Lots of changes to the directories organisation, more work needed.

2026-05-15 10:02:29 +02:00
parent 73adb395c0
commit 24f62ec057
63 changed files with 1193 additions and 1412 deletions
@@ -0,0 +1,31 @@
+{ config, deviceType, ... }:
+
+{
+  config = mkMerge [
+    ({
+      boot = {
+        plymouth.enable = true;
+        # Enable "Silent boot"
+        consoleLogLevel = 3;
+        initrd.verbose = false;
+        loader.timeout = 1;
+      };
+    })
+
+    ( mkIf (deviceType == "computer" || deviceType == "tv") {
+    # Bootloader options
+      boot = {
+        initrd.systemd.enable = true;
+        loader.systemd-boot.enable = true;
+        loader.efi.canTouchEfiVariables = true;
+        kernelParams = [
+          "quiet"
+          "udev.log_level=3"
+          "systemd.show_status=auto"
+          "pcie_aspm=force"
+          "consoleblank=60"
+        ];
+      };
+    })
+  ];
+}
@@ -4,6 +4,8 @@
  imports = [
    # To test
    ./disks/default.nix
+    ./boot-params.nix
    ./cpu.nix
+    ./graphics.nix
  ];
 }
@@ -0,0 +1,53 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.numbus.hardware;
+in
+
+{
+  options.numbus.hardware = {
+    nvidia = {
+      enable = mkEnableOption "Wether to install the NVIDIA driver. Required for better performance with NVIDIA graphics cards."
+    }
+  }
+
+  config = mkMerge [
+    ({
+      # Enable OpenGL
+      hardware.graphics = {
+        enable = true;
+      };
+    })
+
+    ( mkIf (cfg.nvidia.enable == true) {
+      # Load nvidia driver for Xorg and Wayland
+      services.xserver.videoDrivers = [ "nvidia" ];
+
+      hardware.nvidia = {
+        # Modesetting is required.
+        modesetting.enable = true;
+        # Nvidia power management. Experimental, and can cause sleep/suspend to fail.
+        # Enable this if you have graphical corruption issues or application crashes after waking
+        # up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead 
+        # of just the bare essentials.
+        powerManagement.enable = false;
+
+        # Fine-grained power management. Turns off GPU when not in use.
+        # Experimental and only works on modern Nvidia GPUs (Turing or newer).
+        powerManagement.finegrained = false;
+
+        # Use the NVidia open source kernel module (not to be confused with the
+        # independent third-party "nouveau" open source driver).
+        # Support is limited to the Turing and later architectures. Full list of 
+        # supported GPUs is at: 
+        # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus 
+        # Only available from driver 515.43.04+
+        open = false;
+
+        nvidiaSettings = true;
+        # Optionally, you may need to select the appropriate driver version for your specific GPU.
+        package = config.boot.kernelPackages.nvidiaPackages.stable;
+      };
+    })
+  ];
+}
@@ -0,0 +1,111 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.numbus.hardware.pcie-coral;
+
+  gasket-driver = { stdenv, lib, fetchFromGitHub, kernel }: stdenv.mkDerivation rec {
+    pname = "gasket";
+    version = "1.0-18";
+
+    src = fetchFromGitHub {
+      owner = "google";
+      repo = "gasket-driver";
+      rev = "97aeba584efd18983850c36dcf7384b0185284b3";
+      sha256 = "pJwrrI7jVKFts4+bl2xmPIAD01VKFta2SRuElerQnTo=";
+    };
+
+    makeFlags = [
+      "-C"
+      "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+      "M=$(PWD)"
+    ];
+    buildFlags = [ "modules" ];
+
+    installFlags = [ "INSTALL_MOD_PATH=${placeholder "out"}" ];
+    installTargets = [ "modules_install" ];
+
+    sourceRoot = "source/src";
+    hardeningDisable = [ "pic" "format" ];
+    nativeBuildInputs = kernel.moduleBuildDependencies;
+
+    meta = with lib; {
+      description = "The Coral Gasket Driver allows usage of the Coral EdgeTPU on Linux systems.";
+      homepage = "https://github.com/google/gasket-driver";
+      license = licenses.gpl2;
+      maintainers = [ maintainers.kylehendricks ];
+      platforms = platforms.linux;
+    };
+  };
+
+  libedgetpu-pkg = { stdenv, lib, fetchFromGitHub, libusb1, abseil-cpp, flatbuffers, xxd }:
+    let
+      flatbuffers_1_12 = flatbuffers.overrideAttrs (oldAttrs: rec {
+        version = "1.12.0";
+        NIX_CFLAGS_COMPILE = "-Wno-error=class-memaccess -Wno-error=maybe-uninitialized";
+        cmakeFlags = (oldAttrs.cmakeFlags or []) ++ ["-DFLATBUFFERS_BUILD_SHAREDLIB=ON"];
+        NIX_CXXSTDLIB_COMPILE = "-std=c++17";
+        configureFlags = (oldAttrs.configureFlags or []) ++ ["--enable-shared"];
+        src = fetchFromGitHub {
+          owner = "google";
+          repo = "flatbuffers";
+          rev = "v${version}";
+          sha256 = "sha256-L1B5Y/c897Jg9fGwT2J3+vaXsZ+lfXnskp8Gto1p/Tg=";
+        };
+      });
+
+    in stdenv.mkDerivation rec {
+      pname = "libedgetpu";
+      version = "grouper";
+
+      src = fetchFromGitHub {
+        owner = "google-coral";
+        repo = pname;
+        rev = "release-${version}";
+        sha256 = "sha256-73hwItimf88Iqnb40lk4ul/PzmCNIfdt6Afi+xjNiBE=";
+      };
+
+      makeFlags = ["-f" "makefile_build/Makefile" "libedgetpu" ];
+
+      buildInputs = [
+        libusb1
+        abseil-cpp
+        flatbuffers_1_12
+      ];
+
+      nativeBuildInputs = [
+        xxd
+      ];
+
+      NIX_CXXSTDLIB_COMPILE = "-std=c++17";
+
+      TFROOT = "${fetchFromGitHub {
+        owner = "tensorflow";
+        repo = "tensorflow";
+        rev = "v2.7.4";
+        sha256 = "sha256-liDbUAdaVllB0b74aBeqNxkYNu/zPy7k3CevzRF5dk0=";
+      }}";
+
+      enableParallelBuilding = false;
+
+      installPhase = ''
+        mkdir -p $out/lib
+        cp out/direct/k8/libedgetpu.so.1.0 $out/lib
+        ln -s $out/lib/libedgetpu.so.1.0 $out/lib/libedgetpu.so.1
+        mkdir -p $out/lib/udev/rules.d
+        cp debian/edgetpu-accelerator.rules $out/lib/udev/rules.d/99-edgetpu-accelerator.rules
+      '';
+    };
+
+  gasket = config.boot.kernelPackages.callPackage gasket-driver {};
+  libedgetpu = pkgs.callPackage libedgetpu-pkg {};
+in
+
+{
+  options.numbus.hardware.pcie-coral = lib.mkEnableOption "PCIe Coral TPU support";
+
+  config = lib.mkIf cfg.enable {
+    services.udev.packages = [ "libedgetpu" ];
+    users.groups.plugdev = {};
+    boot.extraModulePackages = [ "gasket" ];
+  };
+}
@@ -0,0 +1,89 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.numbus-server.services.clamav;
+  clamav_notifier = pkgs.writeScript "clamav-notify.sh" ''
+    #!${pkgs.bash}/bin/bash
+
+    # Check if triggered by Real-time event (file exists)
+    if [ -f /var/lib/clamav/virus_event.env ]; then
+      source /var/lib/clamav/virus_event.env
+      rm /var/lib/clamav/virus_event.env
+    fi
+
+    ADMIN_EMAIL="${config.numbus-server.mail.adminAddress}"
+    USER_EMAIL="${config.numbus-server.mail.userAddress}"
+    OWNER_NAME="${config.numbus-server.owner}"
+
+    if [ -n "$CLAM_VIRUSEVENT_VIRUSNAME" ]; then
+      # --- Real-time / VirusEvent Mode ---
+      SUBJECT="Numbus Server Alert: Virus Detected (Real-time)"
+      
+      # Retrieve logs from clamav-daemon
+      LOGS=$(journalctl -u clamav-daemon.service -n 50 --no-pager | grep "FOUND")
+
+      TECH_BODY="
+      ClamAV Real-time Alert:
+      Server owner: $OWNER_NAME
+      
+      Virus detected: $CLAM_VIRUSEVENT_VIRUSNAME
+      File: $CLAM_VIRUSEVENT_FILENAME
+      
+      Logs:
+      $LOGS
+      
+      Action taken: Access blocked (OnAccessPrevention).
+      Please investigate manually.
+      "
+      
+      FRIENDLY_BODY="Cher/Chère $OWNER_NAME,
+
+      L'antivirus de votre serveur a détecté et bloqué une menace en temps réel.
+      Fichier : $CLAM_VIRUSEVENT_FILENAME
+      
+      Votre administrateur a été notifié.
+      "
+    else
+      # --- Scheduled Scan Summary Mode ---
+      SUBJECT="Numbus Server Alert: Virus Detected during Scheduled Scan"
+      
+      # Retrieve logs (clamdscan prints FOUND when a virus is detected)
+      LOGS=$(journalctl -u clamav-periodic-scan.service -n 100 --no-pager | grep "FOUND")
+      
+      TECH_BODY="
+      ClamAV Scan Alert:
+      Server owner: $OWNER_NAME
+
+      Viruses detected:
+      $LOGS
+
+      Action taken: Detection only.
+      Please investigate manually.
+      "
+      
+      FRIENDLY_BODY="Cher/Chère $OWNER_NAME,
+
+      L'antivirus de votre serveur a détecté une menace potentielle lors de l'analyse périodique.
+      Votre administrateur a été notifié avec les détails techniques.
+      Nous vous conseillons d'être prudent avec vos fichiers récents.
+      "
+    fi
+
+    printf "Subject: [ADMIN] %s\n\n%s" "$SUBJECT" "$TECH_BODY" | /run/wrappers/bin/sendmail -t "$ADMIN_EMAIL"
+    printf "Subject: [Alerte] Menace détectée sur votre serveur Numbus\n\n%s\n\nMerci de votre confiance,\nL'équipe de support,\nNumbus-Server." "$FRIENDLY_BODY" | /run/wrappers/bin/sendmail -t "$USER_EMAIL"
+  '';
+in
+
+{ 
+  config = mkIf cfg.enable {
+    systemd.services.clamav-virus-notify = {
+      description = "Email notification for ClamAV virus detection";
+      serviceConfig = {
+        Type = "oneshot";
+        ExecStart = "${clamav_notifier}";
+      };
+    };
+  };
+}
@@ -0,0 +1,55 @@
+{ config, pkgs, ... }:
+
+let
+  systemd_notifier = pkgs.writeScript "systemd-email-notify.sh" ''
+    #!${pkgs.bash}/bin/bash
+    
+    # The failing service name is passed as the first argument
+    UNIT=$1
+    
+    # 1. Send Technical Email to Admin
+    ADMIN_EMAIL="${config.numbus-server.mail.adminAddress}"
+    SUBJECT="Numbus Server Alert: Service $UNIT Failed"
+    
+    # Retrieve recent logs for context
+    LOGS=$(journalctl -u "$UNIT" -n 20 --no-pager)
+    
+    TECH_BODY="
+    Systemd Service Failure Alert:
+    Server owner: ${config.numbus-server.owner}
+    Service: $UNIT
+    
+    Recent Logs:
+    $LOGS
+    "
+    printf "Subject: [ADMIN] $SUBJECT\n\n$TECH_BODY" | /run/wrappers/bin/sendmail -t "$ADMIN_EMAIL"
+
+    # 2. Send Friendly Email to Owner
+    USER_EMAIL="${config.numbus-server.mail.userAddress}"
+    OWNER_NAME="${config.numbus-server.owner}"
+    
+    FRIENDLY_BODY="Cher/Chère $OWNER_NAME,
+
+    Votre serveur a détecté une défaillance du service $UNIT.
+    Le système a tenté de gérer l'erreur, mais une intervention peut être nécessaire.
+
+    Votre administrateur a été notifié de cet incident avec les détails techniques nécessaires.
+    Il interviendra si une action manuelle est requise.
+
+    Merci de votre confiance,
+    L'équipe de support,
+    Numbus-Server."
+    
+    printf "Subject: [Alerte] Erreur sur votre serveur Numbus\n\n$FRIENDLY_BODY" | /run/wrappers/bin/sendmail -t "$USER_EMAIL"
+  '';
+in
+{
+  systemd.services."service-failure-notify@" = {
+    description = "Email notification for failed service %i";
+    onFailure = [ ];
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = "${systemd_notifier} %i";
+    };
+  };
+}
@@ -0,0 +1,28 @@
+{ pkgs, ... }:
+
+let
+  cockpit-numbus = pkgs.stdenv.mkDerivation {
+    name = "cockpit-numbus";
+    src = ./cockpit-numbus;
+    installPhase = ''
+      mkdir -p $out/share/cockpit/numbus
+      cp -r * $out/share/cockpit/numbus
+    '';
+  };
+in
+
+{
+  services.cockpit = {
+    enable = true;
+    port = 9090;
+    openFirewall = false;
+    settings = {
+      WebService = {
+        AllowUnencrypted = true;
+      };
+    };
+  };
+
+  # Link the extension into the system cockpit path
+  environment.systemPackages = [ cockpit-numbus ];
+}