| 20 Jun 2025 |
connor (burnt/out) (UTC-8) | Looks like eval time for `release-cuda.nix` shot up from 7s to 25s on the PR branch I have which fixes package set leakage | 18:45:00 |
Gaétan Lepage | Ok thanks! And good luck with the eval ;) | 19:11:37 |
| 22 Jun 2025 |
| SomeoneSerge (matrix works sometimes) changed their display name from SomeoneSerge (UTC+U[-12,12]) to SomeoneSerge (Ever OOMed by Element). | 12:12:55 |
| @niten:fudo.im joined the room. | 16:55:22 |
| 23 Jun 2025 |
| lon joined the room. | 08:55:01 |
lon | Hi! I have a question, would anybody be interested in a services.vllm module? I was working on running it as systemd service and hardening it and I'm happy with the result... | 08:57:13 |
lon | Download vllm.nix | 08:58:43 |
lon | (I've never contributed to nixpkgs, so I'm not sure how high quality this is) | 08:59:15 |
lon | The interesting part is
MemoryDenyWriteExecute = false; # Needed for CUDA/PyTorch JIT
PrivateDevices = false; # Needed for GPU access
RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK"];
DevicePolicy = "closed"; # Only allow the following devices, based on strace usage:
DeviceAllow = lib.flatten [
# Basic devices
"/dev/null rw"
"/dev/urandom r"
"/dev/tty rw"
# NVIDIA control devices
"/dev/nvidiactl rw"
"/dev/nvidia-modeset rw"
"/dev/nvidia-uvm rw"
"/dev/nvidia-uvm-tools rw"
(builtins.map (i: "/dev/nvidia${builtins.toString i} rw") (lib.splitString " " cfg.cudaDevices))
# NVIDIA capability devices
"/dev/nvidia-caps/nvidia-cap1 r"
"/dev/nvidia-caps/nvidia-cap2 r"
];
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
RestrictNamespaces = true;
LockPersonality = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RemoveIPC = true;
PrivateMounts = true;
PrivateUsers = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectClock = true;
ProtectProc = "invisible";
UMask = "0077";
CapabilityBoundingSet = ["CAP_SYS_NICE"];
AmbientCapabilities = ["CAP_SYS_NICE"];
| 09:06:10 |
connor (burnt/out) (UTC-8) | Two things I've promised to look at today:
- Bumping the version of protobuf used by OpenCV, which hasn't been updated in a while (need to backport to 25.05 as well).
- Figuring out how to revert https://github.com/NixOS/nixpkgs/pull/414647 in a way that doesn't break consumers of OpenCV -- really don't want cudatoolkit propagated to all consumers of OpenCV.
| 17:30:42 |
| 24 Jun 2025 |
connor (burnt/out) (UTC-8) | :L | 23:45:47 |
connor (burnt/out) (UTC-8) | https://github.com/NixOS/nixpkgs/blob/5d0aa4675f7a35ec9661325d1dc22dfcbba5d040/pkgs/development/python-modules/warp-lang/default.nix#L100 is wrong; there's no BSD license | 23:45:58 |