qbit/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/ollama: reformat with nixfmt-rfc-style

Browse Source
This commit is contained in:
abysssol 2024-07-23 22:24:02 -04:00
parent 1dde72d508
commit 246d1ee533
1 changed files with 97 additions and 71 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

168
nixos/modules/services/misc/ollama.nix
View File

@ -1,22 +1,37 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
inherit (lib) literalExpression types mkBefore;
cfg = config.services.ollama;
ollamaPackage = cfg.package.override {
inherit (cfg) acceleration;
};
ollamaPackage = cfg.package.override { inherit (cfg) acceleration; };
staticUser = cfg.user != null && cfg.group != null;
in
{
imports = [
(lib.mkRemovedOptionModule [ "services" "ollama" "listenAddress" ]
"Use `services.ollama.host` and `services.ollama.port` instead.")
(lib.mkRemovedOptionModule [ "services" "ollama" "sandbox" ]
"Set `services.ollama.user` and `services.ollama.group` instead.")
(lib.mkRemovedOptionModule [ "services" "ollama" "writablePaths" ]
"The `models` directory is now always writable. To make other directories writable, use `systemd.services.ollama.serviceConfig.ReadWritePaths`." )
(lib.mkRemovedOptionModule [
"services"
"ollama"
"listenAddress"
] "Use `services.ollama.host` and `services.ollama.port` instead.")
(lib.mkRemovedOptionModule [
"services"
"ollama"
"sandbox"
] "Set `services.ollama.user` and `services.ollama.group` instead.")
(lib.mkRemovedOptionModule
[
"services"
"ollama"
"writablePaths"
]
"The `models` directory is now always writable. To make other directories writable, use `systemd.services.ollama.serviceConfig.ReadWritePaths`."
)
];
options = {
@ -84,7 +99,13 @@ in
'';
};
acceleration = lib.mkOption {
type = types.nullOr (types.enum [ false "rocm" "cuda" ]);
type = types.nullOr (
types.enum [
false
"rocm"
"cuda"
]
);
default = null;
example = "rocm";
description = ''
@ -150,13 +171,13 @@ in
};
config = lib.mkIf cfg.enable {
users = lib.mkIf staticUser {
users = lib.mkIf staticUser {
users.${cfg.user} = {
inherit (cfg) home;
isSystemUser = true;
group = cfg.group;
};
groups.${cfg.group} = {};
groups.${cfg.group} = { };
};
systemd.services.ollama = {
@ -169,64 +190,66 @@ in
OLLAMA_HOST = "${cfg.host}:${toString cfg.port}";
HSA_OVERRIDE_GFX_VERSION = lib.mkIf (cfg.rocmOverrideGfx != null) cfg.rocmOverrideGfx;
};
serviceConfig = lib.optionalAttrs staticUser {
User = cfg.user;
Group = cfg.group;
} // {
DynamicUser = true;
ExecStart = "${lib.getExe ollamaPackage} serve";
WorkingDirectory = cfg.home;
StateDirectory = [ "ollama" ];
ReadWritePaths = [
cfg.home
cfg.models
];
serviceConfig =
lib.optionalAttrs staticUser {
User = cfg.user;
Group = cfg.group;
}
// {
DynamicUser = true;
ExecStart = "${lib.getExe ollamaPackage} serve";
WorkingDirectory = cfg.home;
StateDirectory = [ "ollama" ];
ReadWritePaths = [
cfg.home
cfg.models
];
CapabilityBoundingSet = [ "" ];
DeviceAllow = [
# CUDA
# https://docs.nvidia.com/dgx/pdf/dgx-os-5-user-guide.pdf
"char-nvidiactl"
"char-nvidia-caps"
"char-nvidia-uvm"
# ROCm
"char-drm"
"char-kfd"
];
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = false; # hides acceleration devices
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "all"; # /proc/meminfo
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RemoveIPC = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
SupplementaryGroups = [ "render" ]; # for rocm to access /dev/dri/renderD* devices
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service @resources"
"~@privileged"
];
UMask = "0077";
};
CapabilityBoundingSet = [ "" ];
DeviceAllow = [
# CUDA
# https://docs.nvidia.com/dgx/pdf/dgx-os-5-user-guide.pdf
"char-nvidiactl"
"char-nvidia-caps"
"char-nvidia-uvm"
# ROCm
"char-drm"
"char-kfd"
];
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = false; # hides acceleration devices
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "all"; # /proc/meminfo
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RemoveIPC = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
SupplementaryGroups = [ "render" ]; # for rocm to access /dev/dri/renderD* devices
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service @resources"
"~@privileged"
];
UMask = "0077";
};
postStart = mkBefore ''
set -x
export OLLAMA_HOST=${lib.escapeShellArg cfg.host}:${builtins.toString cfg.port}
@ -242,5 +265,8 @@ in
environment.systemPackages = [ ollamaPackage ];
};
meta.maintainers = with lib.maintainers; [ abysssol onny ];
meta.maintainers = with lib.maintainers; [
abysssol
onny
];
}