nix-ai/containers/buildMachine.nix

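# NixOS module declaring the "builder" container: an SSH-reachable Nix build
# machine with the host's NVIDIA device nodes bound into it.
# `lib` is nixpkgs' lib (only `range` and `mkDefault` are used here).
{ lib, ... }: let
  # Number of /dev/nvidia0..7 nodes that exist at *evaluation* time.
  # NOTE(review): builtins.pathExists runs on the machine doing the evaluation,
  # not necessarily on the deployment target, and pure/flake evaluation may not
  # see /dev at all — confirm this module is always evaluated on the GPU host.
  gpuCount = builtins.length (builtins.filter builtins.pathExists
    (map (i: "/dev/nvidia${toString i}") (lib.range 0 7)));
in {
  containers.builder = let
    # Control/UVM nodes plus one node per detected GPU. lib.range yields [] when
    # gpuCount is 0, so no /dev/nvidiaN entry is produced on a GPU-less host; the
    # three fixed nodes are still bound and therefore must exist on the host.
    nvidiaDevices = [
      "/dev/nvidiactl"
      "/dev/nvidia-uvm"
      "/dev/nvidia-uvm-tools"
    ] ++ (map (i: "/dev/nvidia${toString i}") (lib.range 0 (gpuCount - 1)));
  in {
    autoStart = true;
    hostBridge = "br0";
    localAddress = "10.23.22.11";
    # Bind-mount every device node into the container and grant rw access to
    # it; both lists are derived from nvidiaDevices so they cannot drift apart.
    extraFlags = map (v: "--bind=${v}") nvidiaDevices;
    allowedDevices = map (v: {
      modifier = "rw";
      node = v;
    }) nvidiaDevices;
    # sshd (port 12, see services.openssh.ports below) is the only forwarded service.
    forwardPorts = [{
      containerPort = 12;
      hostPort = 12;
      protocol = "tcp";
    }];
    config = { nixosModules, config, pkgs, ... }: {
      imports = [ nixosModules.buildMachine ];
      networking = {
        hostName = "buildMachine";
        # Open exactly the sshd ports, so firewall and sshd stay in sync.
        firewall.allowedTCPPorts = config.services.openssh.ports;
      };
      services.openssh = {
        ports = [ 12 ];
        extraConfig = "StreamLocalBindUnlink yes";
        # mkDefault so a host-specific module can override the key set.
        hostKeys = lib.mkDefault [
          {
            path = "/etc/ssh/ssh_host_ed25519_key";
            type = "ed25519";
          }
          {
            path = "/etc/ssh/ssh_host_ecdsa_key";
            type = "ecdsa";
          }
        ];
        # Hardened sshd_config: key-based auth only, no forwarding, no TTY —
        # a remote build machine only needs non-interactive sessions.
        settings = {
          # NOTE(review): deprecated alias of KbdInteractiveAuthentication in
          # current OpenSSH; still accepted, consider switching the key.
          ChallengeResponseAuthentication = "no";
          ClientAliveCountMax = 2;
          # NOTE(review): sshd appears to match yes/no values case-insensitively;
          # confirm, or spell it "no" like the other keys.
          Compression = "NO";
          IgnoreRhosts = "yes";
          LogLevel = "VERBOSE";
          MaxAuthTries = 3;
          MaxSessions = 2;
          PasswordAuthentication = false;
          PermitEmptyPasswords = "no";
          PermitRootLogin = "no";
          X11Forwarding = false;
          AllowAgentForwarding = "no";
          AllowTcpForwarding = "no";
          PermitTTY = "no";
          # Only SHA-2 / curve25519 / post-quantum hybrid exchanges. The SHA-1
          # based diffie-hellman-group14-sha1 was dropped: it was the single
          # legacy algorithm in an otherwise modern, curated list.
          KexAlgorithms = [
            "curve25519-sha256"
            "curve25519-sha256@libssh.org"
            "diffie-hellman-group-exchange-sha256"
            "ecdh-sha2-nistp256"
            "ecdh-sha2-nistp384"
            "ecdh-sha2-nistp521"
            "sntrup761x25519-sha512@openssh.com"
          ];
          # Encrypt-then-MAC variants only.
          Macs = [
            "hmac-sha2-512-etm@openssh.com"
            "hmac-sha2-256-etm@openssh.com"
            "umac-128-etm@openssh.com"
          ];
        };
      };
      # NOTE(review): these `nix.*` options are presumably declared by
      # nixosModules.buildMachine (imported above) — not part of upstream NixOS.
      nix = {
        inherit gpuCount;
        gpuSupport = true;
        buildUser = true;
      };
    };
  };
}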