nixos/ollama: reformat with nixfmt-rfc-style

abysssol 2024-07-23 22:24:02 -04:00
parent 1dde72d508
commit 246d1ee533


@ -1,22 +1,37 @@
{ config, lib, pkgs, ... }: {
config,
lib,
pkgs,
...
}:
let let
inherit (lib) literalExpression types mkBefore; inherit (lib) literalExpression types mkBefore;
cfg = config.services.ollama; cfg = config.services.ollama;
ollamaPackage = cfg.package.override { ollamaPackage = cfg.package.override { inherit (cfg) acceleration; };
inherit (cfg) acceleration;
};
staticUser = cfg.user != null && cfg.group != null; staticUser = cfg.user != null && cfg.group != null;
in in
{ {
imports = [ imports = [
(lib.mkRemovedOptionModule [ "services" "ollama" "listenAddress" ] (lib.mkRemovedOptionModule [
"Use `services.ollama.host` and `services.ollama.port` instead.") "services"
(lib.mkRemovedOptionModule [ "services" "ollama" "sandbox" ] "ollama"
"Set `services.ollama.user` and `services.ollama.group` instead.") "listenAddress"
(lib.mkRemovedOptionModule [ "services" "ollama" "writablePaths" ] ] "Use `services.ollama.host` and `services.ollama.port` instead.")
"The `models` directory is now always writable. To make other directories writable, use `systemd.services.ollama.serviceConfig.ReadWritePaths`." ) (lib.mkRemovedOptionModule [
"services"
"ollama"
"sandbox"
] "Set `services.ollama.user` and `services.ollama.group` instead.")
(lib.mkRemovedOptionModule
[
"services"
"ollama"
"writablePaths"
]
"The `models` directory is now always writable. To make other directories writable, use `systemd.services.ollama.serviceConfig.ReadWritePaths`."
)
]; ];
options = { options = {
@ -84,7 +99,13 @@ in
''; '';
}; };
acceleration = lib.mkOption { acceleration = lib.mkOption {
type = types.nullOr (types.enum [ false "rocm" "cuda" ]); type = types.nullOr (
types.enum [
false
"rocm"
"cuda"
]
);
default = null; default = null;
example = "rocm"; example = "rocm";
description = '' description = ''
@ -150,13 +171,13 @@ in
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
users = lib.mkIf staticUser { users = lib.mkIf staticUser {
users.${cfg.user} = { users.${cfg.user} = {
inherit (cfg) home; inherit (cfg) home;
isSystemUser = true; isSystemUser = true;
group = cfg.group; group = cfg.group;
}; };
groups.${cfg.group} = {}; groups.${cfg.group} = { };
}; };
systemd.services.ollama = { systemd.services.ollama = {
@ -169,64 +190,66 @@ in
OLLAMA_HOST = "${cfg.host}:${toString cfg.port}"; OLLAMA_HOST = "${cfg.host}:${toString cfg.port}";
HSA_OVERRIDE_GFX_VERSION = lib.mkIf (cfg.rocmOverrideGfx != null) cfg.rocmOverrideGfx; HSA_OVERRIDE_GFX_VERSION = lib.mkIf (cfg.rocmOverrideGfx != null) cfg.rocmOverrideGfx;
}; };
serviceConfig = lib.optionalAttrs staticUser { serviceConfig =
User = cfg.user; lib.optionalAttrs staticUser {
Group = cfg.group; User = cfg.user;
} // { Group = cfg.group;
DynamicUser = true; }
ExecStart = "${lib.getExe ollamaPackage} serve"; // {
WorkingDirectory = cfg.home; DynamicUser = true;
StateDirectory = [ "ollama" ]; ExecStart = "${lib.getExe ollamaPackage} serve";
ReadWritePaths = [ WorkingDirectory = cfg.home;
cfg.home StateDirectory = [ "ollama" ];
cfg.models ReadWritePaths = [
]; cfg.home
cfg.models
];
CapabilityBoundingSet = [ "" ]; CapabilityBoundingSet = [ "" ];
DeviceAllow = [ DeviceAllow = [
# CUDA # CUDA
# https://docs.nvidia.com/dgx/pdf/dgx-os-5-user-guide.pdf # https://docs.nvidia.com/dgx/pdf/dgx-os-5-user-guide.pdf
"char-nvidiactl" "char-nvidiactl"
"char-nvidia-caps" "char-nvidia-caps"
"char-nvidia-uvm" "char-nvidia-uvm"
# ROCm # ROCm
"char-drm" "char-drm"
"char-kfd" "char-kfd"
]; ];
DevicePolicy = "closed"; DevicePolicy = "closed";
LockPersonality = true; LockPersonality = true;
MemoryDenyWriteExecute = true; MemoryDenyWriteExecute = true;
NoNewPrivileges = true; NoNewPrivileges = true;
PrivateDevices = false; # hides acceleration devices PrivateDevices = false; # hides acceleration devices
PrivateTmp = true; PrivateTmp = true;
PrivateUsers = true; PrivateUsers = true;
ProcSubset = "all"; # /proc/meminfo ProcSubset = "all"; # /proc/meminfo
ProtectClock = true; ProtectClock = true;
ProtectControlGroups = true; ProtectControlGroups = true;
ProtectHome = true; ProtectHome = true;
ProtectHostname = true; ProtectHostname = true;
ProtectKernelLogs = true; ProtectKernelLogs = true;
ProtectKernelModules = true; ProtectKernelModules = true;
ProtectKernelTunables = true; ProtectKernelTunables = true;
ProtectProc = "invisible"; ProtectProc = "invisible";
ProtectSystem = "strict"; ProtectSystem = "strict";
RemoveIPC = true; RemoveIPC = true;
RestrictNamespaces = true; RestrictNamespaces = true;
RestrictRealtime = true; RestrictRealtime = true;
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
RestrictAddressFamilies = [ RestrictAddressFamilies = [
"AF_INET" "AF_INET"
"AF_INET6" "AF_INET6"
"AF_UNIX" "AF_UNIX"
]; ];
SupplementaryGroups = [ "render" ]; # for rocm to access /dev/dri/renderD* devices SupplementaryGroups = [ "render" ]; # for rocm to access /dev/dri/renderD* devices
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
SystemCallFilter = [ SystemCallFilter = [
"@system-service @resources" "@system-service @resources"
"~@privileged" "~@privileged"
]; ];
UMask = "0077"; UMask = "0077";
}; };
postStart = mkBefore '' postStart = mkBefore ''
set -x set -x
export OLLAMA_HOST=${lib.escapeShellArg cfg.host}:${builtins.toString cfg.port} export OLLAMA_HOST=${lib.escapeShellArg cfg.host}:${builtins.toString cfg.port}
@ -242,5 +265,8 @@ in
environment.systemPackages = [ ollamaPackage ]; environment.systemPackages = [ ollamaPackage ];
}; };
meta.maintainers = with lib.maintainers; [ abysssol onny ]; meta.maintainers = with lib.maintainers; [
abysssol
onny
];
} }