device = "/dev/disk/by-label/NIXOS_BOOT"; 34 | fsType = "vfat"; 35 | options = [ "nofail" ]; 36 | }; 37 | 38 | swapDevices = [ ]; 39 | 40 | hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; 41 | } 42 | -------------------------------------------------------------------------------- /modules/nvidia-jetson-passthru/patches/0002-vfio_platform-reset-required-false.patch: -------------------------------------------------------------------------------- 1 | From 03c7ecfd16e46838ab70c43a18990ef3dd35d08c Mon Sep 17 00:00:00 2001 2 | 
From: Juan Pablo Ruiz 3 | Date: Thu, 4 May 2023 12:19:37 +0400 4 | Subject: [PATCH 2/3] vfio_platform: reset required false 5 | 6 | --- 7 | drivers/vfio/platform/vfio_platform.c | 2 +- 8 | 1 file changed, 1 insertion(+), 1 deletion(-) 9 | 10 | diff --git a/drivers/vfio/platform/vfio_platform.c b/drivers/vfio/platform/vfio_platform.c 11 | index 1e2769010089..3eabe37f400d 100644 12 | --- a/drivers/vfio/platform/vfio_platform.c 13 | +++ b/drivers/vfio/platform/vfio_platform.c 14 | 
@@ -15,7 +15,7 @@ 15 | #define DRIVER_AUTHOR "Antonios Motakis " 16 | #define DRIVER_DESC "VFIO for platform devices - User Level meta-driver" 17 | 18 | -static bool reset_required = true; 19 | +static bool reset_required = false; 20 | module_param(reset_required, bool, 0444); 21 | MODULE_PARM_DESC(reset_required, "override reset requirement (default: 1)"); 22 | 23 | -- 24 | 2.25.1 25 | -------------------------------------------------------------------------------- /home/.config/nixpkgs/home.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | pkgs, 4 | ... 5 | }: { 6 | # Home Manager needs a bit of information about you and the 7 | # paths it should manage. 8 | home.username = "username"; 9 | home.homeDirectory = "/home/username"; 10 | 11 | # This value determines the Home Manager release that your 12 | # configuration is compatible with. This helps avoid breakage 13 | # when a new Home Manager release introduces backwards 14 | # incompatible changes. 15 | # 16 | # You can update Home Manager without changing this value. See 17 | # the Home Manager release notes for a list of state version 18 | # changes in each release. 19 | home.stateVersion = "21.11"; 20 | 21 | # Let Home Manager install and manage itself. 
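Review bot: The parameter description on the line after the change still advertises the old default, `MODULE_PARM_DESC(reset_required, "override reset requirement (default: 1)");`, so `modinfo` will keep reporting 1 while the module now defaults to 0; update it to `(default: 0)` in the same patch. Defaulting reset_required to false means a platform device is handed to a guest, and later back to the host, without the driver-enforced reset, so whatever state the previous owner left in the device survives the handoff; a comment above the define saying which passed-through devices this is for (presumably ones without a reset handler) and why skipping the reset is acceptable there would make the trade-off auditable. Since this is already a module parameter, the same effect is available without carrying a kernel patch by setting `vfio_platform.reset_required=0` on the kernel command line, which leaves the upstream default in place for every other device.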
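22 | programs.home-manager.enable = true; 23 | 24 | # For the VS code 25 | # https://github.com/msteen/nixos-vscode-server#home-manager 26 | imports = [ 27 | "${fetchTarball "https://github.com/msteen/nixos-vscode-server/tarball/master"}/modules/vscode-server/home.nix" 28 | ]; 29 | 30 | services.vscode-server.enable = true; 31 | } 32 | -------------------------------------------------------------------------------- /modules/apple-silicon-support/packages/speakersafetyd/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | rustPlatform, 3 | stdenv, 4 | rust, 5 | fetchCrate, 6 | pkg-config, 7 | alsa-lib, 8 | }: 9 | 10 | rustPlatform.buildRustPackage rec { 11 | pname = "speakersafetyd"; 12 | # tracking: https://src.fedoraproject.org/rpms/rust-speakersafetyd 13 | version = "0.1.9"; 14 | 15 | nativeBuildInputs = [ pkg-config ]; 16 | buildInputs = [ alsa-lib ]; 17 | 18 | src = fetchCrate { 19 | inherit pname version; 20 | hash = "sha256-I1fL1U4vqKxPS1t6vujMTdi/JAAOCcPkvUqv6FqkId4="; 21 | }; 22 | cargoHash = "sha256-Adwct+qFhUsOIao8XqNK2zcn13DBlQNA+X4aRFeIAXM="; 23 | 24 | postPatch = '' 25 | substituteInPlace speakersafetyd.service --replace "/usr" "$out" 26 | substituteInPlace Makefile --replace "target/release" "target/${rust.lib.toRustTargetSpec stdenv.hostPlatform}/$cargoBuildType" 27 | ''; 28 | 29 | installFlags = [ 30 | "DESTDIR=${placeholder "out"}" 31 | "BINDIR=/bin" 32 | "SHAREDIR=/share" 33 | "TMPFILESDIR=/lib/tmpfiles.d" 34 | ]; 35 | 36 | dontCargoInstall = true; 37 | } 38 | -------------------------------------------------------------------------------- /pkgs/kata-runtime/kata-runtimes.nix: --------------------------------------------------------------------------------
# Wrapper package: one containerd-shim-kata-v2 entry point per hypervisor
# configuration (firecracker, qemu, SEV-SNP qemu).  Each wrapper only fixes
# KATA_CONF_FILE and hands control to the real shim from `kata-runtime`.
{ stdenv, lib, kata-runtime, autoPatchelfHook }:
let version = "3.23.0";
in stdenv.mkDerivation rec {
  pname = "kata-runtimes";
  inherit version;

  dontUnpack = true;

  nativeBuildInputs = [ autoPatchelfHook ];

  buildInputs = [ ];

  # The wrapper `exec`s the shim so no extra bash process sits between
  # containerd and the shim, and it forwards the arguments as "$@" (quoted):
  # the previous unquoted $@ would word-split and glob-expand any argument
  # containing whitespace or shell metacharacters before the shim saw it.
  buildPhase = ''
    mkdir bin
    for hv in fc qemu snp; do
      printf '#!/usr/bin/env bash\nKATA_CONF_FILE=/etc/kata-containers/configuration-%s.toml exec %s/bin/containerd-shim-kata-v2 "$@"\n' \
        "$hv" "${kata-runtime}" > "bin/containerd-shim-kata-$hv-v2"
    done
    chmod +x bin/*
  '';

  installPhase = ''
    runHook preInstall
    mkdir -p $out/bin
    cp -r bin/* $out/bin/
    runHook postInstall
  '';

}
-------------------------------------------------------------------------------- /modules/hardware/supermicro-x12spw-tf.nix: -------------------------------------------------------------------------------- 1 | # Do not modify this file! It was generated by ‘nixos-generate-config’ 2 | # and may be overwritten by future invocations. Please make changes 3 | # to /etc/nixos/configuration.nix instead. 4 | { 5 | config, 6 | lib, 7 | modulesPath, 8 | ... 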
9 | }: 10 | 11 | { 12 | imports = [ 13 | (modulesPath + "/installer/scan/not-detected.nix") 14 | ../ipmi-supermicro.nix 15 | ]; 16 | 17 | boot.initrd.availableKernelModules = [ 18 | "ahci" 19 | "xhci_pci" 20 | "megaraid_sas" 21 | "usbhid" 22 | "sd_mod" 23 | ]; 24 | boot.initrd.kernelModules = [ ]; 25 | boot.kernelModules = [ "kvm-intel" ]; 26 | boot.extraModulePackages = [ ]; 27 | 28 | fileSystems."/" = { 29 | device = "zroot/root/nixos"; 30 | fsType = "zfs"; 31 | }; 32 | 33 | fileSystems."/boot" = { 34 | device = "/dev/disk/by-label/NIXOS_BOOT"; 35 | fsType = "vfat"; 36 | options = [ "nofail" ]; 37 | }; 38 | 39 | swapDevices = [ ]; 40 | 41 | hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; 42 | } 43 | -------------------------------------------------------------------------------- /hosts/clara.nix: -------------------------------------------------------------------------------- 1 | { 2 | imports = [ 3 | ../modules/ipmi-supermicro.nix 4 | ../modules/hardware/supermicro-AS-4124GS.nix 5 | ../modules/disko-zfs.nix 6 | ../modules/nfs/client.nix 7 | ../modules/dpdk.nix 8 | 9 | ../modules/amd_sev_snp.nix 10 | ../modules/xilinx.nix 11 | ../modules/xrdp.nix 12 | ]; 13 | 14 | networking.hostName = "clara"; 15 | 16 | # for some reason the disk naming/usage of /dev/nvme{0,1}n1 is 17 | # inconsistent on this server compared to others. Lets now be 18 | # super explicit, in case this is due to inconsistent device 19 | # naming by kernels. 
20 | disko.rootDisk = "/dev/disk/by-id/nvme-SAMSUNG_MZQL21T9HCJR-00A07_S64GNA0T724988"; 21 | 22 | boot.hugepages1GB.number = 8; 23 | 24 | simd.arch = "znver3"; 25 | system.stateVersion = "22.11"; 26 | 27 | networking.doctor-bridge.enable = true; 28 | 29 | # manually added to load xilinx from 30 | fileSystems."/share" = { 31 | device = "nfs:/export/share"; 32 | fsType = "nfs4"; 33 | options = [ 34 | "nofail" 35 | "ro" 36 | "timeo=14" 37 | ]; 38 | }; 39 | } 40 | -------------------------------------------------------------------------------- /modules/auto-upgrade.nix: -------------------------------------------------------------------------------- 1 | { pkgs, lib, ... }: 2 | { 3 | system.autoUpgrade.enable = lib.mkDefault true; 4 | system.autoUpgrade.flake = "github:TUM-DSE/doctor-cluster-config"; 5 | system.autoUpgrade.flags = [ 6 | "--option" 7 | "accept-flake-config" 8 | "true" 9 | ]; 10 | 11 | # add a random jitter so not all machines reboot at the same time. 12 | systemd.timers.auto-reboot.timerConfig.RandomizedDelaySec = 60 * 20; 13 | 14 | systemd.services.auto-reboot = { 15 | path = [ 16 | pkgs.systemd 17 | pkgs.util-linux 18 | ]; 19 | # The last saturday in a month 20 | startAt = "Sat *-*~07/1"; 21 | script = '' 22 | booted="$(readlink /run/booted-system/{initrd,kernel,kernel-modules})" 23 | built="$(readlink /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})" 24 | if [ "''${booted}" = "''${built}" ]; then 25 | echo "No kernel update... skipping reboot" 26 | else 27 | # reboot in 24 hours 28 | msg=$(shutdown -r +${toString (60 * 24)} 2>&1) 29 | echo "$msg" | wall 30 | fi 31 | ''; 32 | }; 33 | } 34 | -------------------------------------------------------------------------------- /modules/hardware/macmini-m1.nix: -------------------------------------------------------------------------------- 1 | # Do not modify this file! It was generated by ‘nixos-generate-config’ 2 | # and may be overwritten by future invocations. 
Please make changes 3 | # to /etc/nixos/configuration.nix instead. 4 | { lib, modulesPath, ... }: 5 | 6 | { 7 | imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; 8 | 9 | boot.initrd.availableKernelModules = [ 10 | "xhci_pci" 11 | "usbhid" 12 | "usb_storage" 13 | ]; 14 | boot.initrd.kernelModules = [ ]; 15 | boot.kernelModules = [ ]; 16 | boot.extraModulePackages = [ ]; 17 | 18 | fileSystems."/" = { 19 | device = "zroot/root/nixos"; 20 | fsType = "zfs"; 21 | }; 22 | 23 | fileSystems."/boot" = { 24 | device = "/dev/disk/by-uuid/810C-14F6"; 25 | fsType = "vfat"; 26 | }; 27 | 28 | fileSystems."/tmp" = { 29 | device = "zroot/root/tmp"; 30 | fsType = "zfs"; 31 | }; 32 | 33 | swapDevices = [ ]; 34 | 35 | hardware.asahi.pkgsSystem = "aarch64-linux"; 36 | nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; 37 | powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; 38 | } 39 | -------------------------------------------------------------------------------- /modules/hardware/morello.nix: -------------------------------------------------------------------------------- 1 | # Do not modify this file! It was generated by ‘nixos-generate-config’ 2 | # and may be overwritten by future invocations. Please make changes 3 | # to /etc/nixos/configuration.nix instead. 4 | { 5 | config, 6 | lib, 7 | pkgs, 8 | modulesPath, 9 | ... 10 | }: 11 | 12 | { 13 | imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; 14 | 15 | boot.initrd.availableKernelModules = [ "xhci_pci" ]; 16 | boot.initrd.kernelModules = [ ]; 17 | boot.kernelModules = [ ]; 18 | boot.extraModulePackages = [ ]; 19 | 20 | # Enables DHCP on each ethernet and wireless interface. In case of scripted networking 21 | # (the default) this is the recommended approach. When using systemd-networkd it's 22 | # still possible to use this option, but it's recommended to use it in conjunction 23 | # with explicit per-interface declarations with `networking.interfaces..useDHCP`. 
24 | networking.useDHCP = lib.mkDefault true; 25 | # networking.interfaces.eth0.useDHCP = lib.mkDefault true; 26 | 27 | nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; 28 | } 29 | -------------------------------------------------------------------------------- /templates/home-manager/flake.nix: -------------------------------------------------------------------------------- 1 | { 2 | description = "Home Manager configuration"; 3 | 4 | # update flake.lock to latest nixos-23.11: `nix flake update` 5 | inputs = { 6 | nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11"; 7 | home-manager = { 8 | url = "github:nix-community/home-manager/release-23.11"; 9 | inputs.nixpkgs.follows = "nixpkgs"; 10 | }; 11 | }; 12 | 13 | outputs = 14 | { 15 | self, 16 | nixpkgs, 17 | home-manager, 18 | ... 19 | }: 20 | let 21 | system = "x86_64-linux"; 22 | pkgs = nixpkgs.legacyPackages.${system}; 23 | username = "jdoe"; 24 | in 25 | { 26 | homeConfigurations.${username} = home-manager.lib.homeManagerConfiguration { 27 | inherit pkgs; 28 | modules = [ ./home.nix ]; 29 | extraSpecialArgs = { 30 | inherit username; 31 | }; 32 | }; 33 | 34 | apps.${system}."switch-${username}-hm" = { 35 | type = "app"; 36 | program = "${self.homeConfigurations.${username}.activationPackage}/activate"; 37 | }; 38 | }; 39 | } 40 | -------------------------------------------------------------------------------- /modules/buildbot/worker.nix: -------------------------------------------------------------------------------- 1 | { config, inputs, ... 
}: 2 | { 3 | imports = [ 4 | ./hostfile.nix 5 | inputs.buildbot-nix.nixosModules.buildbot-worker 6 | ]; 7 | 8 | sops.secrets.buildbot-builder-ssh-key = { }; 9 | sops.secrets.buildbot-nix-worker-password.owner = "buildbot-worker"; 10 | 11 | nix.distributedBuilds = true; 12 | nix.buildMachines = [ 13 | { 14 | hostName = "eliza.dos.cit.tum.de"; 15 | maxJobs = 192; 16 | sshKey = config.sops.secrets.buildbot-builder-ssh-key.path; 17 | sshUser = "buildbot-worker"; 18 | protocol = "ssh-ng"; 19 | system = "aarch64-linux"; 20 | supportedFeatures = [ 21 | "big-parallel" 22 | "kvm" 23 | "nixos-test" 24 | ]; 25 | } 26 | ]; 27 | # for working around cross-compiling quirks when building ruby 28 | boot.binfmt.emulatedSystems = [ "riscv64-linux" ]; 29 | 30 | services.buildbot-nix.worker = { 31 | enable = true; 32 | masterUrl = ''tcp:host=2a09\:80c0\:102\:\:11:port=9989''; 33 | workerPasswordFile = config.sops.secrets.buildbot-nix-worker-password.path; 34 | }; 35 | } 36 | -------------------------------------------------------------------------------- /.github/workflows/update-flake-inputs.yml: -------------------------------------------------------------------------------- 1 | name: Update Flake Inputs 2 | on: 3 | schedule: 4 | - cron: "0 2 * * *" 5 | workflow_dispatch: 6 | jobs: 7 | update-flake-inputs: 8 | runs-on: ubuntu-latest 9 | permissions: 10 | contents: write 11 | pull-requests: write 12 | steps: 13 | - name: Generate GitHub App Token 14 | id: app-token 15 | uses: actions/create-github-app-token@v2 16 | with: 17 | app-id: ${{ secrets.APP_ID }} 18 | private-key: ${{ secrets.APP_PRIVATE_KEY }} 19 | - name: Checkout repository 20 | uses: actions/checkout@v6 21 | with: 22 | token: ${{ steps.app-token.outputs.token }} 23 | - name: Setup Nix 24 | uses: cachix/install-nix-action@v31 25 | - name: Update flake inputs 26 | uses: mic92/update-flake-inputs@main 27 | with: 28 | github-token: ${{ steps.app-token.outputs.token }} 29 | auto-merge: true 30 | # Optional: exclude specific 
files or inputs 31 | # exclude-patterns: 'tests/**/flake.nix,examples/**/flake.nix#home-manager' -------------------------------------------------------------------------------- /modules/disko-ext4.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... }: 2 | { 3 | options = { 4 | disko.rootDisk = lib.mkOption { 5 | type = lib.types.str; 6 | description = "The device to use for the disk"; 7 | }; 8 | }; 9 | config = { 10 | disko.devices = { 11 | disk = { 12 | main = { 13 | device = config.disko.rootDisk; 14 | type = "disk"; 15 | content = { 16 | type = "gpt"; 17 | partitions = { 18 | ESP = { 19 | type = "EF00"; 20 | size = "1G"; 21 | content = { 22 | type = "filesystem"; 23 | format = "vfat"; 24 | mountpoint = "/boot"; 25 | }; 26 | }; 27 | root = { 28 | size = "100%"; 29 | content = { 30 | type = "filesystem"; 31 | format = "ext4"; 32 | mountpoint = "/"; 33 | }; 34 | }; 35 | }; 36 | }; 37 | }; 38 | }; 39 | }; 40 | }; 41 | } 42 | -------------------------------------------------------------------------------- /modules/nix-ld.nix: -------------------------------------------------------------------------------- 1 | { lib, pkgs, ... 
}: 2 | { 3 | # Enable nix ld 4 | programs.nix-ld.enable = !pkgs.stdenv.hostPlatform.isRiscV; 5 | programs.nix-ld.libraries = with pkgs; [ 6 | stdenv.cc.cc 7 | zlib 8 | fuse3 9 | alsa-lib 10 | at-spi2-atk 11 | atk 12 | cairo 13 | cups 14 | curl 15 | dbus 16 | expat 17 | fontconfig 18 | freetype 19 | gdk-pixbuf 20 | glib 21 | gtk2 22 | gtk3 23 | libGL 24 | libappindicator-gtk3 25 | libdrm 26 | libnotify 27 | libpulseaudio 28 | libuuid 29 | libxkbcommon 30 | mesa 31 | nspr 32 | nss 33 | pango 34 | pipewire 35 | systemd 36 | xorg.libX11 37 | xorg.libXScrnSaver 38 | xorg.libXcomposite 39 | xorg.libXcursor 40 | xorg.libXdamage 41 | xorg.libXext 42 | xorg.libXfixes 43 | xorg.libXi 44 | xorg.libXrandr 45 | xorg.libXrender 46 | xorg.libXtst 47 | xorg.libxkbfile 48 | xorg.libxshmfence 49 | xorg.libXft 50 | xorg.libxcb 51 | zlib 52 | (lib.lowPrio ncurses5) # xgdb from xilinx vitis 53 | ncurses 54 | libxcrypt 55 | ]; 56 | } 57 | -------------------------------------------------------------------------------- /modules/monitoring/telegraf.nix: -------------------------------------------------------------------------------- 1 | { lib, ... 
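}: 2 | let 3 | urls = [ 4 | "adelaide.r" 5 | "amy.r" 6 | "astrid.r" 7 | "bill.r" 8 | "christina.r" 9 | "clara.r" 10 | "dan.r" 11 | "graham.r" 12 | "jack.r" 13 | "jackson.r" 14 | "mickey.r" 15 | "nardole.r" 16 | "river.r" 17 | "rose.r" 18 | "ryan.r" 19 | "vislor.r" 20 | "wilfred.r" 21 | "yasmin.r" 22 | ]; 23 | in 24 | { 25 | services.telegraf.extraConfig.inputs = { 26 | ping = map (url: { 27 | method = "native"; 28 | urls = [ "6.${url}" ]; 29 | ipv6 = true; 30 | tags.org = "uni"; 31 | tags.host = lib.removeSuffix ".r" url; 32 | }) urls; 33 | net_response = map (host: { 34 | protocol = "tcp"; 35 | address = "${host}:22"; 36 | tags.host = host; 37 | tags.org = "uni"; 38 | send = "SSH-2.0-Telegraf"; 39 | expect = "SSH-2.0"; 40 | timeout = "10s"; 41 | }) urls; 42 | 43 | x509_cert = [ 44 | { 45 | sources = [ "https://web.dos.cit.tum.de:443" ]; 46 | tags.host = "vmbhatotia19"; 47 | tags.org = "uni"; 48 | } 49 | ]; 50 | }; 51 | } 52 | -------------------------------------------------------------------------------- /modules/scratch-space.nix: --------------------------------------------------------------------------------
# R /dir/to/remove/recursively - - - - -
{ lib, config, ... }:
let
  # Accounts that get a scratch directory: normal users plus root.
  loginUsers = lib.filterAttrs (_n: v: v.isNormalUser || v.name == "root") config.users.users;

  # tmpfiles rules for one scratch root: create a per-user directory for every
  # login user and recursively remove the directories of deleted users.
  # Both rule sets are derived from the same `root`, so /scratch2 cleanup can no
  # longer drift from /scratch (the old /scratch2 branch removed /scratch/<user>
  # a second time and left /scratch2/<user> of deleted users in place).
  scratchRules =
    root:
    (lib.mapAttrsToList (n: _v: "d ${root}/${n} 0755 ${n} users -") loginUsers)
    ++ (builtins.map (n: "R ${root}/${n} - - - - -") config.users.deletedUsers);
in
{
  # Create scratch space per user.
  # The scratch space is not backed up!
  # /scratch is stored on the local rootfs (usually zfs) instead of NFS
  # /scratch2 is meant for dedicated storage devices. We usually use a faster,
  # more common filesystem, i.e. ext4. Use this for benchmarks/evaluation if
  # present. This block device is more likely to be re-formatted in order to
  # have consistent measurement results.
  systemd.tmpfiles.rules =
    scratchRules "/scratch"
    ++ lib.optionals (config.fileSystems ? "/scratch2") (scratchRules "/scratch2");
}
-------------------------------------------------------------------------------- /hosts/jackson.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, ... }: 2 | { 3 | imports = [ 4 | ../modules/hardware/supermicro-x12spw-tf.nix 5 | ../modules/nfs/client.nix 6 | ../modules/dpdk.nix 7 | ../modules/vfio/iommu-intel.nix 8 | ]; 9 | 10 | networking.hostName = "jackson"; 11 | 12 | boot.hugepages1GB.number = 8; 13 | 14 | # Don't manage vnet interface with systemd-networkd 15 | systemd.network.networks."05-jackson_sn1000_host".extraConfig = '' 16 | [Match] 17 | Name=enp81s0f1 18 | [Network] 19 | Address=192.168.1.11/24 20 | [Link] 21 | Description=SN1000 Host Interface 22 | ''; 23 | # Unmanaged=yes 24 | simd.arch = "icelake-server"; 25 | 26 | system.stateVersion = "21.11"; 27 | 28 | services.github-runners.jackson = { 29 | enable = true; 30 | url = "https://github.com/TUM-DSE"; 31 | name = "jackson"; 32 | tokenFile = config.sops.secrets.github-runner-token.path; 33 | extraLabels = [ "icelake" ]; 34 | ephemeral = false; 35 | replace = true; 36 | extraPackages = with pkgs; [ 37 | git 38 | nix 39 | ]; 40 | }; 41 | 42 | sops.secrets = { 43 | github-runner-token = { }; 44 | }; 45 | } 46 | 47 | -------------------------------------------------------------------------------- /modules/nvidia-jetson-passthru/patches/0002-Bpmp-host-allows-all-domains.patch: -------------------------------------------------------------------------------- 1 | From a697932170ca65b32b2d193a7abfe88da614c1ea Mon Sep 17 00:00:00 2001 2 | From: Juan Pablo Ruiz 3 | Date: Sun, 1 Dec 2024 20:13:20 +0200 4 | Subject: [PATCH 2/2] Bpmp-host: allows all domains 5 | 6 | 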
Signed-off-by: Juan Pablo Ruiz 7 | --- 8 | drivers/firmware/tegra/bpmp-host-proxy/bpmp-host-proxy.c | 2 +- 9 | 1 file changed, 1 insertion(+), 1 deletion(-) 10 | 11 | diff --git a/drivers/firmware/tegra/bpmp-host-proxy/bpmp-host-proxy.c b/drivers/firmware/tegra/bpmp-host-proxy/bpmp-host-proxy.c 12 | index a17fa9cafe2f..bc22a474756e 100755 13 | --- a/drivers/firmware/tegra/bpmp-host-proxy/bpmp-host-proxy.c 14 | +++ b/drivers/firmware/tegra/bpmp-host-proxy/bpmp-host-proxy.c 15 | 
@@ -38,7 +38,7 @@ MODULE_VERSION("0.1"); ///< A version number to inform users 16 | * "clk_ignore_unused pd_ignore_unused" in kernel command line 17 | * 18 | */ 19 | -#define BPMP_HOST_ALLOWS_ALL 0 20 | +#define BPMP_HOST_ALLOWS_ALL 1 21 | 22 | #if BPMP_HOST_VERBOSE 23 | #define deb_info(...) printk(KERN_INFO DEVICE_NAME ": "__VA_ARGS__) 24 | -- 25 | 2.34.1 26 | 27 | -------------------------------------------------------------------------------- /pkgs/xilinx/firmware-sn1000.nix: -------------------------------------------------------------------------------- 1 | { stdenv, fetchurl, dpkg, autoPatchelfHook }: 2 | 3 | let 4 | firmware = fetchurl { 5 | url = "https://archive.org/download/firmware-sn1000_1.1.1.1021-1_all/firmware-sn1000_1.1.1.1021-1_all.deb"; 6 | hash = "sha256-KobdUPGJXVaZI1aX+ICR1Ns0Ut05HSRBEpz+C20VzlA="; 7 | }; 8 | firmwareConfig = fetchurl { 9 | url = "https://archive.org/download/firmware-sn1000_1.1.1.1021-1_all/firmware-sn1000-config_1.1.0.1-1_all.deb"; 10 | hash = "sha256-eR+Q70RIJ5zFt9zN0IFZEg85NDN3f3Q1sOq9bQrXy7k="; 11 | }; 12 | in 13 | stdenv.mkDerivation { 14 | pname = "firmware-sn1000"; 15 | version = "1.1.0.1-1"; 16 | 17 | nativeBuildInputs = [ dpkg ]; 18 | dontPatchelf = true; 19 | dontStrip = true; 20 | unpackPhase = '' 21 | mkdir firmware firmware-config 22 | dpkg-deb -x ${firmware} firmware 23 | dpkg-deb -x ${firmwareConfig} firmware-config 24 | chmod -R +w . 25 | ''; 26 | 27 | installPhase = '' 28 | mkdir -p $out/lib 29 | cp -r firmware-config/lib/* $out/lib 30 | cp -r firmware/lib/* $out/lib 31 | ''; 32 | 33 | meta = { 34 | description = "SmartNIC firmware and firmware configuration"; 35 | platforms = [ "x86_64-linux" ]; 36 | }; 37 | } 38 | -------------------------------------------------------------------------------- /modules/yasmin-hardware.nix: -------------------------------------------------------------------------------- 1 | # Do not modify this file! 
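Review bot: `#define BPMP_HOST_ALLOWS_ALL 1` is a compile-time switch that turns off whatever domain filtering the host proxy otherwise applies, and neither the define nor the commit message records which domains the passthrough guest actually needs or why an allow-list would not do; the guarded code is outside the hunk, so the exact effect is not visible here. A short comment above the define stating the motivation and intended scope, e.g. `/* allow every BPMP domain: needed for <placeholder: guest device list>; narrow to an allow-list once the set is known */` with the placeholder filled in, would keep the widening reviewable, and the surrounding comment about `clk_ignore_unused pd_ignore_unused` shows the author already documents such requirements at this spot. Exposing the value as a module parameter or Kconfig option instead of editing the define would also let builds that do not need it keep the restrictive default.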
It was generated by ‘nixos-generate-config’ 2 | # and may be overwritten by future invocations. Please make changes 3 | # to /etc/nixos/configuration.nix instead. 4 | { lib, modulesPath, ... }: 5 | { 6 | imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; 7 | 8 | boot.initrd.availableKernelModules = [ 9 | "xhci_pci" 10 | "ahci" 11 | "mpt3sas" 12 | "usb_storage" 13 | "usbhid" 14 | "sr_mod" 15 | ]; 16 | boot.initrd.kernelModules = [ ]; 17 | boot.kernelModules = [ ]; 18 | boot.extraModulePackages = [ ]; 19 | 20 | fileSystems."/" = { 21 | device = "zroot/root/nixos"; 22 | fsType = "zfs"; 23 | }; 24 | 25 | fileSystems."/boot" = { 26 | device = "/dev/disk/by-uuid/0D40-D110"; 27 | fsType = "vfat"; 28 | }; 29 | 30 | fileSystems."/scratch2" = { 31 | device = "/dev/disk/by-uuid/d45731c3-7b21-41e9-8ef1-a072255a5d2d"; 32 | fsType = "ext4"; 33 | options = [ "nofail" ]; 34 | }; 35 | 36 | fileSystems."/tmp" = { 37 | device = "zroot/root/tmp"; 38 | fsType = "zfs"; 39 | }; 40 | 41 | swapDevices = [ ]; 42 | 43 | powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; 44 | } 45 | -------------------------------------------------------------------------------- /pkgs/ipmctl.nix: -------------------------------------------------------------------------------- 1 | { stdenv 2 | , fetchurl 3 | , libndctl 4 | , systemd 5 | , cmake 6 | , python3 7 | , pkg-config 8 | , asciidoctor 9 | , asciidoc 10 | , lib 11 | , rpmextract 12 | }: 13 | 14 | stdenv.mkDerivation rec { 15 | pname = "ipmctl"; 16 | version = "03.00.00.0485"; 17 | src = fetchurl { 18 | url = "https://github.com/intel/ipmctl/releases/download/v${version}-2/ipmctl-${version}-1.fc27.src.rpm"; 19 | sha256 = "sha256-mtKe9iTxavmM17NISwysnPWaFvA5mj6TZwNtBrx8s9U="; 20 | }; 21 | buildInputs = [ libndctl systemd ]; 22 | unpackPhase = '' 23 | rpmextract $src 24 | tar -xf ipmctl-${version}.tar.gz 25 | cd ipmctl-${version} 26 | ''; 27 | NIX_CFLAGS_COMPILE = "-Wno-error"; 28 | nativeBuildInputs = [ cmake python3 pkg-config 
asciidoctor asciidoc rpmextract ]; 29 | cmakeFlags = [ 30 | "-DBUILDNUM=1" 31 | "-DLINUX_PRODUCT_NAME=ipmctl" 32 | "-DRELEASE=ON" 33 | ]; 34 | 35 | meta = with lib; { 36 | description = "Utility for configuring and managing Intel Optane Persistent Memory modules"; 37 | homepage = "https://github.com/intel/ipmctl"; 38 | license = licenses.mit; 39 | maintainers = with maintainers; [ mic92 ]; 40 | platforms = platforms.unix; 41 | }; 42 | } 43 | -------------------------------------------------------------------------------- /pkgs/xilinx/xrt-drivers.nix: -------------------------------------------------------------------------------- 1 | { stdenv, kernel, xrt, lib }: 2 | let 3 | KERNELDIR = "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"; 4 | in 5 | stdenv.mkDerivation { 6 | name = "xrt-drivers"; 7 | dontUnpack = true; 8 | buildPhase = '' 9 | export INSTALL_MOD_PATH="$out" 10 | 11 | cp -r ${xrt.src}/* . 12 | chmod -R +w . 13 | cd src/runtime_src/core/pcie/driver/linux/xocl/ 14 | 15 | cp ${xrt}/src/xrt-*/driver/include/version.h . 16 | 17 | pushd mgmtpf 18 | cp ${xrt}/src/xrt-*/driver/include/version.h . 19 | make -C "${KERNELDIR}" -j$NIX_BUILD_CORES M=$(pwd) 20 | popd 21 | 22 | pushd userpf 23 | cp ${xrt}/src/xrt-*/driver/include/version.h . 
24 | make -C "${KERNELDIR}" -j$NIX_BUILD_CORES M=$(pwd) 25 | popd 26 | ''; 27 | 28 | installPhase = '' 29 | pushd mgmtpf 30 | make -C "${KERNELDIR}" -j$NIX_BUILD_CORES M=$(pwd) modules_install 31 | popd 32 | 33 | pushd userpf 34 | make -C "${KERNELDIR}" -j$NIX_BUILD_CORES M=$(pwd) modules_install 35 | popd 36 | ''; 37 | 38 | passthru = { inherit xrt; }; 39 | 40 | meta = with lib; { 41 | description = "kernel drivers for xrt runtime"; 42 | platforms = platforms.linux; 43 | }; 44 | } 45 | -------------------------------------------------------------------------------- /terraform/github-permissions/bots.tf: -------------------------------------------------------------------------------- 1 | module "ls1-courses" { 2 | source = "../modules/github-push-bot" 3 | org_name = "ls1-courses" 4 | bot_github_token = data.sops_file.secrets.data["ls1-admin-bot-token"] 5 | } 6 | module "cloudlab-course" { 7 | source = "../modules/github-push-bot" 8 | org_name = "ls1-cloud-lab-course" 9 | bot_github_token = data.sops_file.secrets.data["ls1-admin-bot-token"] 10 | } 11 | module "ls1-sys-prog-course" { 12 | source = "../modules/github-push-bot" 13 | org_name = "ls1-sys-prog-course" 14 | bot_github_token = data.sops_file.secrets.data["ls1-admin-bot-token"] 15 | } 16 | module "ls1-adv-sys-prog-course" { 17 | source = "../modules/github-push-bot" 18 | org_name = "ls1-adv-sys-prog-course" 19 | bot_github_token = data.sops_file.secrets.data["ls1-admin-bot-token"] 20 | } 21 | module "TUM-DSE" { 22 | source = "../modules/github-push-bot" 23 | org_name = "TUM-DSE" 24 | bot_github_token = data.sops_file.secrets.data["doctor-cluster-bot-token"] 25 | } 26 | 27 | output "invite-urls" { 28 | value = [ 29 | module.TUM-DSE, 30 | module.ls1-courses, 31 | module.cloudlab-course, 32 | module.ls1-sys-prog-course, 33 | module.ls1-adv-sys-prog-course, 34 | ] 35 | } 36 | -------------------------------------------------------------------------------- /hosts/bill.nix: 
-------------------------------------------------------------------------------- 1 | { 2 | imports = [ 3 | ../modules/ipmi-supermicro.nix 4 | ../modules/bonding.nix 5 | 6 | ../modules/hardware/supermicro-X12SCZ-TLN4F.nix 7 | ../modules/disko-zfs.nix 8 | ../modules/nfs/client.nix 9 | ../modules/dpdk.nix 10 | 11 | ../modules/xilinx.nix 12 | ../modules/xrdp.nix 13 | ]; 14 | 15 | networking.hostName = "bill"; 16 | 17 | networking.doctowho.bonding.macs = [ 18 | "b8:ce:f6:0b:ee:64" 19 | "b8:ce:f6:0b:ee:65" 20 | ]; 21 | 22 | simd.arch = "skylake"; 23 | 24 | # unused 1Gbit/s port, messes up k3s networking 25 | systemd.network.networks."05-unmanaged".extraConfig = '' 26 | [Match] 27 | MACAddress = b0:3a:f2:b6:05:9f 3c:ec:ef:2c:f5:54 3c:ec:ef:2c:f5:55 28 | 29 | [Link] 30 | ActivationPolicy = down 31 | ''; 32 | 33 | system.stateVersion = "20.09"; 34 | 35 | disko.rootDisk = "/dev/disk/by-id/nvme-SAMSUNG_MZQL21T9HCJR-00A07_S64GNA0T724988"; 36 | 37 | boot.hugepages1GB.number = 8; 38 | 39 | # manually added to load xilinx from 40 | fileSystems."/share" = { 41 | device = "nfs:/export/share"; 42 | fsType = "nfs4"; 43 | options = [ 44 | "nofail" 45 | "ro" 46 | "timeo=14" 47 | ]; 48 | }; 49 | 50 | } 51 | -------------------------------------------------------------------------------- /docs/morello.md: -------------------------------------------------------------------------------- 1 | # Adding New Users 2 | 3 | When running Morello Debian, adding new users must be done manually. 4 | 1. Create the user with the same uid as specified in `modules/users/*.nix`. 5 | 2. Put the ssh keys into `/etc/ssh/authorized_keys.d/$USER` 6 | 3. `chown $USER:users /etc/ssh/authorized_keys.d/$USER` 7 | 4. `chmod 600 /etc/ssh/authorized_keys.d/$USER` 8 | 9 | 10 | # Debugging 11 | 12 | Connect your machine to the board using the debug USB cable. 
13 | 14 | Accessing the Morello console to 15 | troubleshoot/reboot/shutdown: https://ctsrd-cheri.github.io/cheribsd-getting-started/morello-console/index.html 16 | 17 | Currently, ace is connected to `tegan.dos.cit.tum.de`. On tegan, run the following commands. 18 | Please note that the exact tty device may vary, depending on which other machines are connected. 19 | 20 | ```shell 21 | sudo tio /dev/ttyUSB0 22 | # press enter to see if you're on the correct device 23 | # if you are, you should see something like "Cmd>" 24 | ? # for help 25 | REBOOT 26 | ``` 27 | 28 | Usually, `ttyUSB0` serves as the M1SDP MCC console, which allows you to 29 | perform tasks like rebooting. On the other hand, `ttyUSB2` is the console 30 | for the application processor, used to access the bootloader or log in. 31 | 32 | -------------------------------------------------------------------------------- /hosts/vicki.nix: -------------------------------------------------------------------------------- 1 | # this is the mifcom tower pc 2 | { pkgs, ... 
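}:
{
  imports = [
    ../modules/hardware/mifcom-tower.nix
    ../modules/disko-zfs-ubuntu.nix
  ];

  disko.rootDisk = "/dev/disk/by-id/nvme-Samsung_SSD_990_PRO_1TB_S6Z1NF0WC13969B";

  # everyone with physical access:
  users.users."ls1.internet" = {
    isNormalUser = true;
    extraGroups = [
      "wheel"
      "docker"
      "plugdev"
      "vboxusers"
      "adbusers"
      "input"
      "admin"
    ];
    password = "ls1.internet";
  };

  # gui
  services.xserver.enable = true;
  services.xserver.displayManager.gdm.enable = true;
  services.xserver.desktopManager.gnome.enable = true;
  # disable pulseaudio because it conflicts with our common server config
  services.pulseaudio.enable = false;

  # gui packages
  environment.systemPackages = with pkgs; [
    # fprintd # seems to brick the login screen on ThinkPad E14 amd
    pkgs.gnome-terminal
    gedit
    remmina # rdp/vnc client
    alacritty
    wezterm
    firefox
  ];

  networking.hostName = "vicki";

  system.stateVersion = "22.11";
}
-------------------------------------------------------------------------------- /docs/generate-host-info.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash
# Collect a hardware report for one host: <hostname>.md (inxi output) plus
# <hostname>.lstopo.svg (hwloc topology) next to it.
#
# Usage: generate-host-info.sh <ssh-target>
# The ssh target may be a FQDN; everything before the first dot is used as the
# hostname for the output file names and for picking the per-host branch below.
set -euo pipefail

if [[ $# -lt 1 || -z "$1" ]]; then
  echo "Usage: $(basename "$0") <ssh-target>" >&2
  exit 1
fi

target=$1
hostname=${target%%.*}
report="$hostname.md"
lstopo="$hostname.lstopo.svg"
inxi_args="-F -a -i --slots -xxx -c0 -Z -i -m"

# Fetch an lstopo SVG from the target into "$lstopo".
# Arguments are passed through to nix-shell (e.g. "-p hwloc -p dmidecode").
# The remote file lives in a directory created by mktemp on the target rather
# than at a predictable /tmp/<hostname> path: lstopo runs under sudo there, so a
# fixed name in the shared /tmp could be pre-created (or symlinked) by another
# user of that host before we write to it.
fetch_lstopo() {
  local remote_dir remote_svg
  remote_dir=$(ssh "$target" -- mktemp -d)
  remote_svg="$remote_dir/$hostname.lstopo.svg"
  ssh "$target" -- nix-shell "$@" --run \"sudo lstopo "$remote_svg"\"
  scp "$target":"$remote_svg" "$lstopo"
  ssh "$target" -- rm -rf "$remote_dir"
}

{
  echo -e "# ${hostname}\n"
  echo '```'
} > "$report"

case "$hostname" in
  sakura | hinoki | momiji)
    # this is an ubuntu host: inxi is installed there, no nix-shell needed
    # (no topology SVG is produced for these hosts)
    ssh "$target" -- sudo inxi $inxi_args >> "$report"
    ;;
  sarah)
    # macos does not have dmidecode
    ssh "$target" -- nix-shell -p inxi --run \"sudo inxi $inxi_args\" >> "$report"
    fetch_lstopo -p hwloc
    ;;
  *)
    ssh "$target" -- nix-shell -p \'inxi.override { withRecommends = true\; }\' --run \"sudo inxi $inxi_args\" >> "$report"
    fetch_lstopo -p hwloc -p dmidecode
    ;;
esac

echo '```' >> "$report"
echo "![hardware topology]($hostname.lstopo.svg)" >> "$report"
echo "wrote $report" >&2
-------------------------------------------------------------------------------- /modules/ls1-coffee/backup.yaml: --------------------------------------------------------------------------------
---
- name: Create backup job
  hosts: all
  become: yes
  tasks:
    - name: "Create systemd timer"
      ansible.builtin.copy:
        content: |
          [Unit]
          Description=Run daily at 4am

          [Timer]
          OnCalendar=*-*-* 4:00:00
          Persistent=true

          [Install]
          WantedBy=timers.target
        dest: /etc/systemd/system/postgres-backup.timer
        mode: '0644'
        owner: root
        group: root
    - name: Create systemd service
      ansible.builtin.copy:
        content: |
          [Unit]
          Description=Backup postgresql database

          [Service]
          Type=oneshot
          RemainAfterExit=true
          # the dump holds the complete database; do not leave it world-readable
          UMask=0077
          ExecStart=/bin/bash -c "set -eux -o pipefail; docker exec -i ls1-coffee-accounting-db-1 pg_dumpall -U drinks-api | gzip > /var/backups/postgresl-backup.sql.gz.tmp; mv /var/backups/postgresl-backup.sql.gz{.tmp,}"
        dest: /etc/systemd/system/postgres-backup.service
        mode: '0644'
        owner: root
        group: root
    - name: Enable backup timer unit
      ansible.builtin.systemd:
        name: postgres-backup.timer
        # pick up edits to the unit files written above
        daemon_reload: true
        state: started
        enabled: true
-------------------------------------------------------------------------------- /pkgs/clang-morello/default.nix: --------------------------------------------------------------------------------
{
  stdenv,
  zlib,
  fetchzip,
  autoPatchelfHook,
  llvmPackages_17,
}:
stdenv.mkDerivation {
  name = "morello-clang";
  src = fetchzip {
    url = "https://github.com/TUM-DSE/doctor-cluster-config/releases/download/morello/artifacts.zip";
    sha256 = "sha256-wKPXKmCP2aNeToTa4goey1uiNcG87o/x3Vt50ukCkgg";
    stripRoot = false;
  };
  installPhase = ''
    tar -xf llvm-morello-linux-aarch64-clang.tar.gz
    mv llvm-morello-linux-aarch64/ $out
  '';
  buildInputs = [
    zlib
    stdenv.cc.cc
  ];
  nativeBuildInputs = [ autoPatchelfHook ];
  doInstallCheck = true;
  installCheckPhase = ''
    $out/bin/clang --version
  '';
  passthru.isClang = true;
  passthru.hardeningUnsupportedFlagsByTargetPlatform =
    targetPlatform:
    (
      if builtins.hasAttr "hardeningUnsupportedFlagsByTargetPlatform" llvmPackages_17.clang-unwrapped then
        llvmPackages_17.clang-unwrapped.hardeningUnsupportedFlagsByTargetPlatform targetPlatform
      else
        [ ]
    )
    ++ [ "strictoverflow" ];

  meta = {
    description = "Morello build toolchain";
    platforms = [ "aarch64-linux" ];
  };
}
-------------------------------------------------------------------------------- /modules/sshd/default.nix: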
-------------------------------------------------------------------------------- 1 | { lib, config, ... }: 2 | let 3 | cert = ./certs + "/${config.networking.hostName}-cert.pub"; 4 | in 5 | { 6 | services.openssh = { 7 | enable = true; 8 | # unbind gnupg sockets if they exists 9 | extraConfig = '' 10 | ${lib.optionalString (builtins.pathExists cert) '' 11 | HostCertificate ${cert} 12 | ''} 13 | StreamLocalBindUnlink yes 14 | ''; 15 | # X11Forwarding requires setXAuthLocation which in turn brings in X11 16 | # dependencies which i am not confident with bringing onto our servers. 17 | # see 18 | # https://github.com/NixOS/nixpkgs/blob/a664d2a42c26b5bf2bb214135502d66632e8f975/nixos/modules/services/networking/ssh/sshd.nix#L562W 19 | settings.X11Forwarding = false; 20 | }; 21 | 22 | warnings = lib.optional ( 23 | !builtins.pathExists cert && config.networking.hostName != "nixos" # we dont care about nixos netboot/installer images 24 | ) "No ssh certificate found at ${toString cert}"; 25 | 26 | programs.ssh.knownHosts.ssh-ca = { 27 | certAuthority = true; 28 | hostNames = [ 29 | "*.r" 30 | "*.i" 31 | "*.thalheim.io" 32 | "*.dos.cit.tum.de" 33 | # deprecated, remove soon 34 | "*.dse.in.tum.de" 35 | ]; 36 | publicKeyFile = ./certs/ssh-ca.pub; 37 | }; 38 | } 39 | -------------------------------------------------------------------------------- /modules/amd_sev.nix: -------------------------------------------------------------------------------- 1 | { config, ... 
}: 2 | { 3 | # This is used to enable AMD-SEV 4 | config = { 5 | # enable libvirtd service 6 | virtualisation.libvirtd.enable = true; 7 | 8 | # enable AMD-SME & AMD-SEV 9 | # https://cateee.net/lkddb/web-lkddb/KVM_AMD.html 10 | boot.kernelPatches = [ 11 | { 12 | name = "amd_sme-config"; 13 | patch = null; 14 | extraConfig = '' 15 | AMD_MEM_ENCRYPT y 16 | CRYPTO_DEV_CCP y 17 | CRYPTO_DEV_CCP_DD y 18 | CRYPTO_DEV_SP_PSP y 19 | KVM_AMD_SEV y 20 | ''; 21 | } 22 | ]; 23 | 24 | # enable AMD-SEV and SEV-ES 25 | # https://libvirt.org/kbase/launch_security_sev.html#enabling-sev-on-the-host 26 | # For SEV-ES the BIOS parameter the defines the Min SEV ASIDs has to be updated 27 | # For more information specifically for our Dell Poweredge 7515 28 | # see here: https://www.dell.com/support/manuals/en-us/idrac9-lifecycle-controller-v4.x-series/idrac_4.00.00.00_racadm_ar_referenceguide/bios.procsettings.cpuminsevasid-(read-or-write)?guid=guid-4bdaeaa7-d054-4fd1-bd84-0cd71d7aec1e&lang=en-us 29 | boot.kernelParams = [ 30 | #"mem_encrypt=on" 31 | "kvm_amd.sev=1" 32 | "kvm_amd.sev_es=1" 33 | #"kvm.mmio_caching=on" 34 | ]; 35 | }; 36 | } 37 | -------------------------------------------------------------------------------- /docs/gen-ssh-config.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | user=$1 4 | 5 | if [ -z "$user" ] ; then 6 | echo "Missing username" 7 | echo "Usage: $(basename $0) username" 8 | exit 1 9 | fi 10 | 11 | # Setup cleanup 12 | tempfile=/tmp/tum.html 13 | trap "rm -f $tempfile" EXIT 14 | 15 | # Print the common part of the configuration 16 | cat >&1 < "$tempfile" 38 | machines=$(egrep '^.+' -f3 | cut -d'<' -f1 | cut -d'.' -f1) 39 | 40 | # Generate entry for each machine 41 | while read m; do 42 | if [ "$m" == "README" ] ; then continue; fi 43 | 44 | cat >&1<.useDHCP`. 
21 | networking.useDHCP = lib.mkDefault true; 22 | # networking.interfaces.eth0.useDHCP = lib.mkDefault true; 23 | # networking.interfaces.eth1.useDHCP = lib.mkDefault true; 24 | # networking.interfaces.eth2.useDHCP = lib.mkDefault true; 25 | # networking.interfaces.usb0.useDHCP = lib.mkDefault true; 26 | 27 | nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; 28 | } 29 | 30 | -------------------------------------------------------------------------------- /modules/packages.nix: -------------------------------------------------------------------------------- 1 | { pkgs, inputs, ... }: 2 | { 3 | # this extends the list from: 4 | # https://github.com/numtide/srvos/blob/master/server.nix#L10 5 | environment.systemPackages = 6 | with pkgs; 7 | [ 8 | socat 9 | whois 10 | 11 | jq 12 | psmisc 13 | libarchive 14 | sipcalc 15 | iperf 16 | openssl 17 | binutils 18 | file 19 | wget 20 | htop 21 | ripgrep 22 | lsof 23 | tcpdump 24 | rsync 25 | git 26 | tig 27 | lazygit 28 | python3 29 | iotop 30 | man-pages 31 | netcat 32 | mtr 33 | ( 34 | # needs luajit: https://github.com/LuaJIT/LuaJIT/pull/1267 35 | if stdenv.hostPlatform.isRiscV then 36 | vim 37 | else 38 | neovim.override { 39 | vimAlias = true; 40 | withRuby = false; 41 | } 42 | ) 43 | pciutils 44 | ethtool 45 | usbutils 46 | smartmontools # smartctl 47 | nvme-cli # nvmectl 48 | edac-utils # edac-util: memory/pci errors 49 | 50 | # cluster management 51 | inputs.hosthog 52 | 53 | ipmitool 54 | # tries to default to soft-float due to out-dated cc-rs 55 | ] 56 | ++ lib.optional (!stdenv.hostPlatform.isRiscV) bandwhich; 57 | } 58 | -------------------------------------------------------------------------------- /modules/k3s/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | pkgs, 4 | lib, 5 | ... 
6 | }: 7 | { 8 | config = { 9 | services.k3s.enable = true; 10 | virtualisation.containerd.enable = true; 11 | virtualisation.containerd.settings = { 12 | version = 2; 13 | plugins."io.containerd.grpc.v1.cri" = { 14 | cni.conf_dir = "/var/lib/rancher/k3s/agent/etc/cni/net.d/"; 15 | # FIXME: upstream 16 | cni.bin_dir = "${pkgs.runCommand "cni-bin-dir" { } '' 17 | mkdir -p $out 18 | ln -sf ${pkgs.cni-plugins}/bin/* ${pkgs.cni-plugin-flannel}/bin/* $out 19 | ''}"; 20 | }; 21 | }; 22 | 23 | environment.systemPackages = [ 24 | (pkgs.writeShellScriptBin "k3s-reset-node" (builtins.readFile ./k3s-reset-node)) 25 | ]; 26 | 27 | systemd.services.k3s = { 28 | wants = [ "containerd.service" ]; 29 | after = [ "containerd.service" ]; 30 | }; 31 | 32 | systemd.services.containerd.serviceConfig = { 33 | ExecStartPre = [ 34 | "-${config.boot.zfs.package}/bin/zfs create -o mountpoint=/var/lib/containerd/io.containerd.snapshotter.v1.zfs zroot/containerd" 35 | ]; 36 | }; 37 | 38 | sops.secrets.k3s-server-token.sopsFile = ./secrets.yml; 39 | services.k3s.tokenFile = lib.mkDefault config.sops.secrets.k3s-server-token.path; 40 | }; 41 | } 42 | -------------------------------------------------------------------------------- /docs/gpu.md: -------------------------------------------------------------------------------- 1 | # GPUs 2 | 3 | ## GPU servers 4 | - jamie (AMD EPYC) 5 | - H100 (80GB, CC support) 6 | - jack (Intel Xeon) 7 | - A40 (48GB) 8 | 9 | ## Quick test 10 | ``` 11 | nvidia-smi 12 | docker run --rm -it --device=nvidia.com/gpu=all ubuntu:latest nvidia-smi 13 | ``` 14 | 15 | ## Cuda docker 16 | - Check supported cuda version (it depends on the driver version) 17 | ``` 18 | nvidia-smi # this shows driver and cuda version 19 | ``` 20 | 21 | - Run containers 22 | ``` 23 | docker pull nvidia/cuda:12.8.0-cudnn-devel-ubuntu24.04 24 | docker run -it --name dev-cuda12.8 -v /scratch/$USER/work:/work --device=nvidia.com/gpu=all nvidia/cuda:12.8.0-cudnn-devel-ubuntu24.04 25 | ``` 26 | 27 | 
- Test (in the container) 28 | ``` 29 | cd /work/ 30 | apt update 31 | apt install git cmake 32 | git clone https://github.com/NVIDIA/cuda-samples 33 | cd cuda-samples 34 | git checkout -b v12.8 tags/v12.8 35 | mkdir build 36 | cd build 37 | cmake .. 38 | make -j$(nproc) 39 | ./Samples/1_Utilities/deviceQuery/deviceQuery 40 | ``` 41 | 42 | - llama.cpp 43 | ``` 44 | git clone https://github.com/ggml-org/llama.cpp/ 45 | cd llama.cpp 46 | apt install curl libcurl4-openssl-dev 47 | cmake -B build -DGGML_CUDA=ON 48 | cmake --build build --config Release -j $(nproc) 49 | LLAMA_CACHE=/work/models ./build/bin/llama-cli -hf ggml-org/gemma-3-1b-it-GGUF --gpu-layers -1 50 | ``` 51 | -------------------------------------------------------------------------------- /pkgs/xilinx/sfc-driver.nix: -------------------------------------------------------------------------------- 1 | { stdenv, kernel, lib, fetchurl, dpkg }: 2 | let 3 | KERNELDIR = "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"; 4 | in 5 | stdenv.mkDerivation rec { 6 | name = "sfc-drivers"; 7 | version = "5.3.11.1000"; 8 | src = fetchurl { 9 | url = "https://archive.org/download/sfc-dkms_${version}_all/sfc-dkms_${version}_all.deb"; 10 | hash = "sha256-yEDKmR4+R9qHFWB0tpY8RnGldG/+InAimPCxu0cc64M="; 11 | }; 12 | nativeBuildInputs = [ dpkg ]; 13 | unpackPhase = '' 14 | mkdir sfc-dkms 15 | dpkg-deb -x $src sfc-dkms 16 | cd sfc-dkms 17 | chmod -R +w . 18 | ''; 19 | 20 | patches = [ 21 | ./0001-port-to-linux-5.15.patch 22 | ]; 23 | 24 | buildPhase = '' 25 | export INSTALL_MOD_PATH=$out 26 | cd usr/src/sfc-${version} 27 | patchShebangs . 
28 | make -C "${KERNELDIR}" M=$(pwd)/drivers/bus -j$NIX_BUILD_CORES 29 | make -C "${KERNELDIR}" M=$(pwd)/drivers/net/ethernet/sfc -j$NIX_BUILD_CORES 30 | ''; 31 | makeFlags = [ ]; 32 | 33 | installPhase = '' 34 | make -C "${KERNELDIR}" -j$NIX_BUILD_CORES M=$(pwd)/drivers/bus modules_install 35 | make -C "${KERNELDIR}" -j$NIX_BUILD_CORES M=$(pwd)/drivers/net/ethernet/sfc modules_install 36 | ''; 37 | 38 | meta = with lib; { 39 | description = "SFC kernel drivers"; 40 | platforms = platforms.linux; 41 | }; 42 | } 43 | -------------------------------------------------------------------------------- /modules/monitoring/prometheus/nginx.nix: -------------------------------------------------------------------------------- 1 | let 2 | proxy = upstream: '' 3 | proxy_pass http://@${upstream}/; 4 | proxy_set_header Host $host; 5 | proxy_set_header X-Real-IP $remote_addr; 6 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 7 | proxy_set_header X-Forwarded-Host $host:443; 8 | proxy_set_header X-Forwarded-Server $host; 9 | proxy_set_header X-Forwarded-Port 443; 10 | proxy_set_header X-Forwarded-Proto $scheme; 11 | ''; 12 | in 13 | { 14 | security.acme.defaults.email = "joerg.letsencrypt@thalheim.io"; 15 | security.acme.acceptTerms = true; 16 | 17 | services.nginx = { 18 | commonHttpConfig = '' 19 | add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always; 20 | ''; 21 | 22 | upstreams = { 23 | "@prometheus".extraConfig = "server localhost:9090;"; 24 | "@alertmanager".extraConfig = "server localhost:9093;"; 25 | }; 26 | 27 | virtualHosts."prometheus.dse.in.tum.de" = { 28 | forceSSL = true; 29 | enableACME = true; 30 | locations."/".extraConfig = proxy "prometheus"; 31 | }; 32 | 33 | virtualHosts."alertmanager.dse.in.tum.de" = { 34 | forceSSL = true; 35 | enableACME = true; 36 | locations."/".extraConfig = proxy "alertmanager"; 37 | }; 38 | }; 39 | } 40 | -------------------------------------------------------------------------------- 
/pkgs/intel-fpgas/cable-drivers/default.nix: -------------------------------------------------------------------------------- 1 | { stdenv, pkgs, ... }: 2 | # sources: 3 | # - https://www.intel.com/content/www/us/en/docs/programmable/683719/current/installing-the-driver-on-linux-systems.html 4 | # - https://wiki.trenz-electronic.de/display/PD/Arrow+USB+Programmer 5 | stdenv.mkDerivation { 6 | name = "intel-cable-driver"; 7 | src = ./.; 8 | installPhase = '' 9 | mkdir -p $out/lib/udev/rules.d/ 10 | cp -v *.rules $out/lib/udev/rules.d/ 11 | 12 | cat >> $out/lib/udev/rules.d/51-usbblaster.rules << 'EOF' 13 | # Arrow USB Programmer, used by Napatech F2070X IPU 14 | SUBSYSTEM=="usb",\ 15 | ENV{DEVTYPE}=="usb_device",\ 16 | ATTR{idVendor}=="0403",\ 17 | ATTR{idProduct}=="6010",\ 18 | MODE="0666",\ 19 | NAME="bus/usb/$env{BUSNUM}/$env{DEVNUM}",\ 20 | RUN+="${pkgs.coreutils}/bin/chmod 0666 %c" 21 | # Interface number zero is a JTAG 22 | SUBSYSTEM=="usb",\ 23 | ATTRS{idVendor}=="0403",\ 24 | ATTRS{idProduct}=="6010",\ 25 | ATTR{interface}=="Arrow USB Blaster*",\ 26 | ATTR{bInterfaceNumber}=="00",\ 27 | RUN="${pkgs.bash}/bin/bash -c 'echo $kernel > /sys/bus/usb/drivers/ftdi_sio/unbind'" 28 | EOF 29 | 30 | # This is a false-positive in the udev nixos build script but we fix it 31 | # anyway. 32 | sed -i -e 's!/sbin/udevcontrol!udevcontrol!' 
$out/lib/udev/rules.d/*.rules 33 | ''; 34 | } 35 | -------------------------------------------------------------------------------- /pkgs/llvm-morello-purecap/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | stdenv, 3 | zlib, 4 | fetchurl, 5 | autoPatchelfHook, 6 | llvmPackages_17, 7 | }: 8 | stdenv.mkDerivation { 9 | name = "llvm-morello-purecap"; 10 | src = fetchurl { 11 | url = "https://git.morello-project.org/morello/llvm-project-releases/-/archive/morello/linux-aarch64-release-1.9/llvm-project-releases-morello-linux-aarch64-release-1.9.tar.gz"; 12 | sha256 = "sha256-lcmWWi7HsPZ6Ohy3jDCFzvN758PzyttAu/Q1D11PQ1k="; 13 | downloadToTemp = true; 14 | }; 15 | 16 | installPhase = '' 17 | cp -r ./ $out/ 18 | ''; 19 | 20 | buildInputs = [ 21 | zlib 22 | stdenv.cc.cc 23 | ]; 24 | nativeBuildInputs = [ autoPatchelfHook ]; 25 | doInstallCheck = true; 26 | installCheckPhase = '' 27 | $out/bin/clang --version 28 | $out/bin/ld.lld --version 29 | ''; 30 | passthru.isClang = true; 31 | passthru.hardeningUnsupportedFlagsByTargetPlatform = 32 | targetPlatform: 33 | ( 34 | if builtins.hasAttr "hardeningUnsupportedFlagsByTargetPlatform" llvmPackages_17.clang-unwrapped then 35 | llvmPackages_17.clang-unwrapped.hardeningUnsupportedFlagsByTargetPlatform targetPlatform 36 | else 37 | [ ] 38 | ) 39 | ++ [ "strictoverflow" ]; 40 | 41 | meta = { 42 | description = "Morello build toolchain"; 43 | platforms = [ "aarch64-linux" ]; 44 | }; 45 | } 46 | -------------------------------------------------------------------------------- /terraform/github-permissions/sys-prog-tutors.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | sys-prog-tutors = toset([]) 3 | 4 | sys-prog-upstreams = toset([ 5 | "anti-cheat", 6 | "task1-syscalls-tum-test-student", 7 | "task2-fileio-tum-test-student", # main, rust solution 8 | "task2-fileio-rgouicem", # c solution 9 | "task3-processes-tum-test-student", 10 | 
"task4-concurrency-tum-test-student", 11 | "task5-memory-tum-test-student", 12 | "task6-sockets-tum-test-student", 13 | "task7-performance-tum-test-student", 14 | "task8-container-tum-test-student", 15 | ]) 16 | } 17 | 18 | resource "github_team" "sys_prog_tutors_team" { 19 | provider = github.ls1-courses 20 | name = "sys-prog-tutors" 21 | description = "Tutors of the sys-prog course, improving it and helping students" 22 | privacy = "closed" 23 | } 24 | 25 | resource "github_team_membership" "sys_prog_tutors_membership" { 26 | provider = github.ls1-courses 27 | team_id = github_team.sys_prog_tutors_team.id 28 | for_each = local.sys-prog-tutors 29 | username = each.value 30 | role = "member" 31 | } 32 | 33 | # broken just now? 34 | #resource "github_team_repository" "ls1_courses" { 35 | # provider = github.ls1-courses 36 | # team_id = github_team.sys_prog_tutors_team.id 37 | # for_each = local.sys-prog-upstreams 38 | # repository = each.value 39 | # permission = "push" 40 | #} 41 | -------------------------------------------------------------------------------- /modules/jumphost/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | lib, 4 | pkgs, 5 | ... 
6 | }: 7 | { 8 | # defined in astrid's secrets 9 | sops.secrets.deploy-ssh-key = { }; 10 | 11 | programs.ssh.knownHosts."login.dos.cit.tum.de" = { 12 | hostNames = [ "login.dos.cit.tum.de" ]; 13 | publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOdlUylM9WIFfIYZDK8rjVYQzX+RYwIlLgsEh4j0pNx6"; 14 | }; 15 | 16 | systemd.services.update-authorized-keys = 17 | let 18 | sshKeysUnfiltered = builtins.concatLists ( 19 | lib.mapAttrsToList (_: user: user.openssh.authorizedKeys.keys) config.users.users 20 | ); 21 | sshKeys = (import ../lawful-access/util.nix { inherit config lib; }).filter sshKeysUnfiltered; 22 | authorizedKeys = pkgs.writeText "authorized-keys" (builtins.concatStringsSep "\n" sshKeys); 23 | in 24 | { 25 | description = "Update authorized keys on login.dos.cit.tum.de"; 26 | wantedBy = [ "multi-user.target" ]; 27 | script = '' 28 | ${pkgs.openssh}/bin/ssh -v -i $CREDENTIALS_DIRECTORY/deploy deploy@login.dos.cit.tum.de < ${authorizedKeys} 29 | ''; 30 | serviceConfig = { 31 | Type = "oneshot"; 32 | DynamicUser = true; 33 | User = "deploy"; 34 | LoadCredential = "deploy:${config.sops.secrets.deploy-ssh-key.path}"; 35 | RemainAfterExit = "yes"; 36 | }; 37 | }; 38 | } 39 | -------------------------------------------------------------------------------- /modules/nvidia-jetson-passthru/patches/0002-NOP_PREDEFINED_DTB_MEMORY.patch: -------------------------------------------------------------------------------- 1 | From 87a9908309aa53c725cbc13a8a06354d71e26df7 Mon Sep 17 00:00:00 2001 2 | From: Juan Pablo Ruiz 3 | Date: Tue, 12 Nov 2024 20:29:17 +0000 4 | Subject: [PATCH 2/4] NOP_PREDEFINED_DTB_MEMORY 5 | 6 | Signed-off-by: Juan Pablo Ruiz 7 | --- 8 | hw/arm/boot.c | 7 ++++++- 9 | 1 file changed, 6 insertions(+), 1 deletion(-) 10 | 11 | diff --git a/hw/arm/boot.c b/hw/arm/boot.c 12 | index 5301d8d318..4806fc73cd 100644 13 | --- a/hw/arm/boot.c 14 | +++ b/hw/arm/boot.c 15 | 
@@ -41,6 +41,10 @@ 16 | 17 | #define BOOTLOADER_MAX_SIZE (4 * KiB) 18 | 19 | +/* Put in zero if you do not want that Qemu removes the 20 | + * memory configuraiton on the device tree */ 21 | +#define NOP_PREDEFINED_DTB_MEMORY 0 22 | + 23 | AddressSpace *arm_boot_address_space(ARMCPU *cpu, 24 | const struct arm_boot_info *info) 25 | { 26 | 
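Review bot: The new `NOP_PREDEFINED_DTB_MEMORY` macro can only be flipped by editing boot.c, and its comment has a typo (`configuraiton`). Wrapping the definition as `#ifndef NOP_PREDEFINED_DTB_MEMORY` / `#define NOP_PREDEFINED_DTB_MEMORY 0` / `#endif` would let a build restore the upstream behaviour with `-DNOP_PREDEFINED_DTB_MEMORY=1` instead of a source change. The comment would also read more directly as `/* Non-zero: let QEMU nop out the /memory nodes of the supplied DTB (upstream behaviour); 0: keep them. */`, matching the condition added in the arm_load_dtb hunk that follows.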
@@ -579,7 +583,8 @@ int arm_load_dtb(hwaddr addr, const struct arm_boot_info *binfo, 27 | goto fail; 28 | } 29 | while (node_path[n]) { 30 | - if (g_str_has_prefix(node_path[n], "/memory")) { 31 | + if (NOP_PREDEFINED_DTB_MEMORY && 32 | + g_str_has_prefix(node_path[n], "/memory")) { 33 | qemu_fdt_nop_node(fdt, node_path[n]); 34 | } 35 | n++; 36 | -- 37 | 2.34.1 38 | 39 | -------------------------------------------------------------------------------- /modules/apple-silicon-support/packages/uboot-asahi/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | lib, 3 | fetchFromGitHub, 4 | buildUBoot, 5 | m1n1, 6 | }: 7 | 8 | (buildUBoot rec { 9 | src = fetchFromGitHub { 10 | # tracking: https://pagure.io/fedora-asahi/uboot-tools/commits/main 11 | owner = "AsahiLinux"; 12 | repo = "u-boot"; 13 | rev = "asahi-v2024.10-1"; 14 | hash = "sha256-gtXt+BglBdEKW7j3U2x2QeKGeDH1FdmAMPXk+ntkROo="; 15 | }; 16 | version = "2024.10-1-asahi"; 17 | 18 | defconfig = "apple_m1_defconfig"; 19 | extraMeta.platforms = [ "aarch64-linux" ]; 20 | filesToInstall = [ 21 | "u-boot-nodtb.bin.gz" 22 | "m1n1-u-boot.bin" 23 | ]; 24 | extraConfig = '' 25 | CONFIG_IDENT_STRING=" ${version}" 26 | CONFIG_VIDEO_FONT_4X6=n 27 | CONFIG_VIDEO_FONT_8X16=n 28 | CONFIG_VIDEO_FONT_SUN12X22=n 29 | CONFIG_VIDEO_FONT_16X32=y 30 | CONFIG_CMD_BOOTMENU=y 31 | ''; 32 | }).overrideAttrs 33 | (o: { 34 | # nixos's downstream patches are not applicable 35 | patches = [ 36 | ]; 37 | 38 | # DTC= flag somehow breaks DTC compilation so we remove it 39 | makeFlags = builtins.filter (s: (!(lib.strings.hasPrefix "DTC=" s))) o.makeFlags; 40 | 41 | preInstall = '' 42 | # compress so that m1n1 knows U-Boot's size and can find things after it 43 | gzip -n u-boot-nodtb.bin 44 | cat ${m1n1}/build/m1n1.bin arch/arm/dts/t[68]*.dtb u-boot-nodtb.bin.gz > m1n1-u-boot.bin 45 | ''; 46 | }) 47 | -------------------------------------------------------------------------------- /hosts/tegan.nix: 
-------------------------------------------------------------------------------- 1 | # This machine was installed using the NixOS installer on an sdcard as described here: 2 | # https://github.com/NixOS/nixos-hardware/tree/master/milkv/pioneer 3 | # The machine uses the bootloader from the original installer sdcard image and needs it for booting. 4 | # After installation we moved the /boot/extlinux.conf on the sdcard so that linux boot will no longer try to boot from it and uses extlinux configuration from the NVME instead. 5 | # The NVME also still contains an EFI boot parition, but that one is no longer used for booting. 6 | { pkgs, lib, ... }: 7 | { 8 | imports = [ 9 | ../modules/nfs/client.nix 10 | ]; 11 | 12 | boot.loader = { 13 | grub.enable = lib.mkDefault false; 14 | generic-extlinux-compatible.enable = lib.mkDefault true; 15 | }; 16 | 17 | boot.kernelParams = [ "isolcpus=56-63" ]; 18 | 19 | networking.hostName = "tegan"; 20 | 21 | system.stateVersion = "24.05"; 22 | 23 | environment.systemPackages = [ pkgs.tio ]; 24 | 25 | disko.devices.disk.main = { 26 | device = "/dev/disk/by-id/nvme-uuid.d03c809b-833e-1c48-a652-06cd6b722f1a"; 27 | type = "disk"; 28 | content = { 29 | type = "gpt"; 30 | partitions = { 31 | root = { 32 | size = "100%"; 33 | content = { 34 | type = "filesystem"; 35 | format = "ext4"; 36 | mountpoint = "/"; 37 | }; 38 | }; 39 | }; 40 | }; 41 | }; 42 | } 43 | -------------------------------------------------------------------------------- /modules/borgbackup-repos/default.nix: -------------------------------------------------------------------------------- 1 | { config, ... 
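}:
{
  fileSystems."/mnt/backup" = {
    device = "nasil1.in.tum.de:/srv/il1/share_il1/Project_DSE_NixOS_Backup";
    # NOTE(review): fsType "nfs4" combined with "vers=3" below looks contradictory;
    # confirm which protocol version the share actually serves.
    fsType = "nfs4";
    options = [
      "vers=3"
      "noatime"
      "nodiratime"
      "nofail"
    ];
  };

  # the repo directories are created by hand; the backup storage does not
  # allow the chown the generated repo services would do
  systemd.services.borgbackup-repo-nfs-share.enable = false;
  systemd.services.borgbackup-repo-nfs-home.enable = false;

  services.borgbackup.repos = {
    nfs-home = {
      user = "il1dsenixosbk";
      group = "il1dsenixosbk";
      path = "/mnt/backup/nfs-home";
      authorizedKeys = [ (builtins.readFile ./nfs-home-borgbackup.pub) ];
    };

    nfs-share = {
      user = "il1dsenixosbk";
      group = "il1dsenixosbk";
      path = "/mnt/backup/nfs-share";
      authorizedKeys = [ (builtins.readFile ./nfs-share-borgbackup.pub) ];
    };
  };

  # NOTE(review): no repo named "eve" or "nfs" is defined in this file (only
  # nfs-home and nfs-share above); these two entries look stale — confirm.
  systemd.services = {
    borgbackup-repo-eve.serviceConfig.User = "il1dsenixosbk";
    borgbackup-repo-nfs.serviceConfig.User = "il1dsenixosbk";
  };

  # the backup storage only supports a single uid.
  users.users.il1dsenixosbk = {
    isSystemUser = true;
    uid = 27741;
    group = "il1dsenixosbk";
    # NOTE(review): joerg's keys are added here as plain authorized keys, i.e.
    # without the borg-serve command restriction that the repo definitions
    # above apply to their authorizedKeys; presumably intended for maintenance
    # logins as the backup uid — confirm.
    openssh.authorizedKeys.keys = config.users.users.joerg.openssh.authorizedKeys.keys;
  };

  users.groups.il1dsenixosbk.gid = 27741;
}
-------------------------------------------------------------------------------- /modules/users/default.nix: --------------------------------------------------------------------------------
{ lib, config, ... }:
{
  imports = [
    # people working at our chair
    ./chair-members.nix
    # we put all bachelor/master students here
    ./students.nix
    # when we need to give external reviewers access for paper evaluation
    ./reviewers.nix
    # devices that just connect and do port forwarding to allow for remote access
    ./devices.nix
    # admins also have access to the monitoring / backup infrastructure
    ./admins.nix

    ./extra-user-options.nix
  ];

  config = {
    # only used by jasper atm
    programs.fish.enable = true;

    services.userborn.enable = true;

    systemd.tmpfiles.rules = builtins.map (n: "R /home/${n} - - - - -") config.users.deletedUsers;

    # we cannot use this since we no longer have the database
    programs.command-not-found.enable = false;

    # Every account that is not a system user must carry at least one of the
    # access groups the user files above are organised by, so that nobody gets
    # an account without being assigned to one of the access policies.
    #
    # The previous predicate, `lib.all (group: group != "student" || group !=
    # "staff" || ...)`, was a tautology (no single group equals all four
    # names), so the assertion could never fail.  With the corrected check any
    # user lacking an access group fails evaluation, which is the intent.
    # root is neither a system user nor a member of an access group, so it is
    # exempted explicitly.
    assertions =
      let
        accessGroups = [
          "student"
          "staff"
          "admin"
          "reviewer"
        ];
        hasAccessGroup = user: lib.any (group: lib.elem group accessGroups) user.extraGroups;
      in
      lib.mapAttrsToList (name: user: {
        assertion = user.isSystemUser || name == "root" || hasAccessGroup user;
        message = ''
          User ${name} is not in the student, staff, reviewer or admin group.
          Please add them to the correct group.
        '';
      }) config.users.users;
  };
}
-------------------------------------------------------------------------------- /docs/doctor-vms.md: --------------------------------------------------------------------------------
# doctor-VMs

We can host VMs. See `VMs` in [doctor-vms.nix](/modules/doctor-VMs.nix).

Assuming VM name `qemu1`:

- Fully exposed in our VPN at qemu1.dos.cit.tum.de
- System service: `systemctl status doctor-vm-qemu1`
- Script to start manually: `doctor-vm-qemu1`
- Disk images specified in `doctor-VMs.nix`

Example to prepare Ubuntu image:

```bash
# don't place qemu images in /home (nfs) but on /scratch!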
16 | cd /scratch/doctor-VMs 17 | # download qemu image 18 | sudo curl -O https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64-disk-kvm.img 19 | # qcow2 is more space efficient 20 | sudo qemu-img convert -O qcow2 jammy-server-cloudimg-amd64-disk-kvm.img new.qcow2 21 | sudo qemu-img resize new.qcow2 +50G 22 | # prepare cloud-init config for first ubuntu start: 23 | cloud-localds user-data.img user-data 24 | ``` 25 | 26 | Insecure example for `./user-data`: 27 | 28 | ``` 29 | #cloud-config 30 | # default username: ubuntu 31 | password: ubuntu 32 | chpasswd: { expire: False } 33 | ssh_pwauth: True 34 | ``` 35 | 36 | # Notes for doing the same with containers: 37 | 38 | - `docker run --mac-address=*` 39 | - but docker really does not want to use bridges managed by the host OS 40 | - ubuntu lxc images https://us.lxd.images.canonical.com/ 41 | - use host bridge with lxc container (lxc.net.0.{type, link, hwaddr}): https://wiki.archlinux.org/title/Linux_Containers#Host_network_configuration 42 | -------------------------------------------------------------------------------- /docs/inventory_numbers.md: -------------------------------------------------------------------------------- 1 | # Inventory numbers for the different servers 2 | 3 | ## In server room -01.01.038: 4 | 5 | ### Adelaide 6 | Server: TUM 770037965 0 7 | 8 | ### Adric (switch) 9 | Server: TUM 770042551 0 10 | 11 | ### Amy 12 | Server: TUM 720039828 0 13 | 14 | ### Astrid 15 | Missing an ID 16 | 17 | ### Bill (retired) 18 | Server: TUM 770035808 19 | 20 | ### Christina 21 | Server: TUM 770037963 0 22 | 23 | ### Clara 24 | Server: TUM 720039827 1 25 | 26 | ### Dan 27 | Missing an ID 28 | 29 | ### Graham 30 | Server: TUM 770036515 0 31 | 32 | ### Ian 33 | Missing an ID 34 | 35 | ### Irene 36 | Server: TUM 770042858 0 37 | 38 | ### Jack 39 | Server: TUM 770038030 0 40 | 41 | ### Jackson 42 | Missing an ID 43 | 44 | ### Jamie 45 | Missing an ID 46 | 47 | ### Kinoki 48 | Server: TUM 77003605 0 
49 | 50 | ### Momiji 51 | Server: TUM 770038814 0 52 | 53 | ### Nardole (retired) 54 | Server: TUM 770035807 55 | 56 | ### Mickey 57 | Missing an ID 58 | 59 | ### River 60 | Server: TUM 770037962 0 61 | 62 | ### Rose 63 | Server: TUM 720039827 0 64 | 65 | ### Ryan 66 | Server: TUM 770036516 0 67 | 68 | ### Sakura 69 | Server: TUM 770035794 70 | 71 | ### Vislor 72 | Server: TUM 770041256 0 73 | 74 | ### Wilfred 75 | Server: TUM 770037964 0 76 | 77 | ### Yasmin 78 | Server: TUM 770036267 0 79 | 80 | ### Xavier 81 | Server: TUM 770042758 82 | 83 | ## In the hardware lab 01.07.033A 84 | 85 | ### Ace 86 | 87 | ### Donna 88 | 89 | ### Ruby 90 | 91 | ### Tegan 92 | 93 | 94 | -------------------------------------------------------------------------------- /hosts/amy.nix: -------------------------------------------------------------------------------- 1 | { 2 | imports = [ 3 | ../modules/ipmi-supermicro.nix 4 | ../modules/hardware/supermicro-AS-4124GS.nix 5 | ../modules/disko-zfs.nix 6 | ../modules/nfs/client.nix 7 | 8 | ../modules/xilinx.nix 9 | ../modules/xrdp.nix 10 | 11 | ../modules/amd_sev_snp.nix 12 | # ../modules/vfio/iommu-amd.nix 13 | ../modules/dpdk.nix 14 | # ../modules/zokelmannvms.nix # ZFS pool import fails currently 15 | ]; 16 | 17 | networking.hostName = "amy"; 18 | 19 | # Configuration for zokelmannvms module (when enabled) 20 | # services.zokelmannvms.partitionUuid = "ced04b7c-f718-4997-8306-c33fb44a04e2"; 21 | 22 | # for some reason the disk naming/usage of /dev/nvme{0,1}n1 is 23 | # inconsistent on this server compared to others. Lets now be 24 | # super explicit, in case this is due to inconsistent device 25 | # naming by kernels. 
26 | disko.rootDisk = "/dev/disk/by-id/nvme-SAMSUNG_MZQL21T9HCJR-00A07_S64GNA0T724989"; 27 | 28 | simd.arch = "znver3"; 29 | system.stateVersion = "22.11"; 30 | 31 | boot.hugepages1GB.number = 0; 32 | # boot.hugepages2MB.number = 0; 33 | boot.hugepages2MB.number = 34 | let 35 | gb = 1500; 36 | in 37 | gb * 1024 / 2; 38 | 39 | networking.doctor-bridge.enable = true; 40 | 41 | # manually added to load xilinx from 42 | fileSystems."/share" = { 43 | device = "nfs:/export/share"; 44 | fsType = "nfs4"; 45 | options = [ 46 | "nofail" 47 | "ro" 48 | "timeo=14" 49 | ]; 50 | }; 51 | } 52 | -------------------------------------------------------------------------------- /modules/nvidia-jetson-passthru/patches/0003-Print-irqs.patch: -------------------------------------------------------------------------------- 1 | From 5160c034a3a772f36131a3f13953911f1aa0a0a7 Mon Sep 17 00:00:00 2001 2 | From: Juan Pablo Ruiz 3 | Date: Tue, 12 Nov 2024 21:31:11 +0000 4 | Subject: [PATCH 3/4] Print irqs 5 | 6 | Signed-off-by: Juan Pablo Ruiz 7 | --- 8 | hw/vfio/platform.c | 14 ++++++++++++++ 9 | 1 file changed, 14 insertions(+) 10 | 11 | diff --git a/hw/vfio/platform.c b/hw/vfio/platform.c 12 | index a85c199c76..76b2f0acb9 100644 13 | --- a/hw/vfio/platform.c 14 | +++ b/hw/vfio/platform.c 15 | @@ -364,6 +364,14 @@ static int vfio_set_resample_eventfd(VFIOINTp *intp) 16 | return 0; 17 | } 18 | 19 | +struct IRQState_t { 20 | + Object parent_obj; 21 | + 22 | + qemu_irq_handler handler; 23 | + void *opaque; 24 | + int n; 25 | +}; 26 | + 27 | /** 28 | * vfio_start_irqfd_injection - starts the virtual IRQ injection using 29 | * irqfd 30 | 
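Review bot: `struct IRQState_t` re-declares the field layout of QEMU's private `struct IRQState` (hw/core/irq.c) so that the cast in the following hunk can read `->n`; nothing ties the two definitions together, so a field added upstream would silently make `v1->n` read the wrong word. A comment should state that dependency, e.g. `/* Mirror of struct IRQState in hw/core/irq.c, kept in sync by hand; only used by the debug print in vfio_start_irqfd_injection */`. Since this is a debug-only patch, saying so in the commit message would also help whoever rebases it onto a newer QEMU.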
@@ -385,6 +393,12 @@ static void vfio_start_irqfd_injection(SysBusDevice *sbdev, qemu_irq irq) 31 | 32 | QLIST_FOREACH(intp, &vdev->intp_list, next) { 33 | if (intp->qemuirq == irq) { 34 | + // Print the virtual IRQ assgined to each device 35 | + if(intp->qemuirq){ 36 | + struct IRQState_t *v1; 37 | + v1 = (struct IRQState_t*)intp->qemuirq; 38 | + info_report("QEMU IRQ No: 0x%X, dec: %d, pin: %d", v1->n, v1->n, intp->pin); 39 | + } 40 | break; 41 | } 42 | } 43 | -- 44 | 2.34.1 45 | 46 | -------------------------------------------------------------------------------- /modules/nvidia-orin-agx.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... }: { 2 | imports = [ 3 | ../modules/podman.nix 4 | ]; 5 | 6 | # tpm-tis does not exists; 7 | boot.initrd.systemd.tpm2.enable = false; 8 | 9 | boot.initrd.systemd.emergencyAccess = "$6$ezQIHzACzYp4zwHi$IAsJI6zHUXYuhv0NVlk5CiRj1B8DT/yGzjSFev2ZjovvSHkY4/YJ2/c9gnJvc7T7nF/0jt9icihJXpAuvsciS."; 10 | boot.initrd.availableKernelModules = [ "nvme" "usbhid" "usb_storage" "sdhci_tegra" ]; 11 | 12 | hardware.nvidia-jetpack.enable = true; 13 | hardware.nvidia-jetpack.som = "orin-agx"; 14 | hardware.nvidia-jetpack.carrierBoard = "devkit"; 15 | 16 | services.xserver.displayManager.lightdm.enable = true; 17 | 18 | # x11 requires modesetting to be disabled 19 | hardware.nvidia-jetpack.modesetting.enable = false; 20 | 21 | # This is how to start a container to mount nvidia gpu into the container. However the listed pytorch module seems to be not compatible with the host cuda driver. 
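Review bot: `v1 = (struct IRQState_t*)intp->qemuirq;` reinterprets the opaque `qemu_irq` through `struct IRQState_t`, a copy of QEMU's IRQ state declared locally in the preceding hunk, so the printed `v1->n` is only right while that copy matches the layout the QEMU tree this patch lands in actually uses — if a later QEMU changes it, the read silently returns garbage or runs past the object. Use QEMU's own definition or an accessor rather than a private mirror, and fix the comment typo: `// Print the virtual IRQ assigned to each device`. The inner `if(intp->qemuirq)` is redundant unless `irq` itself can be NULL, since the enclosing `if (intp->qemuirq == irq)` already matched it. `info_report` on every irqfd start is debug output; a trace event is the usual way to keep this in a shipped passthrough module. `vfio_start_irqfd_injection` continues outside the hunk.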
22 | # $ sudo podman run -ti --rm --device=nvidia.com/gpu=all --net=host -e DISPLAY=$DISPLAY -v /tmp/.X11-unix/:/tmp/.X11-unix nvcr.io/nvidia/l4t-pytorch:r35.1.0-pth1.11-py3 23 | virtualisation.podman.enableNvidia = true; 24 | # NOTE(review): boot.initrd.systemd.emergencyAccess above is a SHA-512 crypt password hash committed in clear to this repository; it unlocks the initrd emergency shell for anyone who cracks it offline. Move the hash into sops (or set emergencyAccess = false) rather than keeping it in git. 25 | environment.systemPackages = [ 26 | # > nvidia-ctk cdi list 27 | # nvidia.com/gpu=0 28 | # nvidia.com/gpu=all 29 | 30 | config.hardware.nvidia-jetpack.devicePkgs.nvidia-ctk 31 | ]; 32 | 33 | # overrides latest-zfs kernel with kernel also set in modules/apple-silicon-support/modules/kernel/default.nix 34 | boot.kernelPackages = lib.mkForce config.hardware.nvidia-jetpack.devicePkgs.kernelPackages; 35 | } 36 | -------------------------------------------------------------------------------- /pkgs/kernels/linux-uintr.nix: -------------------------------------------------------------------------------- 1 | { pkgs, lib, fetchFromGitHub, buildLinux, modDirVersionArg ? null, ... }@args: 2 | buildLinux (args // rec { 3 | version = "6.0"; 4 | modDirVersion = "6.0.0"; 5 | # modDirVersion = "6.6.56"; 6 | # NOTE(review): 6.0 is long out of upstream support and the source below is a third-party fork pinned by rev + hash; treat hosts booting this kernel as research-only and keep them off anything exposed. 7 | # src = pkgs.linuxPackages_6_6.kernel.src; 8 | /*src = fetchFromGitHub { 9 | owner = "Meandres"; 10 | repo = "linux"; 11 | rev = "7748b27fd6fb75621d7ff5e7ff5ec359f5a96613"; 12 | sha256 = "sha256-dWiGPhRoYtesaun+umDd9OPg6vD2pV3quQv5vZQaJrQ="; 13 | };*/ 14 | 15 | /*src = fetchFromGitHub { 16 | owner = "intel"; 17 | repo = "uintr-linux-kernel"; 18 | rev = "9a56ee83edfc42c8df41f6983096e8ab1a890ecd"; 19 | sha256 = "sha256-C6QlavVWd3W84mjTRy1rdGX2Li5mk3jt3/y2ZO7JM1o="; 20 | };*/ 21 | 22 | src = fetchFromGitHub { 23 | owner = "yhtzd"; 24 | repo = "uintr-linux-kernel"; 25 | rev = "52cbe519c39cf035b981f07f8c653a58cbdadac8"; 26 | sha256 = "sha256-acfaUQELGip6PQ+PWjJLp1Jl99lv+uHbQSKk6dJoYZ8="; 27 | }; 28 | 29 | kernelPatches = [{ 30 | name = "uintr-config"; 31 | patch = null; #./uintr.patch; 32 | extraConfig = '' 33 | X86_X2APIC y 34 | X86_MCE y 35 | KVM y 36 | KVM_INTEL y 37 | X86_USER_INTERRUPTS y 38 | X86_UINTR_BLOCKING n 39 | ''; 40 | # maybe enable
X86_UINTR_BLOCKING later on 41 | }]; #++ pkgs.linuxPackages_6_6.kernel.kernelPatches; 42 | extraMeta.branch = version; 43 | ignoreConfigErrors = false; 44 | } // (args.argsOverride or { })) 45 | -------------------------------------------------------------------------------- /modules/apple-silicon-support/packages/mesa-asahi-edge/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | lib, 3 | fetchFromGitLab, 4 | mesa, 5 | }: 6 | 7 | (mesa.override { 8 | galliumDrivers = [ 9 | "softpipe" 10 | "llvmpipe" 11 | "asahi" 12 | ]; 13 | vulkanDrivers = [ 14 | "swrast" 15 | "asahi" 16 | ]; 17 | }).overrideAttrs 18 | (oldAttrs: { 19 | version = "25.0.0-asahi"; 20 | src = fetchFromGitLab { 21 | # tracking: https://pagure.io/fedora-asahi/mesa/commits/asahi 22 | domain = "gitlab.freedesktop.org"; 23 | owner = "asahi"; 24 | repo = "mesa"; 25 | rev = "asahi-20241211"; 26 | hash = "sha256-Ny4M/tkraVLhUK5y6Wt7md1QBtqQqPDUv+aY4MpNA6Y="; 27 | }; 28 | 29 | mesonFlags = 30 | let 31 | badFlags = [ 32 | "-Dinstall-mesa-clc" 33 | "-Dopencl-spirv" 34 | "-Dgallium-nine" 35 | ]; 36 | isBadFlagList = f: builtins.map (b: lib.hasPrefix b f) badFlags; 37 | isGoodFlag = f: !(builtins.foldl' (x: y: x || y) false (isBadFlagList f)); 38 | in 39 | (builtins.filter isGoodFlag oldAttrs.mesonFlags) 40 | ++ [ 41 | # we do not build any graphics drivers these features can be enabled for 42 | "-Dgallium-va=disabled" 43 | "-Dgallium-vdpau=disabled" 44 | "-Dgallium-xa=disabled" 45 | ]; 46 | 47 | # replace patches with ones tweaked slightly to apply to this version 48 | patches = [ 49 | ./opencl.patch 50 | ]; 51 | 52 | postInstall = 53 | (oldAttrs.postInstall or "") 54 | + '' 55 | # we don't build anything to go in this output but it needs to exist 56 | touch $spirv2dxil 57 | ''; 58 | }) 59 | -------------------------------------------------------------------------------- 
/modules/apple-silicon-support/packages/linux-asahi/0001-fs-fcntl-accept-more-values-as-F_DUPFD_CLOEXEC-args.patch: -------------------------------------------------------------------------------- 1 | From 0fcdbacd8b06c24f5761a0cf9cb0c43cad05c19b Mon Sep 17 00:00:00 2001 2 | From: Thomas Watson 3 | Date: Mon, 26 Feb 2024 19:51:12 -0600 4 | Subject: [PATCH] fs/fcntl: accept more values as F_DUPFD_CLOEXEC args 5 | 6 | libwebrtc doesn't pass anything as the arg to this function so the 7 | minimum fd ends up as random garbage. If it's bigger than the maximum 8 | fd, which is likely, then the duplication fails, and libwebrtc breaks. 9 | 10 | The previous patch (081abc5fa701738699705a6c0a41c824df77cb37) rejects 11 | args >= 1024 (the default soft max fd) and instead subtitutes a minimum 12 | fd of 0 to allow such requests to succeed. 13 | 14 | However, gnulib's test suite can pass the following values and expects 15 | them to fail; this patch prevents those from succeeding: 16 | * -1 (hard-coded) 17 | * 1024 (`ulimit -n` value by default) 18 | * 1048576 (`ulimit -n` value in Nix build sandbox) 19 | 20 | Hopefully the garbage values libwebrtc passes do not match very often. 21 | --- 22 | fs/fcntl.c | 2 +- 23 | 1 file changed, 1 insertion(+), 1 deletion(-) 24 | 25 | diff --git a/fs/fcntl.c b/fs/fcntl.c 26 | index f18f87419445..65a6861476ec 100644 27 | --- a/fs/fcntl.c 28 | +++ b/fs/fcntl.c 29 | 
@@ -326,7 +326,7 @@ static long do_fcntl(int fd, unsigned int cmd, unsigned long arg, 30 | err = f_dupfd(argi, filp, 0); 31 | break; 32 | case F_DUPFD_CLOEXEC: 33 | - if (arg >= 1024) 34 | + if ((arg > 1024) && (argi != 1048576) && (argi != -1)) 35 | argi = 0; /* Lol libwebrtc */ 36 | err = f_dupfd(argi, filp, O_CLOEXEC); 37 | break; 38 | -- 39 | 2.43.0 40 | 41 | -------------------------------------------------------------------------------- /modules/swiss-knife/network.nix: -------------------------------------------------------------------------------- 1 | { lib, config, ... }: 2 | let 3 | concatAttrs = attrList: lib.fold (x: y: x // y) { } attrList; 4 | in 5 | { 6 | options = { 7 | networking.doctorwho.swissknife.macs = lib.mkOption { 8 | type = with lib.types; listOf str; 9 | description = '' 10 | Mac address of our internal 10G interface. 11 | We use these macs to rename our interfaces. 12 | ''; 13 | }; 14 | }; 15 | config = { 16 | systemd.network.links = concatAttrs ( 17 | lib.imap0 (num: mac: { 18 | "05-swissknife${toString num}".extraConfig = '' 19 | [Match] 20 | MACAddress = ${mac} 21 | Type = ether 22 | 23 | [Link] 24 | Name = swissknife${toString num} 25 | ''; 26 | }) config.networking.doctorwho.swissknife.macs 27 | ); 28 | 29 | systemd.network.networks = concatAttrs ( 30 | lib.imap0 (num: mac: { 31 | "05-swissknife${toString num}".extraConfig = '' 32 | [Match] 33 | MACAddress = ${mac} 34 | 35 | [Network] 36 | DNSSEC = no 37 | DHCP = no 38 | LLMNR = yes 39 | MulticastDNS = yes 40 | LinkLocalAddressing = yes 41 | Address = 192.168.55.${toString (num + 1)}/24 42 | Address = fd00::${toString (num + 1)}/64 43 | IPForward = yes 44 | ''; 45 | }) config.networking.doctorwho.swissknife.macs 46 | ); 47 | networking.firewall.trustedInterfaces = [ 48 | "swissknife0" 49 | "swissknife1" 50 | ]; 51 | }; 52 | # Example usage on ryan: 53 | #networking.doctorwho.swissknife.macs = [ 54 | # "e4:3d:1a:72:00:f0" 55 | # "e4:3d:1a:72:00:f1" 56 | #]; 57 | } 58 | 
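Review bot: The new condition mixes operand types: `arg > 1024` tests the full `unsigned long`, while the two exclusions test the truncated `int argi`, so a negative minimum other than -1 (e.g. -2) counts as "too large" and is rewritten to 0 instead of reaching `f_dupfd` and failing as it does upstream; if that is not intended, test `argi` throughout: `if ((argi > 1024) && (argi != 1048576) && (argi != -1))`. Beyond the type issue, every process on the Asahi kernel built from this repo now gets an out-of-range F_DUPFD_CLOEXEC minimum silently turned into fd 0 rather than the EINVAL fcntl(2) documents, which matters to sandboxes and test suites that rely on that error, and 1024/1048576 are hard-coded RLIMIT_NOFILE values rather than `rlimit(RLIMIT_NOFILE)`. The `/* Lol libwebrtc */` comment should state this: `/* Asahi ABI deviation: out-of-range minimum fd becomes 0 (libwebrtc passes garbage); 1024/1048576 are the default and Nix-sandbox RLIMIT_NOFILE, kept failing for gnulib */`. `do_fcntl` continues outside the hunk.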
-------------------------------------------------------------------------------- /terraform/github-permissions/chair-members.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | chair_members = toset([ 3 | "AtsushiKoshiba", # Atsushi Koshiba 4 | "bhatotia", # Pramod Bhatotia 5 | "dgiantsidi", # Dimitra Giantsidi 6 | "dimstav23", # Dimitris Stavrakakis 7 | "harshanavkis", # Harshavardhan Unnibhavi 8 | "manosgior", # Emmanouil (Manos) Giortamis 9 | "Mic92", # Jörg Thalheim 10 | "pogobanane", # Peter Okelmann 11 | "jedichen121", # Jiyang Chen 12 | "mmisono", # Masanori Misono 13 | "Sabanic-P", # Patrick Sabanic 14 | "Meandres", # Ilya Meignan--Masson 15 | "gustifix", # Felix Gust 16 | ]) 17 | internship = toset([ 18 | ]) 19 | } 20 | # NOTE(review): role = "admin" is the organization-owner role in the GitHub provider (confirm against the provider docs), so every chair member becomes an owner of all five organizations and everyone added to local.internship an owner of TUM-DSE; prefer role = "member" plus team permissions wherever owner rights are not actually needed. 21 | resource "github_membership" "TUM-DSE" { 22 | for_each = setunion(local.chair_members,local.internship) 23 | username = each.value 24 | role = "admin" 25 | provider = github.TUM-DSE 26 | } 27 | 28 | resource "github_membership" "ls1-courses" { 29 | for_each = local.chair_members 30 | username = each.value 31 | role = "admin" 32 | provider = github.ls1-courses 33 | } 34 | 35 | resource "github_membership" "ls1-cloud-lab-course" { 36 | for_each = local.chair_members 37 | username = each.value 38 | role = "admin" 39 | provider = github.ls1-cloud-lab-course 40 | } 41 | 42 | resource "github_membership" "ls1-sys-prog-course" { 43 | for_each = local.chair_members 44 | username = each.value 45 | role = "admin" 46 | provider = github.ls1-sys-prog-course 47 | } 48 | 49 | resource "github_membership" "ls1-adv-sys-prog-course" { 50 | for_each = local.chair_members 51 | username = each.value 52 | role = "admin" 53 | provider = github.ls1-adv-sys-prog-course 54 | } 55 | -------------------------------------------------------------------------------- /modules/dax.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | lib, 4 | pkgs, 5 | ...
6 | }: 7 | { 8 | options = { 9 | doctorwho.pmem.devices = lib.mkOption { 10 | description = "List of pmem devices to mount"; 11 | type = lib.types.listOf lib.types.str; 12 | default = [ "pmem0" ]; 13 | }; 14 | }; 15 | # This is used for persistent memory 16 | config = { 17 | # To create/configure pmem devices 18 | environment.systemPackages = [ (pkgs.callPackage ../pkgs/ipmctl.nix { }) ]; 19 | 20 | # enable dax option for fs 21 | boot.kernelPatches = [ 22 | { 23 | name = "daxfs-config"; 24 | patch = null; 25 | extraConfig = '' 26 | FS_DAX y 27 | ''; 28 | } 29 | ]; 30 | # Create a directory for every user on every device. Mode 0755 makes each user's directory readable by every other local user; use 0700 if per-user pmem data is not meant to be shared. Directories of deleted users are removed recursively (the R rule). 31 | systemd.tmpfiles.rules = 32 | let 33 | loginUsers = lib.filterAttrs (_n: v: v.isNormalUser) config.users.users; 34 | forDevice = 35 | device: 36 | (lib.mapAttrsToList (n: _v: "d /mnt/${device}/${n} 0755 ${n} users -") loginUsers) 37 | ++ (builtins.map (n: "R /mnt/${device}/${n} - - - - -") config.users.deletedUsers); 38 | in 39 | lib.flatten (builtins.map forDevice config.doctorwho.pmem.devices); 40 | 41 | # Create a mountpoint for every pmem device. autoFormat (below) runs mkfs on a device whose filesystem is not recognized, so a namespace re-created with ipmctl comes up empty after the next boot instead of failing to mount — confirm that is acceptable before adding devices; nofail keeps the boot going when a device is absent.
42 | fileSystems = 43 | let 44 | devices = lib.genAttrs config.doctorwho.pmem.devices (name: name); 45 | in 46 | lib.mapAttrs' ( 47 | dev: _: 48 | lib.nameValuePair "/mnt/${dev}" { 49 | device = "/dev/${dev}"; 50 | fsType = "ext4"; 51 | autoFormat = true; 52 | options = [ 53 | "nofail" 54 | "dax" 55 | ]; 56 | } 57 | ) devices; 58 | }; 59 | } 60 | -------------------------------------------------------------------------------- /hosts/rose.nix: -------------------------------------------------------------------------------- 1 | { 2 | imports = [ 3 | ../modules/ipmi-supermicro.nix 4 | ../modules/hardware/supermicro-AS-4124GS.nix 5 | ../modules/nfs/client.nix 6 | ../modules/disko-zfs.nix 7 | 8 | ../modules/intel-fpgas.nix 9 | ../modules/xilinx.nix 10 | ../modules/xrdp.nix 11 | 12 | ../modules/amd_sev_snp.nix 13 | #../modules/amd_sev_svsm.nix 14 | ../modules/vfio/iommu-amd.nix 15 | ../modules/dpdk.nix 16 | # ../modules/zokelmannvms.nix # ZFS pool import fails currently 17 | ]; 18 | 19 | disko.rootDisk = "/dev/disk/by-id/nvme-SAMSUNG_MZQL21T9HCJR-00A07_S64GNA0T724988"; 20 | 21 | # Configuration for zokelmannvms module (when enabled) 22 | # services.zokelmannvms.partitionUuid = "ced04b7c-f718-4997-8306-c33fb44a04e2"; 23 | 24 | boot.hugepages1GB.number = 0; 25 | # boot.hugepages2MB.number = 0; 26 | boot.hugepages2MB.number = 27 | let 28 | gb = 1500; 29 | in 30 | gb * 1024 / 2; 31 | # blacklist kernel module that conflicts with the Intel FPGA OpenCL driver 32 | boot.blacklistedKernelModules = [ "altera_cvp" ]; 33 | 34 | networking.hostName = "rose"; 35 | 36 | simd.arch = "znver3"; 37 | system.stateVersion = "22.11"; 38 | 39 | # peters benchmarks seem to trigger envfs to hang up, rendering the enire system unusable 40 | services.envfs.enable = false; 41 | 42 | # manually added to load xilinx from 43 | fileSystems."/share" = { 44 | device = "nfs:/export/share"; 45 | fsType = "nfs4"; 46 | options = [ 47 | "nofail" 48 | "ro" 49 | "timeo=14" 50 | ]; 51 | }; 52 | 53 | # Don't 
manage vnet interface with systemd-networkd 54 | systemd.network.networks."05-rose_vnet".extraConfig = '' 55 | [Match] 56 | Name = vnet* 57 | [Link] 58 | Unmanaged = yes 59 | ''; 60 | } 61 | -------------------------------------------------------------------------------- /hosts/graham.nix: -------------------------------------------------------------------------------- 1 | { lib, ... }: { 2 | imports = [ 3 | ../modules/xilinx.nix 4 | ../modules/xrdp.nix 5 | ../modules/hardware/poweredge7515.nix 6 | ../modules/nfs/client.nix 7 | ../modules/buildbot/worker.nix 8 | #../modules/amd_sev.nix 9 | ../modules/amd_sev_snp-6.8.nix 10 | ../modules/dpdk.nix 11 | ../modules/vfio/iommu-amd.nix 12 | ../modules/disko-zfs.nix 13 | ../modules/kata-container 14 | ]; 15 | 16 | boot.hugepages1GB.number = 0; 17 | boot.hugepages2MB.number = 18 | let 19 | gb = 300; 20 | in 21 | gb * 1024 / 2; 22 | 23 | networking.hostName = "graham"; 24 | 25 | disko.rootDisk = "/dev/disk/by-id/nvme-SAMSUNG_MZ1L23T8HBLA-00A07_S667NJ0T732147"; 26 | 27 | # In https://github.com/nix-community/srvos/pull/523 we decreased this to 15s. 28 | # However we saw sporadic watchdog events after that. Let's try 20s again. 
29 | systemd.watchdog.runtimeTime = lib.mkForce "20s"; 30 | 31 | # 10GbE NICs for network benchmarks: 32 | # Broadcom BCM57416 NetXtreme-E Dual-Media 33 | # - e4:3d:1a:71:d6:b0 34 | # - e4:3d:1a:71:d6:b1 35 | 36 | # 10GbE NICs for university network 37 | # Broadcom BCM57416 NetXtreme-E Dual-Media 38 | # - 2c:ea:7f:af:57:18 39 | # - 2c:ea:7f:af:57:19 40 | # 41 | # IPMI/BMC: 42 | # - d0:8e:79:ba:02:1a 43 | 44 | simd.arch = "znver3"; 45 | 46 | system.stateVersion = "21.05"; 47 | 48 | networking.doctor-bridge.enable = true; 49 | 50 | # Only allow port forwarding so we can connect remotely. Note: PermitTTY no does not block command execution (ssh pixel8@graham some-command still runs), and AllowTcpForwarding yes without a PermitOpen list lets this account forward to any host graham can reach; add ForceCommand and PermitOpen if the account is meant to be forwarding-only. 51 | services.openssh.extraConfig = '' 52 | Match User pixel8 53 | AllowTcpForwarding yes 54 | X11Forwarding no 55 | AllowAgentForwarding no 56 | PermitTunnel no 57 | PermitTTY no 58 | PasswordAuthentication no 59 | Match all # end match block 60 | ''; 61 | } 62 | -------------------------------------------------------------------------------- /docs/adric.md: -------------------------------------------------------------------------------- 1 | # Adric 32 port 100G switch 2 | 3 | - hw spec: 4 | - Broadcom N8550-32C switch 5 | - Chip: Broadcom BCM56870 Trident III 6 | - https://www.fs.com/products/107081.html 7 | - how to install: 8 | - put image onto usb 9 | - connect to switch via ethernet 10 | - make switch get ip address via dhcp 11 | - connect to the switch's ONIE via telnet (cleartext; only over a trusted link) 12 | - 64:9d:99:3b:18:b4 adric 13 | - how to get our DACs working 14 | - support: turn on RS FEC 15 | - doesn't help 16 | - Intel-verified transceiver, 150 EUR: https://www.mouser.de/ProductDetail/Intel/SPTMBP1PMCDF?qs=DRkmTr78QAS5rHwd1vRkiQ%3D%3D 17 | 18 | ### FSOS (current OS) 19 | 20 | - Serial console: run on christina `sudo picocom -b 115200 /dev/ttyUSB0` (username: admin, pw: as for ipmi) 21 | - find docs by googling `fsos fs.com somekeyword` 22 | - [Reference Guide](https://img-en.fs.com/file/user_manual/n-series-switches-fsos-cli-reference-guide.pdf), 23 | - [Configuration
Guide](https://img-en.fs.com/file/user_manual/n-series-switches-fsos-configuration-guide.pdf) 24 | - [Documentation backup on archive.org](https://archive.org/details/n-series-switches-fsos-cli-reference-guide) 25 | - enable dhcp client: 26 | - config vlan 1000 interface 100g 1/0/1 port ip address dhcp enable 27 | - dump config: `show startup-config` (see `sops hosts/adric.cfg.sops`) 28 | 29 | ### SONiC OS 30 | 31 | - SONiC OS material: 32 | - SONiC user guide: https://github.com/sonic-net/SONiC/blob/master/doc/SONiC-User-Manual.md 33 | - SONiC CLI guide: https://github.com/sonic-net/sonic-utilities/blob/master/doc/Command-Reference.md 34 | - relevant commands: `show` and its counterpart `sudo config` 35 | - use `/etc/config_db.json` with `sudo config reload` and `config save` to persist changes ([manual](https://github.com/sonic-net/SONiC/blob/master/doc/SONiC-User-Manual.md#3321-modify-config_dbjson)) 36 | -------------------------------------------------------------------------------- /modules/nix-daemon.nix: -------------------------------------------------------------------------------- 1 | { lib, config, pkgs, self, ... }: 2 | 3 | let 4 | gcc-system-features = 5 | arch: 6 | lib.optionals (arch != null) ( 7 | [ "gccarch-${arch}" ] ++ map (x: "gccarch-${x}") lib.systems.architectures.inferiors.${arch} 8 | ); 9 | in 10 | { 11 | options = { 12 | simd.arch = lib.mkOption { 13 | type = with lib.types; nullOr str; 14 | default = null; 15 | description = '' 16 | Microarchitecture string for nixpkgs.hostPlatform.gcc.march and to generate system-features.
17 | Can be determined with: gcc -march=native -Q --help=target | grep march 18 | ''; 19 | }; 20 | }; 21 | 22 | imports = [ ./builder.nix ]; 23 | 24 | config = { 25 | nix = { 26 | package = lib.mkIf (!pkgs.stdenv.hostPlatform.isRiscV) 27 | self.inputs.nix-1.packages.${pkgs.stdenv.hostPlatform.system}.nix; 28 | gc.automatic = true; 29 | gc.dates = "03:15"; 30 | gc.options = "--delete-older-than 14d"; 31 | 32 | # https://github.com/NixOS/nix/issues/719 33 | 34 | settings = { 35 | keep-outputs = true; 36 | keep-derivations = true; 37 | # in zfs we trust. NOTE(review): the `or` on the next line is Nix's attribute-default operator (`a.b or default`), not boolean or, and unary `!` binds before `!=`, so the expression evaluates as `(!config.boot.isContainer) != "zfs"`, which is always true — the zfs check is never consulted and fsync-metadata stays on. Spell the intended boolean out, probably `!config.boot.isContainer && config.fileSystems."/".fsType != "zfs"`. 38 | fsync-metadata = lib.boolToString ( 39 | !config.boot.isContainer or config.fileSystems."/".fsType != "zfs" 40 | ); 41 | substituters = [ 42 | "https://nix-community.cachix.org" 43 | "https://tum-dse.cachix.org" 44 | ]; 45 | system-features = [ 46 | "benchmark" 47 | "big-parallel" 48 | "kvm" 49 | "nixos-test" 50 | ] ++ gcc-system-features config.simd.arch; 51 | trusted-public-keys = [ 52 | "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" 53 | "tum-dse.cachix.org-1:v67rK18oLwgO0Z4b69l30SrV1yRtqxKpiHodG4YxhNM=" 54 | ]; 55 | }; 56 | }; 57 | }; 58 | } 59 | -------------------------------------------------------------------------------- /terraform/github-permissions/adv-sys-prog-tutors.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | adv-sys-prog-tutors = toset([ 3 | "julianpritzi", # Julian Pritzi 4 | "taugoust", # Theofilos Augoustis 5 | "Simon04090", # Simon Kammermeier 6 | "FreakyPenguin", # Antoine Kaufmann 7 | ]) 8 | 9 | adv-sys-prog-upstreams = toset([ 10 | "anti-cheat", 11 | "adv-sys-prog-0-container", 12 | "adv-sys-prog-0-container-solution", 13 | "adv-sys-prog-1-unikernel", 14 | "adv-sys-prog-1-unikernel-solution", 15 | "adv-sys-prog-2-kvm", 16 | "adv-sys-prog-2-kvm-solution", 17 | "adv-sys-prog-4-fuzzing", 18 | "adv-sys-prog-4-fuzzing-solution", 19 | "adv-sys-prog-3-secure-vm", 20 | "adv-sys-prog-3-secure-vm-solution", 21 |
"adv-sys-prog-5-simbrick", 22 | "adv-sys-prog-5-simbrick-solution", 23 | ]) 24 | } 25 | 26 | resource "github_team" "adv_sys_prog_tutors_team" { 27 | provider = github.ls1-courses 28 | name = "adv-sys-prog-tutors" 29 | description = "Tutors of the adv-sys-prog course, improving it and helping students" 30 | privacy = "closed" 31 | } 32 | 33 | resource "github_team_membership" "adv_sys_prog_tutors_membership" { 34 | provider = github.ls1-courses 35 | team_id = github_team.adv_sys_prog_tutors_team.id 36 | for_each = local.adv-sys-prog-tutors 37 | username = each.value 38 | role = "member" 39 | } 40 | 41 | resource "github_team_repository" "adv_sys_prog_team_repositories" { 42 | provider = github.ls1-courses 43 | team_id = github_team.adv_sys_prog_tutors_team.id 44 | for_each = local.adv-sys-prog-upstreams 45 | repository = each.value 46 | permission = "push" 47 | } 48 | 49 | resource "github_membership" "adv_sys_prog_tutors_ls1-adv-sys-prog-course" { 50 | for_each = local.adv-sys-prog-tutors 51 | username = each.value 52 | role = "admin" 53 | provider = github.ls1-adv-sys-prog-course 54 | } 55 | --------------------------------------------------------------------------------