firewall rules

commit working state
attempt making pytorch work
2026-03-16 16:07:32 +01:00 · 2026-02-28 16:35:41 +01:00 · 2026-02-28 16:34:56 +01:00 · 2026-02-28 16:34:38 +01:00 · 2026-02-28 16:34:11 +01:00 · 2026-02-28 16:33:52 +01:00
5 changed files with 117 additions and 5 deletions
--- a/modules/nixos/desktop-environment/default.nix
+++ b/modules/nixos/desktop-environment/default.nix
@@ -48,11 +48,37 @@ in {
        enable = true;
      };
      services.desktopManager.gnome.enable = true;
+      services.gnome.gnome-remote-desktop.enable = true;
+      systemd.services.gnome-remote-desktop = { 
+        wantedBy = [ "graphical.target" ]; # for starting the unit automatically at boot
+      };
+      services.displayManager.autoLogin.enable = false;
+      networking.firewall.allowedTCPPorts = [ 
+        3389 
+        3390 
+      ];
      environment.systemPackages = with pkgs; [
        gnome-tweaks
        gnome-software
        gnomeExtensions.pop-shell
        gnome-remote-desktop
+        glib-networking # Required gnome-remote-desktop dependency
+      ];
+      systemd.user.services.gnome-remote-desktop.environment = {
+        VK_ICD_FILENAMES = "/dev/null";
+        LIBGL_ALWAYS_SOFTWARE = "1";
+      };
+
+      systemd.services.gnome-remote-desktop.environment = {
+        VK_ICD_FILENAMES = "/dev/null";
+        LIBGL_ALWAYS_SOFTWARE = "1";
+      };
+      environment.sessionVariables.XDG_DATA_DIRS = lib.mkAfter [
+        "${pkgs.gnome-remote-desktop}/share"
+      ];
+      environment.pathsToLink = [
+        "/share/gsettings-schemas"
+        "/share"
      ];
    })

--- a/systems/x86_64-linux/drivebystation-nix/configuration.nix
+++ b/systems/x86_64-linux/drivebystation-nix/configuration.nix
@@ -47,10 +47,10 @@

  services = {
    # Enable Gnome Session
-    displayManager.gdm.enable = false;
+    displayManager.gdm.enable = true;
    displayManager.sddm.enable = false;
-    # displayManager.sddm.wayland.enable = true;
-    displayManager.cosmic-greeter.enable = true;
+    displayManager.sddm.wayland.enable = false;
+    displayManager.cosmic-greeter.enable = false;
    displayManager.defaultSession = "gnome";
    
    xserver = {
@@ -171,13 +171,15 @@
  virtualisation.libvirtd = {
    enable = true;
    qemu = {
-      package = pkgs.qemu_kvm;
+      package = pkgs.qemu_full;
      runAsRoot = true;
      swtpm.enable = true;
+      vhostUserPackages = [ pkgs.virtiofsd ];
    };
  };


+
  systemd.tmpfiles.rules = [ "L+ /var/lib/qemu/firmware - - - - ${pkgs.qemu}/share/qemu/firmware" ];
  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
@@ -196,11 +198,40 @@
  networking.firewall.allowedTCPPorts = [
    24800 #Synergy
    53317 #localsend
+    3390 #rdp
+    9090
+    8000
  ];
  networking.firewall.allowedUDPPorts = [
    24800 #Synergy
    53317 #localsend
+    3390 #rdp
+    9090
+    8000
  ];
+  networking.firewall.trustedInterfaces = [ "virbr0" ];
+  networking.nat = {
+    enable = true;
+    internalInterfaces = [ "virbr0" ];
+    externalInterface = "enp75s0";
+    extraCommands = ''
+      # MASQUERADE forwarded traffic to VM so it knows how to route back
+      iptables -t nat -A nixos-nat-post -o virbr0 -j MASQUERADE
+    '';
+    forwardPorts = [
+      {
+        sourcePort = 9090;
+        proto = "tcp";
+        destination = "192.168.122.113:9090";
+      }
+      {
+        sourcePort = 9090;
+        proto = "udp";
+        destination = "192.168.122.113:9090";
+      }
+    ];
+  };
+
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;

--- a/systems/x86_64-linux/drivebystation-nix/hardware/graphics/intel.nix
+++ b/systems/x86_64-linux/drivebystation-nix/hardware/graphics/intel.nix
@@ -26,7 +26,7 @@
    "mitigations=off"              # Disable CPU mitigations for better performance
    "module_blacklist=nouveau,nvidia,nvidia_drm,nvidia_modeset,nvidia_uvm"
  ];
-
+  services.switcherooControl.enable = true;
  environment.variables.VK_ICD_FILENAMES = "/run/opengl-driver/share/vulkan/icd.d/intel_icd.x86_64.json";
  hardware.intel-gpu-tools.enable = true;
  hardware.graphics = {
@@ -38,6 +38,7 @@
      vpl-gpu-rt             # oneVPL runtime
      intel-vaapi-driver     # fallback
      intel-compute-runtime # OpenCL/Level Zero
+      level-zero            # Level Zero API for compute
    ];
  };

@@ -66,6 +67,11 @@
    # DXVK optimizations
    DXVK_HUD = "compiler";  # Monitor shader compilation
    # DXVK_ASYNC = "1";     # Enable if you want async shader compilation (may cause issues)
+    
+    # Intel IPEX / PyTorch settings
+    ZE_ENABLE_ALT_DRIVERS = "libze_intel_gpu.so.1";  # Enable Intel GPU driver for Level Zero
+    SYCL_CACHE_PERSISTENT = "1";                      # Enable persistent SYCL cache
+    SYCL_PI_LEVEL_ZERO_USE_IMMEDIATE_COMMANDLISTS = "1";  # Performance optimization
  };


@@ -103,4 +109,15 @@
  ## User Access
  ############################
  users.users.andreas.extraGroups = [ "video" "render" ];
+  
+  ############################
+  ## System Packages for AI/ML
+  ############################
+  environment.systemPackages = with pkgs; [
+    intel-compute-runtime
+    level-zero
+    # For checking GPU compute capabilities
+    clinfo
+    vulkan-tools
+  ];
 }
--- a/systems/x86_64-linux/drivebystation-nix/hardware/graphics/passthrough_nvidia.nix
+++ b/systems/x86_64-linux/drivebystation-nix/hardware/graphics/passthrough_nvidia.nix
@@ -0,0 +1,37 @@
+{ config, lib, system, pkgs, ... }:
+{
+  boot.kernelModules = [
+    "vfio"
+    "vfio-pci"
+    "vfio_iommu_type1"
+  ];
+  boot.kernelParams = [
+    "amd_iommu=on"
+    "iommu=pt"
+  ];
+  # Make sure vfio is available inside initrd
+  boot.initrd.availableKernelModules = [
+    "vfio_pci"
+  ];
+  # Bind by IDs (cleaner via modprobe instead of kernel param)
+  boot.extraModprobeConfig = ''
+    options vfio-pci ids=10de:1b81,10de:10f0
+  '';
+  boot.initrd.preDeviceCommands = ''
+    modprobe vfio-pci
+  '';
+  # # EARLY and deterministic binding
+  # boot.initrd.preDeviceCommands = ''
+  #   echo 0000:05:00.0 > /sys/bus/pci/drivers/vfio-pci/bind
+  #   echo 0000:05:00.1 > /sys/bus/pci/drivers/vfio-pci/bind
+  # '';
+  environment.systemPackages = with pkgs; [
+    pciutils
+    virtiofsd
+    config.virtualisation.libvirtd.qemu.package
+    looking-glass-client
+    virt-manager
+    libguestfs-with-appliance
+  ];
+  users.extraUsers.andreas.extraGroups = [ "libvirtd" ];
+}
--- a/systems/x86_64-linux/drivebystation-nix/hardware/hardware-configuration.nix
+++ b/systems/x86_64-linux/drivebystation-nix/hardware/hardware-configuration.nix
@@ -8,6 +8,7 @@
    [ 
      (modulesPath + "/installer/scan/not-detected.nix")
      ./graphics/intel.nix
+      ./graphics/passthrough_nvidia.nix
      # ./graphics/intel_i915.nix
      # ./graphics/nvidia.nix
      ./acer-monitor-edid.nix
Author	SHA1	Message	Date
Andreas Schaafsma	164ed80931	firewall rules	2026-03-16 16:07:32 +01:00
Andreas Schaafsma	4a9a71bad1	commit working state	2026-02-28 16:35:41 +01:00
Andreas Schaafsma	b9da82b956	attempt making pytorch work	2026-02-28 16:34:56 +01:00
Andreas Schaafsma	bb596a794e	attempt making pytorch work	2026-02-28 16:34:38 +01:00
Andreas Schaafsma	476cab8c9d	forward 9090 to vm	2026-02-28 16:34:11 +01:00
Andreas Schaafsma	d57aeb9ef3	working passthrough support	2026-02-28 16:33:52 +01:00
Andreas Schaafsma	aaba57ee2f	add nv gpu passthrough vm setup	2026-02-26 02:47:09 +01:00