From 246d1ee533810ac1946d863bbd9de9b525818d56 Mon Sep 17 00:00:00 2001 From: abysssol Date: Tue, 23 Jul 2024 22:24:02 -0400 Subject: [PATCH 1/3] nixos/ollama: reformat with `nixfmt-rfc-style` --- nixos/modules/services/misc/ollama.nix | 168 ++++++++++++++----------- 1 file changed, 97 insertions(+), 71 deletions(-) diff --git a/nixos/modules/services/misc/ollama.nix b/nixos/modules/services/misc/ollama.nix index 07031a082344..d545b15e5e1a 100644 --- a/nixos/modules/services/misc/ollama.nix +++ b/nixos/modules/services/misc/ollama.nix @@ -1,22 +1,37 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: let inherit (lib) literalExpression types mkBefore; cfg = config.services.ollama; - ollamaPackage = cfg.package.override { - inherit (cfg) acceleration; - }; + ollamaPackage = cfg.package.override { inherit (cfg) acceleration; }; staticUser = cfg.user != null && cfg.group != null; in { imports = [ - (lib.mkRemovedOptionModule [ "services" "ollama" "listenAddress" ] - "Use `services.ollama.host` and `services.ollama.port` instead.") - (lib.mkRemovedOptionModule [ "services" "ollama" "sandbox" ] - "Set `services.ollama.user` and `services.ollama.group` instead.") - (lib.mkRemovedOptionModule [ "services" "ollama" "writablePaths" ] - "The `models` directory is now always writable. To make other directories writable, use `systemd.services.ollama.serviceConfig.ReadWritePaths`." ) + (lib.mkRemovedOptionModule [ + "services" + "ollama" + "listenAddress" + ] "Use `services.ollama.host` and `services.ollama.port` instead.") + (lib.mkRemovedOptionModule [ + "services" + "ollama" + "sandbox" + ] "Set `services.ollama.user` and `services.ollama.group` instead.") + (lib.mkRemovedOptionModule + [ + "services" + "ollama" + "writablePaths" + ] + "The `models` directory is now always writable. To make other directories writable, use `systemd.services.ollama.serviceConfig.ReadWritePaths`." + ) ]; options = { 
@@ -84,7 +99,13 @@ in ''; }; acceleration = lib.mkOption { - type = types.nullOr (types.enum [ false "rocm" "cuda" ]); + type = types.nullOr ( + types.enum [ + false + "rocm" + "cuda" + ] + ); default = null; example = "rocm"; description = '' @@ -150,13 +171,13 @@ in }; config = lib.mkIf cfg.enable { - users = lib.mkIf staticUser { + users = lib.mkIf staticUser { users.${cfg.user} = { inherit (cfg) home; isSystemUser = true; group = cfg.group; }; - groups.${cfg.group} = {}; + groups.${cfg.group} = { }; }; systemd.services.ollama = { 
@@ -169,64 +190,66 @@ in OLLAMA_HOST = "${cfg.host}:${toString cfg.port}"; HSA_OVERRIDE_GFX_VERSION = lib.mkIf (cfg.rocmOverrideGfx != null) cfg.rocmOverrideGfx; }; - serviceConfig = lib.optionalAttrs staticUser { - User = cfg.user; - Group = cfg.group; - } // { - DynamicUser = true; - ExecStart = "${lib.getExe ollamaPackage} serve"; - WorkingDirectory = cfg.home; - StateDirectory = [ "ollama" ]; - ReadWritePaths = [ - cfg.home - cfg.models - ]; + serviceConfig = + lib.optionalAttrs staticUser { + User = cfg.user; + Group = cfg.group; + } + // { + DynamicUser = true; + ExecStart = "${lib.getExe ollamaPackage} serve"; + WorkingDirectory = cfg.home; + StateDirectory = [ "ollama" ]; + ReadWritePaths = [ + cfg.home + cfg.models + ]; - CapabilityBoundingSet = [ "" ]; - DeviceAllow = [ - # CUDA - # https://docs.nvidia.com/dgx/pdf/dgx-os-5-user-guide.pdf - "char-nvidiactl" - "char-nvidia-caps" - "char-nvidia-uvm" - # ROCm - "char-drm" - "char-kfd" - ]; - DevicePolicy = "closed"; - LockPersonality = true; - MemoryDenyWriteExecute = true; - NoNewPrivileges = true; - PrivateDevices = false; # hides acceleration devices - PrivateTmp = true; - PrivateUsers = true; - ProcSubset = "all"; # /proc/meminfo - ProtectClock = true; - ProtectControlGroups = true; - ProtectHome = true; - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - ProtectProc = "invisible"; - ProtectSystem = "strict"; - RemoveIPC = true; - RestrictNamespaces = true; - RestrictRealtime = true; - RestrictSUIDSGID = true; - RestrictAddressFamilies = [ - "AF_INET" - "AF_INET6" - "AF_UNIX" - ]; - SupplementaryGroups = [ "render" ]; # for rocm to access /dev/dri/renderD* devices - SystemCallArchitectures = "native"; - SystemCallFilter = [ - "@system-service @resources" - "~@privileged" - ]; - UMask = "0077"; - }; + CapabilityBoundingSet = [ "" ]; + DeviceAllow = [ + # CUDA + # https://docs.nvidia.com/dgx/pdf/dgx-os-5-user-guide.pdf + "char-nvidiactl" + 
"char-nvidia-caps" + "char-nvidia-uvm" + # ROCm + "char-drm" + "char-kfd" + ]; + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = false; # hides acceleration devices + PrivateTmp = true; + PrivateUsers = true; + ProcSubset = "all"; # /proc/meminfo + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + RemoveIPC = true; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_UNIX" + ]; + SupplementaryGroups = [ "render" ]; # for rocm to access /dev/dri/renderD* devices + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service @resources" + "~@privileged" + ]; + UMask = "0077"; + }; postStart = mkBefore '' set -x export OLLAMA_HOST=${lib.escapeShellArg cfg.host}:${builtins.toString cfg.port} @@ -242,5 +265,8 @@ in environment.systemPackages = [ ollamaPackage ]; }; - meta.maintainers = with lib.maintainers; [ abysssol onny ]; + meta.maintainers = with lib.maintainers; [ + abysssol + onny + ]; } From 339d0cd68c5135bf6dbde360b46570324f8e3685 Mon Sep 17 00:00:00 2001 From: abysssol Date: Tue, 23 Jul 2024 23:05:25 -0400 Subject: [PATCH 2/3] nixos/ollama: update `.git-blame-ignore-revs` --- .git-blame-ignore-revs | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.git-blame-ignore-revs b/.git-blame-ignore-revs index e8d367705d3b..f6ffeb9b122a 100644 --- a/.git-blame-ignore-revs +++ b/.git-blame-ignore-revs @@ -150,3 +150,6 @@ ff5c8f6cc3d1f2e017e86d50965c14b71f00567b # ollama: format with nixfmt-rfc-style (#329353) bdfde18037f8d9f9b641a4016c8ada4dc4cbf856 + +# nixos/ollama: format with nixfmt-rfc-style (#329561) +246d1ee533810ac1946d863bbd9de9b525818d56 
From 084f6a3e260a9576c955137ff44b2e6d4fac6891 Mon Sep 17 00:00:00 2001 From: abysssol Date: Tue, 23 Jul 2024 22:26:43 -0400 Subject: [PATCH 3/3] nixos/ollama: make `rocmOverrideGfx` backward compatible The initial version of `rocmOverrideGfx` incorrectly used `lib.mkIf` in an attempt to prevent interference with previous uses of `environmentVariables.HSA_OVERRIDE_GFX_VERSION`. However, the effect was actually to simply erase existing definitions of `HSA_OVERRIDE_GFX_VERSION` until `rocmOverrideGfx` was set, which was the situation I was trying to avoid in the first place. This fixes the bug by switching from `lib.mkIf` to `lib.optionalAttrs`. --- nixos/modules/services/misc/ollama.nix | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/nixos/modules/services/misc/ollama.nix b/nixos/modules/services/misc/ollama.nix index d545b15e5e1a..06c4869ec7bb 100644 --- a/nixos/modules/services/misc/ollama.nix +++ b/nixos/modules/services/misc/ollama.nix @@ -184,12 +184,16 @@ in description = "Server for local large language models"; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; - environment = cfg.environmentVariables // { - HOME = cfg.home; - OLLAMA_MODELS = cfg.models; - OLLAMA_HOST = "${cfg.host}:${toString cfg.port}"; - HSA_OVERRIDE_GFX_VERSION = lib.mkIf (cfg.rocmOverrideGfx != null) cfg.rocmOverrideGfx; - }; + environment = + cfg.environmentVariables + // { + HOME = cfg.home; + OLLAMA_MODELS = cfg.models; + OLLAMA_HOST = "${cfg.host}:${toString cfg.port}"; + } + // lib.optionalAttrs (cfg.rocmOverrideGfx != null) { + HSA_OVERRIDE_GFX_VERSION = cfg.rocmOverrideGfx; + }; serviceConfig = lib.optionalAttrs staticUser { User = cfg.user;
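Review bot: Because `//` is right-biased, a user-supplied `environmentVariables.HSA_OVERRIDE_GFX_VERSION` now survives only while `rocmOverrideGfx` is null; once both are set the option silently wins, and the same silent override already applies to `HOME`, `OLLAMA_MODELS` and `OLLAMA_HOST` from the middle attrset. Since the commit message describes the goal as avoiding interference between the two, the precedence should be either enforced or documented: an assertion such as `assertions = [ { assertion = cfg.rocmOverrideGfx == null || !(cfg.environmentVariables ? HSA_OVERRIDE_GFX_VERSION); message = "services.ollama: set either rocmOverrideGfx or environmentVariables.HSA_OVERRIDE_GFX_VERSION, not both"; } ];` fails evaluation on conflicting definitions instead of picking one. If silent precedence is the intended behaviour, state it in the `rocmOverrideGfx` option description, e.g. "Takes precedence over `environmentVariables.HSA_OVERRIDE_GFX_VERSION` when both are set." Both the assertion and the option description belong under `config`/`options` outside this hunk, and the enclosing `systemd.services.ollama` attrset begins and ends outside it as well.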