ADDED: state for setting up OpenWebUI in a Podman container with strict firewall...
authorAndreas Glashauser <ag@andreasglashauser.com>
Sat, 29 Mar 2025 15:32:11 +0000 (16:32 +0100)
committerAndreas Glashauser <ag@andreasglashauser.com>
Sat, 29 Mar 2025 15:32:11 +0000 (16:32 +0100)
user_salt/llm/init.sls [new file with mode: 0644]
user_salt/llm/llm--configure-qube.sls [new file with mode: 0644]
user_salt/llm/llm--create-qube.sls [new file with mode: 0644]
user_salt/llm/llm--create-template.sls [new file with mode: 0644]
user_salt/llm/llm--install-packages.sls [new file with mode: 0644]
user_salt/top.sls

diff --git a/user_salt/llm/init.sls b/user_salt/llm/init.sls
new file mode 100644 (file)
index 0000000..61f42d6
--- /dev/null
@@ -0,0 +1,5 @@
+include:
+  - llm.llm--create-template
+  - llm.llm--install-packages
+  - llm.llm--create-qube
+  - llm.llm--configure-qube
diff --git a/user_salt/llm/llm--configure-qube.sls b/user_salt/llm/llm--configure-qube.sls
new file mode 100644 (file)
index 0000000..6bc2ad5
--- /dev/null
@@ -0,0 +1,75 @@
+{% if grains['id'] == 'dom0' %}
+
+llm--configure-qube-firewall:
+  cmd.run:
+    - name: |
+        qvm-firewall q-llm reset
+        qvm-firewall q-llm del accept
+        qvm-firewall q-llm add accept specialtarget=dns
+        qvm-firewall q-llm add accept proto=icmp
+        qvm-firewall q-llm add accept ghcr.io proto=tcp
+        qvm-firewall q-llm add accept pkg-containers.githubusercontent.com proto=tcp
+        qvm-firewall q-llm add accept openrouter.ai proto=tcp
+        qvm-firewall q-llm add drop
+
+{% elif grains['id'] == 'q-llm' %}
+
+{% set username = 'user' %}
+{% set container_name = 'open-webui' %}
+{% set service_file_dir = '/home/' ~ username ~ '/.config/systemd/user/' %}
+{% set service_file = '/home/' ~ username ~ '/.config/systemd/user/container-' ~ container_name ~ '.service' %}
+{% set userid = salt['user.info'](username).uid %}
+{% set quadlet_file_dir = '/home/' ~ username ~ '/.config/containers/systemd/' %}
+{% set quadlet_file_path = quadlet_file_dir ~ container_name ~ '.container' %}
+
+{% set xdg_runtime_dir = '/run/user' + userid | string %}
+
+llm--create-quadlet-dir:
+  file.directory:
+    - name: /home/{{ username }}/.config/containers/systemd/
+    - user: {{ username }}
+    - group: {{ username }}
+    - makedirs: True
+
+llm--deploy-quadlet-file:
+  file.managed:
+    - name: /home/{{ username }}/.config/containers/systemd/open-webui.container
+    - contents: |
+        [Unit]
+        Description=Open WebUI container managed by Podman
+        
+        [Container]
+        Image=ghcr.io/open-webui/open-webui:ollama
+        PublishPort=3000:8080
+        Volume=ollama:/root/.ollama
+        Volume=open-webui:/app/backend/data
+        
+        [Service]
+        Restart=always
+        TimeoutStartSec=1800
+
+        [Install]
+        WantedBy=default.target
+    - user: {{ username }}
+    - group: {{ username }}
+    - mode: 644
+    - require:
+      - file: llm--create-quadlet-dir
+
+llm--enable-linger:
+  cmd.run:
+    - name: loginctl enable-linger user
+    - unless: loginctl show-user user | grep Linger=yes
+
+llm--reload-user-daemon:
+  cmd.run:
+    - name: |
+        systemctl --user daemon-reload
+    - runas: {{ username }}
+    - env:
+      - XDG_RUNTIME_DIR: /run/user/1000
+      - DBUS_SESSION_BUS_ADDRESS: unix:path=/run/user/1000/bus
+    - require:
+      - cmd: llm--enable-linger
+
+{% endif %}
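Review bot: `PublishPort=3000:8080` in the quadlet publishes Open WebUI on every interface of q-llm rather than only the loopback that the local Firefox needs, so the listener is exposed toward the netvm side and depends entirely on the qube's own input filtering; `PublishPort=127.0.0.1:3000:8080` keeps it host-local. The `Image=ghcr.io/open-webui/open-webui:ollama` reference is a mutable tag with no digest, so each pull through the ghcr.io firewall exception may fetch different code; pinning `@sha256:…` (or at least a versioned tag) makes the deployment reproducible and auditable. The three hostname rules in `llm--configure-qube-firewall` accept any TCP destination port; adding `dstports=443` to each narrows them to HTTPS, and note that `qvm-firewall q-llm reset` rewrites the whole ruleset on every highstate. Separately, `xdg_runtime_dir` renders as `/run/user1000` (no `/` before the uid) and is never used — `llm--reload-user-daemon` hardcodes `/run/user/1000` where `/run/user/{{ userid }}` was clearly intended, `llm--enable-linger` hardcodes `user` instead of `{{ username }}`, and the `service_file*`/`quadlet_file*` variables are likewise unused in favour of literal paths.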
diff --git a/user_salt/llm/llm--create-qube.sls b/user_salt/llm/llm--create-qube.sls
new file mode 100644 (file)
index 0000000..60006cf
--- /dev/null
@@ -0,0 +1,30 @@
+{% if grains['id'] == 'dom0' %}
+
+llm--create-qube:
+  qvm.vm:
+    - name: q-llm
+    - present:
+      - template: template-llm
+      - label: orange
+    - prefs:
+      - label: orange
+      - audiovm:
+      - guivm: dom0
+      - netvm: sys-vpn-mullvad
+      - memory: 4000
+      - maxmem: 8000
+      - vcpus: 4
+    - features:
+      - set:
+        - menu-items: xterm.desktop org.mozilla.firefox.desktop
+    - service:
+      - enable:
+        - shutdown-idle
+    - require:
+      - qvm: llm--create-template
+
+llm--extend-private-storage:
+  cmd.run:
+    - name: qvm-volume extend q-llm:private 10737418240
+
+{% endif %}
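Review bot: `llm--extend-private-storage` has neither a `require` on `llm--create-qube` nor an `unless`, so it relies on in-file ordering to run after the qube exists and re-issues `qvm-volume extend q-llm:private 10737418240` on every highstate, which qvm-volume may refuse once the volume is already that size or larger. Adding `require: - qvm: llm--create-qube` and a guard such as `unless: test "$(qvm-volume info q-llm:private size)" -ge 10737418240` makes it idempotent; confirm the exact `qvm-volume info` output on the target release. The `label: orange` given under both `present` and `prefs` is redundant; one is enough.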
diff --git a/user_salt/llm/llm--create-template.sls b/user_salt/llm/llm--create-template.sls
new file mode 100644 (file)
index 0000000..bf827af
--- /dev/null
@@ -0,0 +1,26 @@
+{% import "templates/versions.jinja" as version %}
+
+include:
+  - templates.templates--install-fedora-minimal
+
+{% if grains['id'] == 'dom0' %}
+
+llm--create-template:
+  qvm.clone:
+    - name: template-llm
+    - source: fedora-{{ version.fedora }}-minimal
+    - class: TemplateVM
+    - require:
+      - qvm: templates--install-fedora-{{ version.fedora }}-minimal
+
+llm--create-template-prefs:
+  qvm.prefs:
+    - name: template-llm
+    - label: orange 
+    - netvm:
+    - audiovm:
+    - guivm:
+    - require:
+      - qvm: llm--create-template
+
+{% endif %}
diff --git a/user_salt/llm/llm--install-packages.sls b/user_salt/llm/llm--install-packages.sls
new file mode 100644 (file)
index 0000000..5d33fc8
--- /dev/null
@@ -0,0 +1,11 @@
+{% if grains['id'] == 'template-llm' %}
+
+llm--install-packages:
+  pkg.installed:
+    - pkgs:
+      - qubes-core-agent-networking
+      - qubes-app-shutdown-idle
+      - podman
+      - firefox
+
+{% endif %}
index 8bbe26c1f146717253fa1ee6b788e00e60908ff8..4b85dc95105a24a863e732d3d075fa197cd6a2c4 100644 (file)
@@ -131,3 +131,6 @@ user:
   dom0 or sys-whonix:
     - sys-whonix
     - common.kernel.kernel--disable-sound
+  
+  dom0 or template-llm or q-llm:
+    - llm