Thank you for that. Yes, I only really follow his post roughly.

Unfortunately, I don’t think secureblue is going to be a possible choice. I like the secureblue project, I think it’s awesome but what I’m working with will likely only come with a Rocky/AlmaLinux base.

You raise a valid point. In which case, I want to try and prevent malicious privilege escalation by a process on this system. I know that’s a broad topic and depends on the application being run, but most of the tweaks I’ve listed work towards that to an extent.

To be precise, I’m asking how to harden the upcoming AlmaLinux based Dom0 by the XCP-NG project. I want my system to be difficult to work with even if someone breaks into it (unlikely because I trust Xen as a hypervisor platform but still).

I admit I was a bit surprised by the question since I’ve never consciously thought about a reason to harden my OS. I always just want to do it and wonder why OSes aren’t hardened more by default.

What do you mean? I want to harden it in a general sense against exploitation

Thank you for the note. I’m been cursing myself for not being able to provide my devs with something similar (they don’t complain but I know it will make their lives easier). I will start nix from scratch if I learn it but nixops definitely seems like it can help because terraform isn’t that great at the example you provided. Thanks.

focused on security hardening

Could you elaborate?

I am serious. I am a cloud engineer (glorified system admin for cloud + Linux VMs) and I’m still stuck on Ansible + Terraform (stuck isn’t the right word, we are a RHEL and Alpine shop for our VMs and Containers and things work well enough). My friends in bigger companies are using Nix though, but I was always scared of the learning curve. I want to see clear benefits of using nix so I can push myself to actually learn it, which is why I asked. Thanks for the link.

Please tell me more about your work and how you use Nix in it. I’m interested.

Have you tried bigger models?

Haha I know

Well I guess if you have a GPU then Ryzen Zen 3 processors are better bang for the buck

That’s great to know. Do you regret not having the performance of Nvidia? I would prefer not to buy green but I’m not sure from the comments about the delta in performance from ROCM vs CUDA

I’m not the OP, and yeah I saw that too. Thanks

I see. Thanks

How quantized? I don’t think 16GB of RAM is enough to run a full fat 12B model at FP16 but maybe I’m wrong.

Nvidia cards are just too expensive

How do you not configure the network stack? If you have an Intel NIC on the motherboard/any PCIE lanes in theory it should be able to connect.

What worries me is that someone could perform a reverse shell on my system with/in addition to a magic packet and get full ring 0 access to my system. I’m investigating network monitoring tools that can help me find traces of ME on my network.

Because it lets us disable Intel ME

I think Ollama supported ROCM especially with the older AMD cards?

I think pcpartpicker has different options to share with similar formatting that you could paste.

Why did you decide to change the motherboard? Is it because of Intel’s issues with their chips? Wouldn’t that problem be fixed with their microcode patch if you buy now?

I couldn’t find a 9070XT at around MSRP anywhere, I wanted to use them in a combination with other GPUs for AI. Know where I can find some?

I work on Linux and use Linux at home. I’ll try to go through the problems you mentioned:

1. Just run the update command again in the GUI or terminal. If it doesn’t work, we’ll have to dig into apt with verbose logs but I haven’t had apt break on me for over a decade unless I deleted something I shouldn’t have.
2. Is Firefox installed as a snap/flatpak? That only happens with me occasionally when I installed flatpaks, they’re just slower. Canonical can be a real arse about this stuff, they might switch packages to snaps without telling you and you might only come to know about it once you dig deeper.
3. All of these issues seem to related to your storage medium. Is the SSD OK? Open up the process monitor, sort by ascending order of disk writes/reads and open your applications one by one to see which one of them is the culprit.
4. Rebooting suddenly is not normal. Unfortunately, you’ll have to go through logs for this one. Simple ones are dmesg and journalctl, we can dig deeper into them if you want to.

If I had my hands on your laptop I’d be running a vulnerability scan by now but I don’t think the problem is serious enough to warrant it.