feat(infra): Internalize nix-lib, and make keys management simpler

fix(dgsi): Set to an existing version
feat(krz01): finish ollama integration and whisper.cpp
2024-10-09 18:58:46 +02:00 · 2024-10-09 18:57:06 +02:00 · 2024-10-09 13:59:05 +02:00 · 2024-10-09 12:51:14 +02:00 · 2024-10-09 09:33:57 +02:00 · 2024-10-09 09:33:57 +02:00
54 changed files with 1336 additions and 188 deletions
--- a/README.md
+++ b/README.md
@ -34,7 +34,7 @@ The second step is to find a name for this host, it must be unique from the othe

 ## Download the keys

-The public SSH keys of `host02` have to be saved to `keys/machines/host02.keys`, preferably only the `ssh-ed25519` one.
+The public SSH keys of `host02` have to be saved to `keys`, preferably only the `ssh-ed25519` one.

 It can be retreived with :

@ -91,11 +91,9 @@ The general metadata is declared in `meta/nodes.nix`, the main values to declare
 Create the directory `secrets` in the configuration folder, and add a `secrets.nix` file containing :

 ```nix
-let
-  lib = import ../../../lib { };
-in
-
-lib.setDefault { publicKeys = lib.getNodeKeys "host02"; } [ ]
+(import ../../../keys).mkSecrets [ "host02" ] [
+  # List of secrets for host02
+]
 ```

 This will be used for future secret management.
--- a/hive.nix
+++ b/hive.nix
@ -5,7 +5,7 @@ let
  sources = builtins.mapAttrs (patch.base { pkgs = import sources'.nixos-unstable { }; })
    .applyPatches' sources';

-  lib = import (sources.nix-lib + "/src/trivial.nix");
+  nix-lib = import ./lib/nix-lib;

  patch = import ./lib/nix-patches { patchFile = ./patches; };

@ -14,15 +14,12 @@ let

  mkNode = node: {
    # Import the base configuration for each node
-    imports = builtins.map (lib.mkRel (./machines/${node})) [
-      "_configuration.nix"
-      "_hardware-configuration.nix"
-    ];
+    imports = [ ./machines/${node}/_configuration.nix ];
  };

  nixpkgs' = import ./meta/nixpkgs.nix;
  # All supported nixpkgs versions, instanciated
-  nixpkgs = lib.mapSingleFuse mkNixpkgs nixpkgs'.supported;
+  nixpkgs = nix-lib.mapSingleFuse mkNixpkgs nixpkgs'.supported;

  # Get the configured nixos version for the node,
  # defaulting to the one defined in meta/nixpkgs
@ -43,10 +40,8 @@ let
  # Function to create arguments based on the node
  #
  mkArgs = node: rec {
-    lib = import sources.nix-lib {
-      inherit (nixpkgs.${version node}) lib;
-
-      keysRoot = ./keys;
+    lib = nixpkgs.${version node}.lib // {
+      extra = nix-lib;
    };

    meta = (import ./meta) lib;
@ -57,13 +52,15 @@ in

 {
  meta = {
-    nodeNixpkgs = lib.mapSingleFuse (n: nixpkgs.${version n}) nodes;
+    nodeNixpkgs = nix-lib.mapSingleFuse (n: nixpkgs.${version n}) nodes;

    specialArgs = {
      inherit nixpkgs sources;
+
+      dgn-keys = import ./keys;
    };

-    nodeSpecialArgs = lib.mapSingleFuse mkArgs nodes;
+    nodeSpecialArgs = nix-lib.mapSingleFuse mkArgs nodes;
  };

  defaults =
@ -113,4 +110,4 @@ in
      };
    };
 }
-// (lib.mapSingleFuse mkNode nodes)
+// (nix-lib.mapSingleFuse mkNode nodes)
--- a/iso/configuration.nix
+++ b/iso/configuration.nix
@ -1,7 +1,7 @@
 { lib, pkgs, ... }:

 let
-  dgn-lib = import ../lib { };
+  dgn-keys = import ../keys;

  dgn-members = (import ../meta lib).organization.groups.root;
 in
@ -34,7 +34,5 @@ in
    openssh.enable = true;
  };

-  users.users.root.openssh.authorizedKeys.keyFiles = builtins.map (
-    m: dgn-lib.mkRel ../keys "${m}.keys"
-  ) dgn-members;
+  users.users.root.openssh.authorizedKeys.keys = dgn-keys.getKeys dgn-members;
 }
--- a/keys/catvayor.keys
+++ b/keys/catvayor.keys
@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor
--- a/keys/default.nix
+++ b/keys/default.nix
@ -0,0 +1,80 @@
+let
+  _sources = import ../npins;
+
+  meta = import ../meta (import _sources.nixpkgs { }).lib;
+
+  getAttr = flip builtins.getAttr;
+
+  inherit (import ../lib/nix-lib) flip setDefault unique;
+in
+
+rec {
+  # WARNING: When updating this list, make sure that the nodes and members are alphabetically sorted
+  #          If not, you will face an angry maintainer
+  _keys = {
+    # SSH keys of the nodes
+    bridge01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5bS3iBXz8wycBnTvI5Qi79WLu0h4IVv/EOdKYbP5y7" ];
+    compute01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu" ];
+    geo01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4" ];
+    geo02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket" ];
+    krz01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4o65gWOgNrxbSd3kiQIGZUM+YD6kuZOQtblvzUGsfB" ];
+    rescue01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf" ];
+    storage01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ" ];
+    vault01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW" ];
+    web01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5" ];
+    web02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+QDE+GgZs6zONHvzRW15BzGJNW69k2BFZgB/Zh/tLX" ];
+
+    # SSH keys of the DGNum members
+    catvayor = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor"
+    ];
+    ecoppens = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA" ];
+    gdd = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ"
+    ];
+    jemagius = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F"
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxQX0JLRah3GfIOkua4ZhEJhp5Ykv55RO0SPrSUwCBs5arnALg8gq12YLr09t4bzW/NA9/jn7flhh4S54l4RwBUhmV4JSQhGu71KGhfOj5ZBkDoSyYqzbu206DfZP5eQonSmjfP6XghcWOr/jlBzw9YAAQkFxsQgXEkr4kdn0ZXfZGz6b0t3YUjYIuDNbptFsGz2V9iQVy1vnxrjnLSfc25j4et8z729Vpy4M7oCaE6a6hgon4V1jhVbg43NAE5gu2eYFAPIzO3E7ZI8WjyLu1wtOBClk1f+HMen3Tr+SX2PXmpPGb+I2fAkbzu/C4X/M3+2bL1dYjxuvQhvvpAjxFwmdoXW4gWJ3J/FRiFrKsiAY0rYC+yi8SfacJWCv4EEcV/yQ4gYwpmU9xImLaro6w5cOHGCqrzYqjZc4Wi6AWFGeBSNzNs9PXLgMRWeUyiIDOFnSep2ebZeVjTB16m+o/YDEhE10uX9kCCx3Dy/41iJ1ps7V4JWGFsr0Fqaz8mu8="
+    ];
+    luj = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower"
+    ];
+    mdebray = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris"
+    ];
+    raito = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
+    ];
+    thubrecht = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn"
+    ];
+  };
+
+  getKeys = ls: builtins.concatLists (builtins.map (getAttr _keys) ls);
+
+  mkSecrets =
+    nodes: setDefault { publicKeys = unique (rootKeys ++ (builtins.concatMap getNodeKeys' nodes)); };
+
+  getNodeKeys' =
+    node:
+    let
+      names = builtins.foldl' (names: group: names ++ meta.organization.groups.${group}) (
+        meta.nodes.${node}.admins ++ [ node ]
+      ) meta.nodes.${node}.adminGroups;
+    in
+    unique (getKeys names);
+
+  getNodeKeys = node: rootKeys ++ getNodeKeys' node;
+
+  # List of keys for the root group
+  rootKeys = getKeys meta.organization.groups.root;
+
+  # List of 'machine' keys
+  machineKeys = rootKeys ++ (getKeys (builtins.attrNames meta.nodes));
+}
--- a/keys/ecoppens.keys
+++ b/keys/ecoppens.keys
@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA
--- a/keys/gdd.keys
+++ b/keys/gdd.keys
@ -1,2 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ
--- a/keys/jemagius.keys
+++ b/keys/jemagius.keys
@ -1,2 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxQX0JLRah3GfIOkua4ZhEJhp5Ykv55RO0SPrSUwCBs5arnALg8gq12YLr09t4bzW/NA9/jn7flhh4S54l4RwBUhmV4JSQhGu71KGhfOj5ZBkDoSyYqzbu206DfZP5eQonSmjfP6XghcWOr/jlBzw9YAAQkFxsQgXEkr4kdn0ZXfZGz6b0t3YUjYIuDNbptFsGz2V9iQVy1vnxrjnLSfc25j4et8z729Vpy4M7oCaE6a6hgon4V1jhVbg43NAE5gu2eYFAPIzO3E7ZI8WjyLu1wtOBClk1f+HMen3Tr+SX2PXmpPGb+I2fAkbzu/C4X/M3+2bL1dYjxuvQhvvpAjxFwmdoXW4gWJ3J/FRiFrKsiAY0rYC+yi8SfacJWCv4EEcV/yQ4gYwpmU9xImLaro6w5cOHGCqrzYqjZc4Wi6AWFGeBSNzNs9PXLgMRWeUyiIDOFnSep2ebZeVjTB16m+o/YDEhE10uX9kCCx3Dy/41iJ1ps7V4JWGFsr0Fqaz8mu8=
--- a/keys/luj.keys
+++ b/keys/luj.keys
@ -1,2 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower
--- a/keys/machines/bridge01.keys
+++ b/keys/machines/bridge01.keys
@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5bS3iBXz8wycBnTvI5Qi79WLu0h4IVv/EOdKYbP5y7
--- a/keys/machines/compute01.keys
+++ b/keys/machines/compute01.keys
@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu
--- a/keys/machines/geo01.keys
+++ b/keys/machines/geo01.keys
@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4
--- a/keys/machines/geo02.keys
+++ b/keys/machines/geo02.keys
@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket
--- a/keys/machines/krz01.keys
+++ b/keys/machines/krz01.keys
@ -1,2 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4o65gWOgNrxbSd3kiQIGZUM+YD6kuZOQtblvzUGsfB root@krz01
-
--- a/keys/machines/rescue01.keys
+++ b/keys/machines/rescue01.keys
@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf
--- a/keys/machines/storage01.keys
+++ b/keys/machines/storage01.keys
@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ
--- a/keys/machines/vault01.keys
+++ b/keys/machines/vault01.keys
@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW
--- a/keys/machines/web01.keys
+++ b/keys/machines/web01.keys
@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5
--- a/keys/machines/web02.keys
+++ b/keys/machines/web02.keys
@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+QDE+GgZs6zONHvzRW15BzGJNW69k2BFZgB/Zh/tLX
--- a/keys/mdebray.keys
+++ b/keys/mdebray.keys
@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris
--- a/keys/raito.keys
+++ b/keys/raito.keys
@ -1,3 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU
--- a/keys/thubrecht.keys
+++ b/keys/thubrecht.keys
@ -1,3 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn
--- a/lib/default.nix
+++ b/lib/default.nix
@ -1,33 +0,0 @@
-_:
-
-let
-  sources = import ../npins;
-
-  lib = import sources.nix-lib {
-    inherit ((import sources.nixpkgs { })) lib;
-
-    keysRoot = ../keys;
-  };
-
-  meta = import ../meta lib;
-
-  inherit (lib.extra) getAllKeys;
-in
-
-lib.extra
-// rec {
-  # Get publickeys associated to a node
-  getNodeKeys =
-    node:
-    let
-      names = builtins.foldl' (names: group: names ++ meta.organization.groups.${group}) (
-        meta.nodes.${node}.admins ++ [ "/machines/${node}" ]
-      ) meta.nodes.${node}.adminGroups;
-    in
-    rootKeys ++ (getAllKeys names);
-
-  rootKeys = getAllKeys meta.organization.groups.root;
-
-  machineKeys =
-    rootKeys ++ (getAllKeys (builtins.map (n: "machines/${n}") (builtins.attrNames meta.nodes)));
-}
--- a/lib/nix-lib/default.nix
+++ b/lib/nix-lib/default.nix
@ -0,0 +1,197 @@
+# Copyright Tom Hubrecht, (2023)
+#
+#  Tom Hubrecht <tom@hubrecht.ovh>
+#
+#  This software is governed by the CeCILL  license under French law and
+#  abiding by the rules of distribution of free software.  You can  use,
+#  modify and/ or redistribute the software under the terms of the CeCILL
+#  license as circulated by CEA, CNRS and INRIA at the following URL
+#  "http://www.cecill.info".
+#
+#  As a counterpart to the access to the source code and  rights to copy,
+#  modify and redistribute granted by the license, users are provided only
+#  with a limited warranty  and the software's author,  the holder of the
+#  economic rights,  and the successive licensors  have only  limited
+#  liability.
+#
+#  In this respect, the user's attention is drawn to the risks associated
+#  with loading,  using,  modifying and/or developing or reproducing the
+#  software by the user in light of its specific status of free software,
+#  that may mean  that it is complicated to manipulate,  and  that  also
+#  therefore means  that it is reserved for developers  and  experienced
+#  professionals having in-depth computer knowledge. Users are therefore
+#  encouraged to load and test the software's suitability as regards their
+#  requirements in conditions enabling the security of their systems and/or
+#  data to be ensured and,  more generally, to use and operate it in the
+#  same conditions as regards security.
+#
+#  The fact that you are presently reading this means that you have had
+#  knowledge of the CeCILL license and that you accept its terms.
+
+let
+  # Reimplement optional functions
+  _optional =
+    default: b: value:
+    if b then value else default;
+in
+
+rec {
+  inherit (import ./nixpkgs.nix)
+    flip
+    hasPrefix
+    recursiveUpdate
+    splitString
+    unique
+    ;
+
+  /*
+    Fuses a list of attribute sets into a single attribute set.
+
+    Type: [attrs] -> attrs
+
+     Example:
+       x = [ { a = 1; } { b = 2; } ]
+       fuseAttrs x
+       => { a = 1; b = 2; }
+  */
+  fuseAttrs = builtins.foldl' (attrs: x: attrs // x) { };
+
+  fuseValueAttrs = attrs: fuseAttrs (builtins.attrValues attrs);
+
+  /*
+    Applies a function to `attrsList` before fusing the resulting list
+    of attribute sets.
+
+    Type: ('a -> attrs) -> ['a] -> attrs
+
+    Example:
+     x = [ "to" "ta" "ti" ]
+     f = s: { ${s} = s + s; }
+     mapFuse f x
+     => { to = "toto"; ta = "tata"; ti = "titi"; }
+  */
+  mapFuse =
+    # 'a -> attrs
+    f:
+    # ['a]
+    attrsList:
+    fuseAttrs (builtins.map f attrsList);
+
+  /*
+    Equivalent of lib.singleton but for an attribute set.
+
+    Type: str -> 'a -> attrs
+
+     Example:
+       singleAttr "a" 1
+       => { a = 1; }
+  */
+  singleAttr = name: value: { ${name} = value; };
+
+  # Enables a list of modules.
+  enableAttrs' =
+    enable:
+    mapFuse (m: {
+      ${m}.${enable} = true;
+    });
+
+  enableModules = enableAttrs' "enable";
+
+  /*
+    Create an attribute set from a list of values, mapping those
+    values through the function `f`.
+
+    Example:
+     mapSingleFuse (x: "val-${x}") [ "a" "b" ]
+     => { a = "val-a"; b = "val-b" }
+  */
+  mapSingleFuse = f: mapFuse (x: singleAttr x (f x));
+
+  /*
+    Creates a relative path as a string
+
+    Type: path -> str -> path
+
+     Example:
+       mkRel /home/test/ "file.txt"
+       => "/home/test/file.txt"
+  */
+  mkRel = path: file: path + "/${file}";
+
+  setDefault =
+    default:
+    mapFuse (name: {
+      ${name} = default;
+    });
+
+  mkBaseSecrets =
+    root:
+    mapFuse (secret: {
+      ${secret}.file = mkRel root secret;
+    });
+
+  getSecrets = dir: builtins.attrNames (import (mkRel dir "secrets.nix"));
+
+  subAttr = attrs: name: attrs.${name};
+
+  subAttrs = attrs: builtins.map (subAttr attrs);
+
+  optionalList = _optional [ ];
+
+  optionalAttrs = _optional { };
+
+  optionalString = _optional "";
+  /*
+    Same as fuseAttrs but using `lib.recursiveUpdate` to merge attribute
+    sets together.
+
+    Type: [attrs] -> attrs
+  */
+  recursiveFuse = builtins.foldl' recursiveUpdate { };
+
+  mkImport =
+    root: file:
+    let
+      path = mkRel root file;
+    in
+    path + (optionalString (!(builtins.pathExists path)) ".nix");
+
+  mkImports = root: builtins.map (mkImport root);
+
+  /*
+    Creates a confugiration by merging enabled modules,
+    services and extraConfig.
+
+    Example:
+     mkConfig {
+       enabledModules = [ "ht-defaults" ];
+       enabledServices = [ "toto" ];
+       extraConfig = { services.nginx.enable = true; };
+       root = ./.;
+     }
+     =>
+     {
+       imports = [ ./toto ];
+       ht-defaults.enable = true;
+       services.nginx.enable = true;
+     }
+  */
+  mkConfig =
+    {
+      # List of modules to enable with `enableModules`
+      enabledModules,
+      # List of services to import
+      enabledServices,
+      # Extra configuration, defaults to `{ }`
+      extraConfig ? { },
+      # Path relative to which the enabled services will be imported
+      root,
+    }:
+    recursiveFuse [
+      (enableModules enabledModules)
+
+      { imports = mkImports root ([ "_hardware-configuration" ] ++ enabledServices); }
+
+      extraConfig
+    ];
+}
--- a/lib/nix-lib/nixpkgs.nix
+++ b/lib/nix-lib/nixpkgs.nix
@ -0,0 +1,416 @@
+###
+# Collection of nixpkgs library functions, those are necessary for defining our own lib
+#
+# They have been simplified and builtins are used in some places, instead of lib shims.
+
+rec {
+  /**
+    Does the same as the update operator '//' except that attributes are
+    merged until the given predicate is verified.  The predicate should
+    accept 3 arguments which are the path to reach the attribute, a part of
+    the first attribute set and a part of the second attribute set.  When
+    the predicate is satisfied, the value of the first attribute set is
+    replaced by the value of the second attribute set.
+
+    # Inputs
+
+    `pred`
+
+    : Predicate, taking the path to the current attribute as a list of strings for attribute names, and the two values at that path from the original arguments.
+
+    `lhs`
+
+    : Left attribute set of the merge.
+
+    `rhs`
+
+    : Right attribute set of the merge.
+
+    # Type
+
+    ```
+    recursiveUpdateUntil :: ( [ String ] -> AttrSet -> AttrSet -> Bool ) -> AttrSet -> AttrSet -> AttrSet
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.attrsets.recursiveUpdateUntil` usage example
+
+    ```nix
+    recursiveUpdateUntil (path: l: r: path == ["foo"]) {
+      # first attribute set
+      foo.bar = 1;
+      foo.baz = 2;
+      bar = 3;
+    } {
+      #second attribute set
+      foo.bar = 1;
+      foo.quz = 2;
+      baz = 4;
+    }
+
+    => {
+      foo.bar = 1; # 'foo.*' from the second set
+      foo.quz = 2; #
+      bar = 3;     # 'bar' from the first set
+      baz = 4;     # 'baz' from the second set
+    }
+    ```
+
+    :::
+  */
+  recursiveUpdateUntil =
+    pred: lhs: rhs:
+    let
+      f =
+        attrPath:
+        builtins.zipAttrsWith (
+          n: values:
+          let
+            here = attrPath ++ [ n ];
+          in
+          if builtins.length values == 1 || pred here (builtins.elemAt values 1) (builtins.head values) then
+            builtins.head values
+          else
+            f here values
+        );
+    in
+    f [ ] [
+      rhs
+      lhs
+    ];
+
+  /**
+    A recursive variant of the update operator ‘//’.  The recursion
+    stops when one of the attribute values is not an attribute set,
+    in which case the right hand side value takes precedence over the
+    left hand side value.
+
+    # Inputs
+
+    `lhs`
+
+    : Left attribute set of the merge.
+
+    `rhs`
+
+    : Right attribute set of the merge.
+
+    # Type
+
+    ```
+    recursiveUpdate :: AttrSet -> AttrSet -> AttrSet
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.attrsets.recursiveUpdate` usage example
+
+    ```nix
+    recursiveUpdate {
+      boot.loader.grub.enable = true;
+      boot.loader.grub.device = "/dev/hda";
+    } {
+      boot.loader.grub.device = "";
+    }
+
+    returns: {
+      boot.loader.grub.enable = true;
+      boot.loader.grub.device = "";
+    }
+    ```
+
+    :::
+  */
+  recursiveUpdate =
+    lhs: rhs:
+    recursiveUpdateUntil (
+      _: lhs: rhs:
+      !(builtins.isAttrs lhs && builtins.isAttrs rhs)
+    ) lhs rhs;
+
+  /**
+    Determine whether a string has given prefix.
+
+    # Inputs
+
+    `pref`
+    : Prefix to check for
+
+    `str`
+    : Input string
+
+    # Type
+
+    ```
+    hasPrefix :: string -> string -> bool
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.strings.hasPrefix` usage example
+
+    ```nix
+    hasPrefix "foo" "foobar"
+    => true
+    hasPrefix "foo" "barfoo"
+    => false
+    ```
+
+    :::
+  */
+  hasPrefix = pref: str: (builtins.substring 0 (builtins.stringLength pref) str == pref);
+
+  /**
+    Escape occurrence of the elements of `list` in `string` by
+    prefixing it with a backslash.
+
+    # Inputs
+
+    `list`
+    : 1\. Function argument
+
+    `string`
+    : 2\. Function argument
+
+    # Type
+
+    ```
+    escape :: [string] -> string -> string
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.strings.escape` usage example
+
+    ```nix
+    escape ["(" ")"] "(foo)"
+    => "\\(foo\\)"
+    ```
+
+    :::
+  */
+  escape = list: builtins.replaceStrings list (builtins.map (c: "\\${c}") list);
+
+  /**
+    Convert a string `s` to a list of characters (i.e. singleton strings).
+    This allows you to, e.g., map a function over each character.  However,
+    note that this will likely be horribly inefficient; Nix is not a
+    general purpose programming language. Complex string manipulations
+    should, if appropriate, be done in a derivation.
+    Also note that Nix treats strings as a list of bytes and thus doesn't
+    handle unicode.
+
+    # Inputs
+
+    `s`
+    : 1\. Function argument
+
+    # Type
+
+    ```
+    stringToCharacters :: string -> [string]
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.strings.stringToCharacters` usage example
+
+    ```nix
+    stringToCharacters ""
+    => [ ]
+    stringToCharacters "abc"
+    => [ "a" "b" "c" ]
+    stringToCharacters "🦄"
+    => [ "<EFBFBD>" "<EFBFBD>" "<EFBFBD>" "<EFBFBD>" ]
+    ```
+
+    :::
+  */
+  stringToCharacters = s: builtins.genList (p: builtins.substring p 1 s) (builtins.stringLength s);
+
+  /**
+    Turn a string `s` into an exact regular expression
+
+    # Inputs
+
+    `s`
+    : 1\. Function argument
+
+    # Type
+
+    ```
+    escapeRegex :: string -> string
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.strings.escapeRegex` usage example
+
+    ```nix
+    escapeRegex "[^a-z]*"
+    => "\\[\\^a-z]\\*"
+    ```
+
+    :::
+  */
+  escapeRegex = escape (stringToCharacters "\\[{()^$?*+|.");
+
+  /**
+    Appends string context from string like object `src` to `target`.
+
+    :::{.warning}
+    This is an implementation
+    detail of Nix and should be used carefully.
+    :::
+
+    Strings in Nix carry an invisible `context` which is a list of strings
+    representing store paths. If the string is later used in a derivation
+    attribute, the derivation will properly populate the inputDrvs and
+    inputSrcs.
+
+    # Inputs
+
+    `src`
+    : The string to take the context from. If the argument is not a string,
+      it will be implicitly converted to a string.
+
+    `target`
+    : The string to append the context to. If the argument is not a string,
+      it will be implicitly converted to a string.
+
+    # Type
+
+    ```
+    addContextFrom :: string -> string -> string
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.strings.addContextFrom` usage example
+
+    ```nix
+    pkgs = import <nixpkgs> { };
+    addContextFrom pkgs.coreutils "bar"
+    => "bar"
+    ```
+
+    The context can be displayed using the `toString` function:
+
+    ```nix
+    nix-repl> builtins.getContext (lib.strings.addContextFrom pkgs.coreutils "bar")
+    {
+      "/nix/store/m1s1d2dk2dqqlw3j90jl3cjy2cykbdxz-coreutils-9.5.drv" = { ... };
+    }
+    ```
+
+    :::
+  */
+  addContextFrom = src: target: builtins.substring 0 0 src + target;
+
+  /**
+    Cut a string with a separator and produces a list of strings which
+    were separated by this separator.
+
+    # Inputs
+
+    `sep`
+    : 1\. Function argument
+
+    `s`
+    : 2\. Function argument
+
+    # Type
+
+    ```
+    splitString :: string -> string -> [string]
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.strings.splitString` usage example
+
+    ```nix
+    splitString "." "foo.bar.baz"
+    => [ "foo" "bar" "baz" ]
+    splitString "/" "/usr/local/bin"
+    => [ "" "usr" "local" "bin" ]
+    ```
+
+    :::
+  */
+  splitString =
+    sep: s:
+    let
+      splits = builtins.filter builtins.isString (
+        builtins.split (escapeRegex (builtins.toString sep)) (builtins.toString s)
+      );
+    in
+    builtins.map (addContextFrom s) splits;
+
+  /**
+    Remove duplicate elements from the `list`. O(n^2) complexity.
+
+    # Inputs
+
+    `list`
+
+    : Input list
+
+    # Type
+
+    ```
+    unique :: [a] -> [a]
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.lists.unique` usage example
+
+    ```nix
+    unique [ 3 2 3 4 ]
+    => [ 3 2 4 ]
+    ```
+
+    :::
+  */
+  unique = builtins.foldl' (acc: e: if builtins.elem e acc then acc else acc ++ [ e ]) [ ];
+
+  /**
+    Flip the order of the arguments of a binary function.
+
+    # Inputs
+
+    `f`
+
+    : 1\. Function argument
+
+    `a`
+
+    : 2\. Function argument
+
+    `b`
+
+    : 3\. Function argument
+
+    # Type
+
+    ```
+    flip :: (a -> b -> c) -> (b -> a -> c)
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.trivial.flip` usage example
+
+    ```nix
+    flip concat [1] [2]
+    => [ 2 1 ]
+    ```
+
+    :::
+  */
+  flip =
+    f: a: b:
+    f b a;
+}
--- a/machines/bridge01/secrets/secrets.nix
+++ b/machines/bridge01/secrets/secrets.nix
@ -1,5 +1,3 @@
-let
-  lib = import ../../../lib { };
-in
-
-lib.setDefault { publicKeys = lib.getNodeKeys "bridge01"; } [ ]
+(import ../../../keys).mkSecrets [ "bridg01" ] [
+  # List of secrets for bridge01
+]
--- a/machines/compute01/kanidm/secrets/secrets.nix
+++ b/machines/compute01/kanidm/secrets/secrets.nix
@ -1,9 +1,4 @@
-let
-  lib = import ../../../../lib { };
-  publicKeys = lib.getNodeKeys "compute01";
-in
-
-lib.setDefault { inherit publicKeys; } [
+(import ../../../../keys).mkSecrets [ "compute01" ] [
  "kanidm-password_admin"
  "kanidm-password_idm_admin"
 ]
--- a/machines/compute01/secrets/secrets.nix
+++ b/machines/compute01/secrets/secrets.nix
@ -1,9 +1,5 @@
-let
-  lib = import ../../../lib { };
-  publicKeys = lib.getNodeKeys "compute01";
-in
-
-lib.setDefault { inherit publicKeys; } [
+(import ../../../keys).mkSecrets [ "compute01" ] [
+  # List of secrets for compute01
  "arkheon-env_file"
  "bupstash-put_key"
  "dgsi-email_host_password_file"
--- a/machines/geo01/secrets/secrets.nix
+++ b/machines/geo01/secrets/secrets.nix
@ -1,5 +1,3 @@
-let
-  lib = import ../../../lib { };
-  publicKeys = lib.getNodeKeys "geo01";
-in
-lib.setDefault { inherit publicKeys; } [ ]
+(import ../../../keys).mkSecrets [ "geo01" ] [
+  # List of secrets for geo01
+]
--- a/machines/geo02/secrets/secrets.nix
+++ b/machines/geo02/secrets/secrets.nix
@ -1,5 +1,3 @@
-let
-  lib = import ../../../lib { };
-  publicKeys = lib.getNodeKeys "geo02";
-in
-lib.setDefault { inherit publicKeys; } [ ]
+(import ../../../keys).mkSecrets [ "geo02" ] [
+  # List of secrets for geo02
+]
--- a/machines/krz01/K80-support.patch
+++ b/machines/krz01/K80-support.patch
@ -0,0 +1,179 @@
+From 2abd226ff3093c5a9e18a618fba466853e7ebaf7 Mon Sep 17 00:00:00 2001
+From: Raito Bezarius <masterancpp@gmail.com>
+Date: Tue, 8 Oct 2024 18:27:41 +0200
+Subject: [PATCH] K80 support
+
+Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
+---
+ docs/development.md     |  6 +++-
+ docs/gpu.md             |  1 +
+ gpu/amd_linux.go        |  6 +++-
+ gpu/gpu.go              | 63 ++++++++++++++++++++++++++++++++++++-----
+ scripts/build_docker.sh |  2 +-
+ scripts/build_linux.sh  |  2 +-
+ 6 files changed, 69 insertions(+), 11 deletions(-)
+
+diff --git a/docs/development.md b/docs/development.md
+index 2f7b9ecf..9da35931 100644
+--- a/docs/development.md
+++ b/docs/development.md
+@@ -51,7 +51,11 @@ Typically the build scripts will auto-detect CUDA, however, if your Linux distro
+ or installation approach uses unusual paths, you can specify the location by
+ specifying an environment variable `CUDA_LIB_DIR` to the location of the shared
+ libraries, and `CUDACXX` to the location of the nvcc compiler. You can customize
+-a set of target CUDA architectures by setting `CMAKE_CUDA_ARCHITECTURES` (e.g. "50;60;70")
+a set of target CUDA architectures by setting `CMAKE_CUDA_ARCHITECTURES` (e.g. "35;37;50;60;70")
+
+To support GPUs older than Compute Capability 5.0, you will need to use an older version of
+the Driver from [Unix Driver Archive](https://www.nvidia.com/en-us/drivers/unix/) (tested with 470) and [CUDA Toolkit Archive](https://developer.nvidia.com/cuda-toolkit-archive) (tested with cuda V11).  When you build Ollama, you will need to set two environment variable to adjust the minimum compute capability Ollama supports via `export GOFLAGS="'-ldflags=-w -s \"-X=github.com/ollama/ollama/gpu.CudaComputeMajorMin=3\" \"-X=github.com/ollama/ollama/gpu.CudaComputeMinorMin=5\"'"` and the `CMAKE_CUDA_ARCHITECTURES`.  To find the Compute Capability of your older GPU, refer to [GPU Compute Capability](https://developer.nvidia.com/cuda-gpus).
+
+ 
+ Then generate dependencies:
+ 
+diff --git a/docs/gpu.md b/docs/gpu.md
+index a6b559f0..66627611 100644
+--- a/docs/gpu.md
+++ b/docs/gpu.md
+@@ -28,6 +28,7 @@ Check your compute compatibility to see if your card is supported:
+ | 5.0                | GeForce GTX         | `GTX 750 Ti` `GTX 750` `NVS 810`                                                                            |
+ |                    | Quadro              | `K2200` `K1200` `K620` `M1200` `M520` `M5000M` `M4000M` `M3000M` `M2000M` `M1000M` `K620M` `M600M` `M500M`  |
+ 
+For building locally to support older GPUs, see [developer.md](./development.md#linux-cuda-nvidia)
+ 
+ ### GPU Selection
+ 
+diff --git a/gpu/amd_linux.go b/gpu/amd_linux.go
+index 6b08ac2e..768fb97a 100644
+--- a/gpu/amd_linux.go
+++ b/gpu/amd_linux.go
+@@ -159,7 +159,11 @@ func AMDGetGPUInfo() []GpuInfo {
+ 			return []GpuInfo{}
+ 		}
+ 
+-		if int(major) < RocmComputeMin {
+		minVer, err := strconv.Atoi(RocmComputeMajorMin)
+		if err != nil {
+			slog.Error("invalid RocmComputeMajorMin setting", "value", RocmComputeMajorMin, "error", err)
+		}
+		if int(major) < minVer {
+ 			slog.Warn(fmt.Sprintf("amdgpu too old gfx%d%x%x", major, minor, patch), "gpu", gpuID)
+ 			continue
+ 		}
+diff --git a/gpu/gpu.go b/gpu/gpu.go
+index 781e23df..60d68c33 100644
+--- a/gpu/gpu.go
+++ b/gpu/gpu.go
+@@ -16,6 +16,7 @@ import (
+ 	"os"
+ 	"path/filepath"
+ 	"runtime"
+	"strconv"
+ 	"strings"
+ 	"sync"
+ 	"unsafe"
+@@ -38,9 +39,11 @@ const (
+ var gpuMutex sync.Mutex
+ 
+ // With our current CUDA compile flags, older than 5.0 will not work properly
+-var CudaComputeMin = [2]C.int{5, 0}
+// (string values used to allow ldflags overrides at build time)
+var CudaComputeMajorMin = "5"
+var CudaComputeMinorMin = "0"
+ 
+-var RocmComputeMin = 9
+var RocmComputeMajorMin = "9"
+ 
+ // TODO find a better way to detect iGPU instead of minimum memory
+ const IGPUMemLimit = 1 * format.GibiByte // 512G is what they typically report, so anything less than 1G must be iGPU
+@@ -175,11 +178,57 @@ func GetGPUInfo() GpuInfoList {
+ 	var memInfo C.mem_info_t
+ 	resp := []GpuInfo{}
+ 
+-	// NVIDIA first
+-	for i := 0; i < gpuHandles.deviceCount; i++ {
+-		// TODO once we support CPU compilation variants of GPU libraries refine this...
+-		if cpuVariant == "" && runtime.GOARCH == "amd64" {
+-			continue
+	// Load ALL libraries
+	cHandles = initCudaHandles()
+	minMajorVer, err := strconv.Atoi(CudaComputeMajorMin)
+	if err != nil {
+		slog.Error("invalid CudaComputeMajorMin setting", "value", CudaComputeMajorMin, "error", err)
+	}
+	minMinorVer, err := strconv.Atoi(CudaComputeMinorMin)
+	if err != nil {
+		slog.Error("invalid CudaComputeMinorMin setting", "value", CudaComputeMinorMin, "error", err)
+	}
+
+	// NVIDIA
+	for i := range cHandles.deviceCount {
+		if cHandles.cudart != nil || cHandles.nvcuda != nil {
+			gpuInfo := CudaGPUInfo{
+				GpuInfo: GpuInfo{
+					Library: "cuda",
+				},
+				index: i,
+			}
+			var driverMajor int
+			var driverMinor int
+			if cHandles.cudart != nil {
+				C.cudart_bootstrap(*cHandles.cudart, C.int(i), &memInfo)
+			} else {
+				C.nvcuda_bootstrap(*cHandles.nvcuda, C.int(i), &memInfo)
+				driverMajor = int(cHandles.nvcuda.driver_major)
+				driverMinor = int(cHandles.nvcuda.driver_minor)
+			}
+			if memInfo.err != nil {
+				slog.Info("error looking up nvidia GPU memory", "error", C.GoString(memInfo.err))
+				C.free(unsafe.Pointer(memInfo.err))
+				continue
+			}
+
+			if int(memInfo.major) < minMajorVer || (int(memInfo.major) == minMajorVer && int(memInfo.minor) < minMinorVer) {
+				slog.Info(fmt.Sprintf("[%d] CUDA GPU is too old. Compute Capability detected: %d.%d", i, memInfo.major, memInfo.minor))
+				continue
+			}
+			gpuInfo.TotalMemory = uint64(memInfo.total)
+			gpuInfo.FreeMemory = uint64(memInfo.free)
+			gpuInfo.ID = C.GoString(&memInfo.gpu_id[0])
+			gpuInfo.Compute = fmt.Sprintf("%d.%d", memInfo.major, memInfo.minor)
+			gpuInfo.MinimumMemory = cudaMinimumMemory
+			gpuInfo.DependencyPath = depPath
+			gpuInfo.Name = C.GoString(&memInfo.gpu_name[0])
+			gpuInfo.DriverMajor = driverMajor
+			gpuInfo.DriverMinor = driverMinor
+
+			// TODO potentially sort on our own algorithm instead of what the underlying GPU library does...
+			cudaGPUs = append(cudaGPUs, gpuInfo)
+ 		}
+ 		gpuInfo := GpuInfo{
+ 			Library: "cuda",
+diff --git a/scripts/build_docker.sh b/scripts/build_docker.sh
+index e91c56ed..c03bc25f 100755
+--- a/scripts/build_docker.sh
+++ b/scripts/build_docker.sh
+@@ -3,7 +3,7 @@
+ set -eu
+ 
+ export VERSION=${VERSION:-$(git describe --tags --first-parent --abbrev=7 --long --dirty --always | sed -e "s/^v//g")}
+-export GOFLAGS="'-ldflags=-w -s \"-X=github.com/ollama/ollama/version.Version=$VERSION\" \"-X=github.com/ollama/ollama/server.mode=release\"'"
+export GOFLAGS=${GOFLAGS:-"'-ldflags=-w -s \"-X=github.com/ollama/ollama/version.Version=$VERSION\" \"-X=github.com/ollama/ollama/server.mode=release\"'"}
+ 
+ # We use 2 different image repositories to handle combining architecture images into multiarch manifest
+ # (The ROCm image is x86 only and is not a multiarch manifest)
+diff --git a/scripts/build_linux.sh b/scripts/build_linux.sh
+index 27c4ff1f..e7e6d0dd 100755
+--- a/scripts/build_linux.sh
+++ b/scripts/build_linux.sh
+@@ -3,7 +3,7 @@
+ set -eu
+ 
+ export VERSION=${VERSION:-$(git describe --tags --first-parent --abbrev=7 --long --dirty --always | sed -e "s/^v//g")}
+-export GOFLAGS="'-ldflags=-w -s \"-X=github.com/ollama/ollama/version.Version=$VERSION\" \"-X=github.com/ollama/ollama/server.mode=release\"'"
+export GOFLAGS=${GOFLAGS:-"'-ldflags=-w -s \"-X=github.com/ollama/ollama/version.Version=$VERSION\" \"-X=github.com/ollama/ollama/server.mode=release\"'"}
+ 
+ BUILD_ARCH=${BUILD_ARCH:-"amd64 arm64"}
+ export AMDGPU_TARGETS=${AMDGPU_TARGETS:=""}
+-- 
+2.46.0
+
--- a/machines/krz01/_configuration.nix
+++ b/machines/krz01/_configuration.nix
@ -1,4 +1,9 @@
-{ lib, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:

 lib.extra.mkConfig {
  enabledModules = [
@ -10,10 +15,14 @@ lib.extra.mkConfig {
    "microvm-router01"
    "nvidia-tesla-k80"
    "proxmox"
+    # Machine learning API machine
+    "microvm-ml01"
  ];

  extraConfig = {
-    microvm.host.enable = true;
+    microvm = {
+      host.enable = true;
+    };
    dgn-hardware = {
      useZfs = true;
      zfsPools = [
@ -24,6 +33,38 @@ lib.extra.mkConfig {

    services.netbird.enable = true;

+    # We are going to use CUDA here.
+    nixpkgs.config.cudaSupport = true;
+    hardware.graphics.enable = true;
+    environment.systemPackages = [
+      ((pkgs.openai-whisper-cpp.override { cudaPackages = pkgs.cudaPackages_11; }).overrideAttrs (old: {
+        src = pkgs.fetchFromGitHub {
+          owner = "ggerganov";
+          repo = "whisper.cpp";
+          rev = "v1.7.1";
+          hash = "sha256-EDFUVjud79ZRCzGbOh9L9NcXfN3ikvsqkVSOME9F9oo=";
+        };
+        env = {
+          WHISPER_CUBLAS = "";
+          GGML_CUDA = "1";
+        };
+        # We only need Compute Capability 3.7.
+        CUDA_ARCH_FLAGS = [ "sm_37" ];
+        # We are GPU-only anyway.
+        patches = (old.patches or [ ]) ++ [
+          ./no-weird-microarch.patch
+          ./all-nvcc-arch.patch
+        ];
+      }))
+    ];
+    services.ollama = {
+      enable = true;
+      package = pkgs.callPackage ./ollama.nix {
+        cudaPackages = pkgs.cudaPackages_11;
+        # We need to thread our nvidia x11 driver for CUDA.
+        extraLibraries = [ config.hardware.nvidia.package ];
+      };
+    };
    users.users.root.hashedPassword = "$y$j9T$eNZQgDN.J5y7KTG2hXgat1$J1i5tjx5dnSZu.C9B7swXi5zMFIkUnmRrnmyLHFAt8/";
  };

--- a/machines/krz01/all-nvcc-arch.patch
+++ b/machines/krz01/all-nvcc-arch.patch
@ -0,0 +1,26 @@
+From 2278389ef9ac9231349440aa68f9544ddc69cdc7 Mon Sep 17 00:00:00 2001
+From: Raito Bezarius <masterancpp@gmail.com>
+Date: Wed, 9 Oct 2024 13:37:08 +0200
+Subject: [PATCH] fix: sm_37 for nvcc
+
+Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index 2ccb750..70dfd9b 100644
+--- a/Makefile
+++ b/Makefile
+@@ -537,7 +537,7 @@ endif #GGML_CUDA_NVCC
+ ifdef CUDA_DOCKER_ARCH
+ 	MK_NVCCFLAGS += -Wno-deprecated-gpu-targets -arch=$(CUDA_DOCKER_ARCH)
+ else ifndef CUDA_POWER_ARCH
+-	MK_NVCCFLAGS += -arch=native
+	MK_NVCCFLAGS += -arch=sm_37
+ endif # CUDA_DOCKER_ARCH
+ 
+ ifdef GGML_CUDA_FORCE_DMMV
+-- 
+2.46.0
+
--- a/machines/krz01/disable-git.patch
+++ b/machines/krz01/disable-git.patch
@ -0,0 +1,20 @@
+diff --git c/llm/generate/gen_common.sh i/llm/generate/gen_common.sh
+index 3825c155..238a74a7 100644
+--- c/llm/generate/gen_common.sh
+++ i/llm/generate/gen_common.sh
+@@ -69,6 +69,7 @@ git_module_setup() {
+ }
+ 
+ apply_patches() {
+    return
+     # apply temporary patches until fix is upstream
+     for patch in ../patches/*.patch; do
+         git -c 'user.name=nobody' -c 'user.email=<>' -C ${LLAMACPP_DIR} am ${patch}
+@@ -133,6 +134,7 @@ install() {
+ 
+ # Keep the local tree clean after we're done with the build
+ cleanup() {
+    return
+     (cd ${LLAMACPP_DIR}/ && git checkout CMakeLists.txt)
+ 
+     if [ -n "$(ls -A ../patches/*.diff)" ]; then
--- a/machines/krz01/microvm-ml01.nix
+++ b/machines/krz01/microvm-ml01.nix
@ -0,0 +1,22 @@
+_: {
+  microvm.autostart = [ "ml01" ];
+  microvm.vms.ml01 = {
+    config = {
+      networking.hostName = "ml01";
+      microvm = {
+        hypervisor = "cloud-hypervisor";
+        vcpu = 4;
+        mem = 4096;
+        balloonMem = 2048;
+        shares = [
+          {
+            source = "/nix/store";
+            mountPoint = "/nix/.ro-store";
+            tag = "ro-store";
+            proto = "virtiofs";
+          }
+        ];
+      };
+    };
+  };
+}
--- a/machines/krz01/no-weird-microarch.patch
+++ b/machines/krz01/no-weird-microarch.patch
@ -0,0 +1,34 @@
+From 51568b61ef63ecd97867562571411082c32751d3 Mon Sep 17 00:00:00 2001
+From: Raito Bezarius <masterancpp@gmail.com>
+Date: Wed, 9 Oct 2024 13:36:51 +0200
+Subject: [PATCH] fix: avx & f16c in Makefile
+
+Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
+---
+ Makefile | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 32b7cbb..2ccb750 100644
+--- a/Makefile
+++ b/Makefile
+@@ -361,12 +361,12 @@ ifndef RISCV
+ 
+ ifeq ($(UNAME_M),$(filter $(UNAME_M),x86_64 i686 amd64))
+ 	# Use all CPU extensions that are available:
+-	MK_CFLAGS     += -march=native -mtune=native
+-	HOST_CXXFLAGS += -march=native -mtune=native
+	# MK_CFLAGS     += -march=native -mtune=native
+	# HOST_CXXFLAGS += -march=native -mtune=native
+ 
+ 	# Usage AVX-only
+-	#MK_CFLAGS   += -mfma -mf16c -mavx
+-	#MK_CXXFLAGS += -mfma -mf16c -mavx
+	MK_CFLAGS   += -mf16c -mavx
+	MK_CXXFLAGS += -mf16c -mavx
+ 
+ 	# Usage SSSE3-only (Not is SSE3!)
+ 	#MK_CFLAGS   += -mssse3
+-- 
+2.46.0
+
--- a/machines/krz01/nvidia-tesla-k80.nix
+++ b/machines/krz01/nvidia-tesla-k80.nix
@ -1,5 +1,8 @@
 { config, ... }:
 {
+  nixpkgs.config.nvidia.acceptLicense = true;
  # Tesla K80 is not supported by the latest driver.
-  hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages_legacy_470;
+  hardware.nvidia.package = config.boot.kernelPackages.nvidia_x11_legacy470;
+  # Don't ask.
+  services.xserver.videoDrivers = [ "nvidia" ];
 }
--- a/machines/krz01/ollama.nix
+++ b/machines/krz01/ollama.nix
@ -0,0 +1,243 @@
+{
+  lib,
+  buildGoModule,
+  fetchFromGitHub,
+  buildEnv,
+  linkFarm,
+  overrideCC,
+  makeWrapper,
+  stdenv,
+  addDriverRunpath,
+  nix-update-script,
+
+  cmake,
+  gcc11,
+  clblast,
+  libdrm,
+  rocmPackages,
+  cudaPackages,
+  darwin,
+  autoAddDriverRunpath,
+  extraLibraries ? [ ],
+
+  nixosTests,
+  testers,
+  ollama,
+  ollama-rocm,
+  ollama-cuda,
+
+  config,
+  # one of `[ null false "rocm" "cuda" ]`
+  acceleration ? null,
+}:
+
+assert builtins.elem acceleration [
+  null
+  false
+  "rocm"
+  "cuda"
+];
+
+let
+  pname = "ollama";
+  version = "2024-09-10-cc35";
+
+  src = fetchFromGitHub {
+    owner = "aliotard";
+    repo = "ollama";
+    rev = "34827c01f7723c7f5f9f5e392fe85f5a4a5d5fc0";
+    hash = "sha256-xFNuqcW7YWeyCyw5QLBnCHHTSMITR6LJkJT0CXZC+Y8=";
+    fetchSubmodules = true;
+  };
+
+  vendorHash = "sha256-hSxcREAujhvzHVNwnRTfhi0MKI3s8HNavER2VLz6SYk=";
+
+  validateFallback = lib.warnIf (config.rocmSupport && config.cudaSupport) (lib.concatStrings [
+    "both `nixpkgs.config.rocmSupport` and `nixpkgs.config.cudaSupport` are enabled, "
+    "but they are mutually exclusive; falling back to cpu"
+  ]) (!(config.rocmSupport && config.cudaSupport));
+  shouldEnable =
+    mode: fallback: (acceleration == mode) || (fallback && acceleration == null && validateFallback);
+
+  rocmRequested = shouldEnable "rocm" config.rocmSupport;
+  cudaRequested = shouldEnable "cuda" config.cudaSupport;
+
+  enableRocm = rocmRequested && stdenv.isLinux;
+  enableCuda = cudaRequested && stdenv.isLinux;
+
+  rocmLibs = [
+    rocmPackages.clr
+    rocmPackages.hipblas
+    rocmPackages.rocblas
+    rocmPackages.rocsolver
+    rocmPackages.rocsparse
+    rocmPackages.rocm-device-libs
+    rocmPackages.rocm-smi
+  ];
+  rocmClang = linkFarm "rocm-clang" { llvm = rocmPackages.llvm.clang; };
+  rocmPath = buildEnv {
+    name = "rocm-path";
+    paths = rocmLibs ++ [ rocmClang ];
+  };
+
+  cudaLibs = [
+    cudaPackages.cuda_cudart
+    cudaPackages.libcublas
+    cudaPackages.cuda_cccl
+  ];
+  cudaToolkit = buildEnv {
+    name = "cuda-merged";
+    paths = map lib.getLib cudaLibs ++ [
+      (lib.getOutput "static" cudaPackages.cuda_cudart)
+      (lib.getBin (cudaPackages.cuda_nvcc.__spliced.buildHost or cudaPackages.cuda_nvcc))
+    ];
+  };
+
+  metalFrameworks = with darwin.apple_sdk_11_0.frameworks; [
+    Accelerate
+    Metal
+    MetalKit
+    MetalPerformanceShaders
+  ];
+
+  wrapperOptions =
+    [
+      # ollama embeds llama-cpp binaries which actually run the ai models
+      # these llama-cpp binaries are unaffected by the ollama binary's DT_RUNPATH
+      # LD_LIBRARY_PATH is temporarily required to use the gpu
+      # until these llama-cpp binaries can have their runpath patched
+      "--suffix LD_LIBRARY_PATH : '${addDriverRunpath.driverLink}/lib'"
+      "--suffix LD_LIBRARY_PATH : '${lib.makeLibraryPath (map lib.getLib extraLibraries)}'"
+    ]
+    ++ lib.optionals enableRocm [
+      "--suffix LD_LIBRARY_PATH : '${rocmPath}/lib'"
+      "--set-default HIP_PATH '${rocmPath}'"
+    ]
+    ++ lib.optionals enableCuda [
+      "--suffix LD_LIBRARY_PATH : '${lib.makeLibraryPath (map lib.getLib cudaLibs)}'"
+    ];
+  wrapperArgs = builtins.concatStringsSep " " wrapperOptions;
+
+  goBuild =
+    if enableCuda then buildGoModule.override { stdenv = overrideCC stdenv gcc11; } else buildGoModule;
+  inherit (lib) licenses platforms maintainers;
+in
+goBuild {
+  inherit
+    pname
+    version
+    src
+    vendorHash
+    ;
+
+  env =
+    lib.optionalAttrs enableRocm {
+      ROCM_PATH = rocmPath;
+      CLBlast_DIR = "${clblast}/lib/cmake/CLBlast";
+    }
+    // lib.optionalAttrs enableCuda { CUDA_LIB_DIR = "${cudaToolkit}/lib"; }
+    // {
+      CMAKE_CUDA_ARCHITECTURES = "35;37";
+    };
+
+  nativeBuildInputs =
+    [ cmake ]
+    ++ lib.optionals enableRocm [ rocmPackages.llvm.bintools ]
+    ++ lib.optionals enableCuda [ cudaPackages.cuda_nvcc ]
+    ++ lib.optionals (enableRocm || enableCuda) [
+      makeWrapper
+      autoAddDriverRunpath
+    ]
+    ++ lib.optionals stdenv.isDarwin metalFrameworks;
+
+  buildInputs =
+    lib.optionals enableRocm (rocmLibs ++ [ libdrm ])
+    ++ lib.optionals enableCuda cudaLibs
+    ++ lib.optionals stdenv.isDarwin metalFrameworks;
+
+  patches = [
+    # disable uses of `git` in the `go generate` script
+    # ollama's build script assumes the source is a git repo, but nix removes the git directory
+    # this also disables necessary patches contained in `ollama/llm/patches/`
+    # those patches are applied in `postPatch`
+    ./disable-git.patch
+  ];
+
+  postPatch = ''
+    # replace inaccurate version number with actual release version
+    substituteInPlace version/version.go --replace-fail 0.0.0 '${version}'
+
+    # apply ollama's patches to `llama.cpp` submodule
+    for diff in llm/patches/*; do
+      patch -p1 -d llm/llama.cpp < $diff
+    done
+  '';
+
+  overrideModAttrs = _: _: {
+    # don't run llama.cpp build in the module fetch phase
+    preBuild = "";
+  };
+
+  preBuild = ''
+    # disable uses of `git`, since nix removes the git directory
+    export OLLAMA_SKIP_PATCHING=true
+    # build llama.cpp libraries for ollama
+    go generate ./...
+  '';
+
+  postFixup =
+    ''
+      # the app doesn't appear functional at the moment, so hide it
+      mv "$out/bin/app" "$out/bin/.ollama-app"
+    ''
+    + lib.optionalString (enableRocm || enableCuda) ''
+      # expose runtime libraries necessary to use the gpu
+      wrapProgram "$out/bin/ollama" ${wrapperArgs}
+    '';
+
+  ldflags = [
+    "-s"
+    "-w"
+    "-X=github.com/ollama/ollama/version.Version=${version}"
+    "-X=github.com/ollama/ollama/server.mode=release"
+    "-X=github.com/ollama/ollama/gpu.CudaComputeMajorMin=3"
+    "-X=github.com/ollama/ollama/gpu.CudaComputeMinorMin=5"
+  ];
+
+  passthru = {
+    tests =
+      {
+        inherit ollama;
+        version = testers.testVersion {
+          inherit version;
+          package = ollama;
+        };
+      }
+      // lib.optionalAttrs stdenv.isLinux {
+        inherit ollama-rocm ollama-cuda;
+        service = nixosTests.ollama;
+        service-cuda = nixosTests.ollama-cuda;
+        service-rocm = nixosTests.ollama-rocm;
+      };
+
+    updateScript = nix-update-script { };
+  };
+
+  meta = {
+    description =
+      "Get up and running with large language models locally"
+      + lib.optionalString rocmRequested ", using ROCm for AMD GPU acceleration"
+      + lib.optionalString cudaRequested ", using CUDA for NVIDIA GPU acceleration";
+    homepage = "https://github.com/ollama/ollama";
+    changelog = "https://github.com/ollama/ollama/releases/tag/v${version}";
+    license = licenses.mit;
+    platforms = if (rocmRequested || cudaRequested) then platforms.linux else platforms.unix;
+    mainProgram = "ollama";
+    maintainers = with maintainers; [
+      abysssol
+      dit7ya
+      elohmeier
+      roydubnium
+    ];
+  };
+}
--- a/machines/krz01/secrets/secrets.nix
+++ b/machines/krz01/secrets/secrets.nix
@ -1,5 +1,3 @@
-let
-  lib = import ../../../lib { };
-in
-
-lib.setDefault { publicKeys = lib.getNodeKeys "krz01"; } [ ]
+(import ../../../keys).mkSecrets [ "krz01" ] [
+  # List of secrets for krz01
+]
--- a/machines/rescue01/secrets/secrets.nix
+++ b/machines/rescue01/secrets/secrets.nix
@ -1,5 +1,4 @@
-let
-  lib = import ../../../lib { };
-  publicKeys = lib.getNodeKeys "rescue01";
-in
-lib.setDefault { inherit publicKeys; } [ "stateless-uptime-kuma-password" ]
+(import ../../../keys).mkSecrets [ "rescue01" ] [
+  # List of secrets for rescue01
+  "stateless-uptime-kuma-password"
+]
--- a/machines/storage01/secrets/secrets.nix
+++ b/machines/storage01/secrets/secrets.nix
@ -1,8 +1,5 @@
-let
-  lib = import ../../../lib { };
-  publicKeys = lib.getNodeKeys "storage01";
-in
-lib.setDefault { inherit publicKeys; } [
+(import ../../../keys).mkSecrets [ "storage01" ] [
+  # List of secrets for storage01
  "bupstash-put_key"
  "forgejo-mailer_password_file"
  "forgejo_runners-token_file"
--- a/machines/vault01/secrets/secrets.nix
+++ b/machines/vault01/secrets/secrets.nix
@ -1,8 +1,5 @@
-let
-  lib = import ../../../lib { };
-  publicKeys = lib.getNodeKeys "vault01";
-in
-lib.setDefault { inherit publicKeys; } [
+(import ../../../keys).mkSecrets [ "vault01" ] [
+  # List of secrets for vault01
  "radius-auth_token_file"
  "radius-ca_pem_file"
  "radius-cert_pem_file"
--- a/machines/web01/secrets/secrets.nix
+++ b/machines/web01/secrets/secrets.nix
@ -1,8 +1,5 @@
-let
-  lib = import ../../../lib { };
-  publicKeys = lib.getNodeKeys "web01";
-in
-lib.setDefault { inherit publicKeys; } [
+(import ../../../keys).mkSecrets [ "web01" ] [
+  # List of secrets for web01
  "acme-certs_secret"
  "bupstash-put_key"
  "matterbridge-config_file"
--- a/machines/web02/secrets/secrets.nix
+++ b/machines/web02/secrets/secrets.nix
@ -1,7 +1,5 @@
-let
-  lib = import ../../../lib { };
-in
-lib.setDefault { publicKeys = lib.getNodeKeys "web02"; } [
+(import ../../../keys).mkSecrets [ "web02" ] [
+  # List of secrets for web02
  "cas_eleves-secret_key_file"
  "kadenios-secret_key_file"
  "kadenios-email_password_file"
--- a/meta/nodes.nix
+++ b/meta/nodes.nix
@ -74,7 +74,7 @@
    site = "pav01";

    stateVersion = "24.05";
-    nixpkgs = "24.05";
+    nixpkgs = "unstable";
  };

  storage01 = {
--- a/meta/options.nix
+++ b/meta/options.nix
@ -368,10 +368,10 @@ in
          name: "A member of the external service ${name} admins was not found in the members list."
        ) org.external)

-        # Check that all members have a keyFile
+        # Check that all members have ssh keys
        (builtins.map (name: {
-          assertion = builtins.pathExists "${builtins.toString ../keys}/${name}.keys";
-          message = "No ssh keys file found for ${name}.";
+          assertion = ((import ../keys)._keys.${name} or [ ]) != [ ];
+          message = "No ssh keys found for ${name}.";
        }) members)
      ];
    };
--- a/meta/verify.nix
+++ b/meta/verify.nix
@ -5,12 +5,6 @@ let
  pkgs = import sources.nixpkgs { };

  dns = import sources."dns.nix" { inherit pkgs; };
-
-  lib = import sources.nix-lib {
-    inherit (pkgs) lib;
-
-    keysRoot = ../keys;
-  };
 in

 {
@ -29,6 +23,14 @@ in
      pkgs.writers.writeJSON "meta.json" config;

  dns = dns.util.writeZone "dgnum.eu" (
-    pkgs.lib.recursiveUpdate { SOA.serial = 0; } (import ./dns.nix { inherit dns lib; })
+    pkgs.lib.recursiveUpdate { SOA.serial = 0; } (
+      import ./dns.nix {
+        inherit dns;
+
+        lib = pkgs.lib // {
+          extra = import ../lib/nix-lib;
+        };
+      }
+    )
  );
 }
--- a/modules/dgn-access-control.nix
+++ b/modules/dgn-access-control.nix
@ -34,6 +34,7 @@
 {
  config,
  lib,
+  dgn-keys,
  meta,
  nodeMeta,
  ...
@ -83,7 +84,7 @@ in
    dgn-access-control.users.root = mkDefault admins;

    users.users = builtins.mapAttrs (_: members: {
-      openssh.authorizedKeys.keys = lib.extra.getAllKeys members;
+      openssh.authorizedKeys.keys = dgn-keys.getKeys members;
    }) cfg.users;
  };
 }
--- a/modules/dgn-backups/default.nix
+++ b/modules/dgn-backups/default.nix
@ -1,6 +1,7 @@
 {
  config,
  lib,
+  dgn-keys,
  name,
  ...
 }:
@ -103,15 +104,12 @@ in
        access = [
          {
            repo = "default";
-            keys = lib.extra.getAllKeys (
-              # Nodes allowed to create backups
-              builtins.map (host: "machines/${host}") [
-                "compute01"
-                "storage01"
-                "vault01"
-                "web01"
-              ]
-            );
+            keys = dgn-keys.getKeys [
+              "compute01"
+              "storage01"
+              "vault01"
+              "web01"
+            ];
            allowed = [ "put" ];
          }
        ];
@ -121,8 +119,7 @@ in
    };

    programs.ssh.knownHosts =
-      lib.extra.mapFuse
-        (host: { "${host}.dgnum".publicKey = builtins.head (lib.extra.getKeys "machines/${host}"); })
+      lib.extra.mapFuse (host: { "${host}.dgnum".publicKey = builtins.head dgn-keys._keys.${host}; })
        [
          "compute01"
          "geo01"
--- a/modules/dgn-backups/keys/secrets.nix
+++ b/modules/dgn-backups/keys/secrets.nix
@ -1,8 +1,4 @@
-let
-  lib = import ../../../lib { };
-in
-
-lib.setDefault { publicKeys = lib.rootKeys; } [
+(import ../../../keys).mkSecrets [ ] [
  "compute01.key"
  "storage01.key"
  "web01.key"
--- a/modules/dgn-netbox-agent/secrets.nix
+++ b/modules/dgn-netbox-agent/secrets.nix
@ -1 +1 @@
-{ netbox-agent.publicKeys = (import ../../lib { }).machineKeys; }
+{ netbox-agent.publicKeys = (import ../../keys).machineKeys; }
--- a/modules/dgn-notify/secrets.nix
+++ b/modules/dgn-notify/secrets.nix
@ -1 +1 @@
-{ mail.publicKeys = (import ../../lib { }).machineKeys; }
+{ mail.publicKeys = (import ../../keys).machineKeys; }
--- a/modules/dgn-records/secrets.nix
+++ b/modules/dgn-records/secrets.nix
@ -1 +1 @@
-{ __arkheon-token_file.publicKeys = (import ../../lib { }).machineKeys; }
+{ __arkheon-token_file.publicKeys = (import ../../keys).machineKeys; }
--- a/npins/sources.json
+++ b/npins/sources.json
@ -45,9 +45,9 @@
        "url": "https://git.dgnum.eu/DGNum/dgsi.git"
      },
      "branch": "main",
-      "revision": "129641cc1fdd657c070c54f3b93aa0cd7c5a5b1d",
+      "revision": "f6fcd90622151e116adedb41f53da0445f1ee387",
      "url": null,
-      "hash": "0s4bkj7y6iqch8xislxyx7w5rn0xz95rvj9gfwcvm3p7sqj92ldj"
+      "hash": "1rrm4j142h2dkphya34hg341xhklrdvqim35jy6g0152a7y1nkk4"
    },
    "disko": {
      "type": "GitRelease",
@ -194,20 +194,6 @@
      "url": "https://github.com/RaitoBezarius/microvm.nix/archive/49899c9a4fdf75320785e79709bf1608c34caeb8.tar.gz",
      "hash": "0sz6azdpiz4bd36x23bcdhx6mwyqj8zl5cczjgv48xqfmysy8zwy"
    },
-    "nix-lib": {
-      "type": "GitRelease",
-      "repository": {
-        "type": "Git",
-        "url": "https://git.hubrecht.ovh/hubrecht/nix-lib"
-      },
-      "pre_releases": false,
-      "version_upper_bound": null,
-      "release_prefix": null,
-      "version": "0.1.6",
-      "revision": "ffb3dfa4c146d48300bd4fa625acfe48e091a734",
-      "url": null,
-      "hash": "1frsja071qqx6p7rjnijzhidqfylx0ipzqpmjdvj4jl89h34vrhr"
-    },
    "nix-modules": {
      "type": "Git",
      "repository": {
Author	SHA1	Message	Date
Tom Hubrecht	6c4099d369	feat(infra): Internalize nix-lib, and make keys management simpler All checks were successful build configuration / push_to_cache_web01 (pull_request) Successful in 2m21s Details build configuration / push_to_cache_krz01 (pull_request) Successful in 2m30s Details build configuration / push_to_cache_geo01 (pull_request) Successful in 1m8s Details build configuration / push_to_cache_web02 (pull_request) Successful in 1m17s Details Check meta / check_meta (push) Successful in 17s Details Check meta / check_dns (push) Successful in 17s Details build configuration / push_to_cache_geo02 (pull_request) Successful in 1m11s Details build configuration / push_to_cache_bridge01 (pull_request) Successful in 1m10s Details build configuration / push_to_cache_rescue01 (pull_request) Successful in 1m23s Details build configuration / build_storage01 (push) Successful in 1m16s Details build configuration / build_vault01 (push) Successful in 1m13s Details build configuration / build_compute01 (push) Successful in 1m20s Details build configuration / build_web01 (push) Successful in 1m38s Details build configuration / build_krz01 (push) Successful in 1m58s Details lint / check (push) Successful in 25s Details build configuration / build_web02 (push) Successful in 1m9s Details build configuration / build_geo01 (push) Successful in 1m9s Details build configuration / build_geo02 (push) Successful in 1m10s Details build configuration / build_rescue01 (push) Successful in 1m15s Details build configuration / build_bridge01 (push) Successful in 1m2s Details build configuration / push_to_cache_storage01 (push) Successful in 1m25s Details build configuration / push_to_cache_vault01 (push) Successful in 1m37s Details build configuration / push_to_cache_web02 (push) Successful in 1m21s Details build configuration / push_to_cache_compute01 (push) Successful in 1m56s Details build configuration / push_to_cache_web01 (push) Successful in 2m18s Details build configuration / push_to_cache_geo01 (push) Successful in 1m15s Details build configuration / push_to_cache_krz01 (push) Successful in 2m25s Details build configuration / push_to_cache_geo02 (push) Successful in 1m8s Details build configuration / push_to_cache_bridge01 (push) Successful in 1m8s Details build configuration / push_to_cache_rescue01 (push) Successful in 1m23s Details	2024-10-09 18:58:46 +02:00
Tom Hubrecht	53c865a335	fix(dgsi): Set to an existing version Some checks failed build configuration / build_storage01 (push) Successful in 1m19s Details build configuration / build_vault01 (push) Successful in 1m22s Details build configuration / build_web02 (push) Successful in 1m21s Details build configuration / build_compute01 (push) Successful in 1m28s Details build configuration / build_web01 (push) Successful in 1m52s Details build configuration / build_krz01 (push) Successful in 2m2s Details lint / check (push) Successful in 24s Details build configuration / build_bridge01 (push) Successful in 1m3s Details build configuration / build_geo02 (push) Successful in 1m7s Details build configuration / build_rescue01 (push) Successful in 1m12s Details build configuration / build_geo01 (push) Successful in 1m11s Details build configuration / push_to_cache_storage01 (push) Successful in 1m23s Details build configuration / push_to_cache_vault01 (push) Successful in 1m23s Details build configuration / push_to_cache_web02 (push) Successful in 1m15s Details build configuration / push_to_cache_compute01 (push) Successful in 1m54s Details build configuration / push_to_cache_web01 (push) Has been cancelled Details build configuration / push_to_cache_rescue01 (push) Has been cancelled Details build configuration / push_to_cache_geo02 (push) Has been cancelled Details build configuration / push_to_cache_bridge01 (push) Has been cancelled Details build configuration / push_to_cache_geo01 (push) Has been cancelled Details build configuration / push_to_cache_krz01 (push) Successful in 2m13s Details	2024-10-09 18:57:06 +02:00
Ryan Lahfa	34640d467b	feat(krz01): finish ollama integration and whisper.cpp Some checks failed build configuration / push_to_cache_web01 (pull_request) Successful in 2m10s Details build configuration / push_to_cache_web02 (pull_request) Successful in 1m17s Details build configuration / push_to_cache_rescue01 (pull_request) Successful in 1m16s Details build configuration / push_to_cache_bridge01 (pull_request) Successful in 1m4s Details build configuration / push_to_cache_geo02 (pull_request) Successful in 1m15s Details build configuration / build_krz01 (pull_request) Successful in 15m22s Details build configuration / push_to_cache_krz01 (pull_request) Successful in 2m5s Details Check meta / check_meta (push) Successful in 18s Details Check meta / check_dns (push) Successful in 18s Details build configuration / build_compute01 (push) Failing after 1m14s Details build configuration / push_to_cache_compute01 (push) Has been skipped Details build configuration / build_storage01 (push) Successful in 1m17s Details build configuration / build_vault01 (push) Successful in 1m10s Details build configuration / build_web01 (push) Successful in 1m38s Details build configuration / build_krz01 (push) Successful in 2m0s Details build configuration / build_web02 (push) Successful in 1m9s Details lint / check (push) Successful in 24s Details build configuration / build_geo01 (push) Successful in 1m5s Details build configuration / build_rescue01 (push) Successful in 1m13s Details build configuration / build_geo02 (push) Successful in 1m6s Details build configuration / build_bridge01 (push) Successful in 1m0s Details build configuration / push_to_cache_storage01 (push) Successful in 1m32s Details build configuration / push_to_cache_web02 (push) Successful in 1m29s Details build configuration / push_to_cache_geo01 (push) Successful in 1m17s Details build configuration / push_to_cache_vault01 (push) Successful in 1m51s Details build configuration / push_to_cache_web01 (push) Successful in 1m58s Details build configuration / push_to_cache_krz01 (push) Successful in 2m25s Details build configuration / push_to_cache_geo02 (push) Successful in 1m11s Details build configuration / push_to_cache_bridge01 (push) Successful in 1m7s Details build configuration / push_to_cache_rescue01 (push) Successful in 1m29s Details My sanity was used in the process. Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>	2024-10-09 13:59:05 +02:00
Ryan Lahfa	8441992408	feat(krz01): move to unstable Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>	2024-10-09 12:51:14 +02:00
Ryan Lahfa	4bedb3f497	feat(krz01): move the GPU stuff to the host for now We also add a K80 specific patch for ollama. Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>	2024-10-09 09:33:57 +02:00
Ryan Lahfa	8160b2762f	feat(krz01): passthrough the nVidia Tesla K80 in ml01 This way, no need for reboot. Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>	2024-10-09 09:33:57 +02:00
Ryan Lahfa	ebed6462f6	feat(krz01): introduce ML01 -- a machine learning VM I will add ollama on it later on and passthrough the GPU in there. Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>	2024-10-09 09:33:57 +02:00
				`@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor`
				`@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA`
				`@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5bS3iBXz8wycBnTvI5Qi79WLu0h4IVv/EOdKYbP5y7`
				`@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu`
				`@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4`
				`@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket`
				`@ -1,2 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4o65gWOgNrxbSd3kiQIGZUM+YD6kuZOQtblvzUGsfB root@krz01`
				`@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf`
				`@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ`