From: Andreas Glashauser Date: Tue, 1 Apr 2025 08:15:09 +0000 (+0200) Subject: ADDED: states for setting up OpenWebUI in a Podman container with strict firewall... X-Git-Url: https://git.andreasglashauser.com/?a=commitdiff_plain;h=3383386639527f1bebc57d2cb46b0b98b4c7bb67;p=salt-qubes.git ADDED: states for setting up OpenWebUI in a Podman container with strict firewall rules
---
diff --git a/user_salt/openwebui/init.sls b/user_salt/openwebui/init.sls
new file mode 100644
index 0000000..69474a0
--- /dev/null
+++ b/user_salt/openwebui/init.sls
@@ -0,0 +1,5 @@
+include:
+ - openwebui.openwebui--create-template
+ - openwebui.openwebui--install-packages
+ - openwebui.openwebui--create-qube
+ - openwebui.openwebui--configure-qube
diff --git a/user_salt/openwebui/openwebui--configure-qube.sls b/user_salt/openwebui/openwebui--configure-qube.sls
new file mode 100644
index 0000000..399fd2e
--- /dev/null
+++ b/user_salt/openwebui/openwebui--configure-qube.sls
@@ -0,0 +1,75 @@
+{% if grains['id'] == 'dom0' %}
+
+openwebui--configure-qube-firewall:
+ cmd.run:
+ - name: |
+ qvm-firewall q-openwebui reset
+ qvm-firewall q-openwebui del accept
+ qvm-firewall q-openwebui add accept specialtarget=dns
+ qvm-firewall q-openwebui add accept proto=icmp
+ qvm-firewall q-openwebui add accept ghcr.io proto=tcp
+ qvm-firewall q-openwebui add accept pkg-containers.githubusercontent.com proto=tcp
+ qvm-firewall q-openwebui add accept openrouter.ai proto=tcp
+ qvm-firewall q-openwebui add drop
+
+{% elif grains['id'] == 'q-openwebui' %}
+
+{% set username = 'user' %}
+{% set container_name = 'open-webui' %}
+{% set service_file_dir = '/home/' ~ username ~ '/.config/systemd/user/' %}
+{% set service_file = '/home/' ~ username ~ '/.config/systemd/user/container-' ~ container_name ~ '.service' %}
+{% set userid = salt['user.info'](username).uid %}
+{% set quadlet_file_dir = '/home/' ~ username ~ '/.config/containers/systemd/' %}
+{% set quadlet_file_path = quadlet_file_dir ~ container_name ~ '.container' %}
+
+{% set xdg_runtime_dir = '/run/user' + userid | string %}
+
+openwebui--create-quadlet-dir:
+ file.directory:
+ - name: /home/{{ username }}/.config/containers/systemd/
+ - user: {{ username }}
+ - group: {{ username }}
+ - makedirs: True
+
+openwebui--deploy-quadlet-file:
+ file.managed:
+ - name: /home/{{ username }}/.config/containers/systemd/open-webui.container
+ - contents: |
+ [Unit]
+ Description=Open WebUI container managed by Podman
+
+ [Container]
+ Image=ghcr.io/open-webui/open-webui:ollama
+ PublishPort=3000:8080
+ Volume=ollama:/root/.ollama
+ Volume=open-webui:/app/backend/data
+
+ [Service]
+ Restart=always
+ TimeoutStartSec=1800
+
+ [Install]
+ WantedBy=default.target
+ - user: {{ username }}
+ - group: {{ username }}
+ - mode: 644
+ - require:
+ - file: openwebui--create-quadlet-dir
+
+openwebui--enable-linger:
+ cmd.run:
+ - name: loginctl enable-linger user
+ - unless: loginctl show-user user | grep Linger=yes
+
+openwebui--reload-user-daemon:
+ cmd.run:
+ - name: |
+ systemctl --user daemon-reload
+ - runas: {{ username }}
+ - env:
+ - XDG_RUNTIME_DIR: /run/user/1000
+ - DBUS_SESSION_BUS_ADDRESS: unix:path=/run/user/1000/bus
+ - require:
+ - cmd: openwebui--enable-linger
+
+{% endif %}
diff --git a/user_salt/openwebui/openwebui--create-qube.sls b/user_salt/openwebui/openwebui--create-qube.sls
new file mode 100644
index 0000000..3124097
--- /dev/null
+++ b/user_salt/openwebui/openwebui--create-qube.sls
@@ -0,0 +1,31 @@
+{% if grains['id'] == 'dom0' %}
+
+openwebui--create-qube:
+ qvm.vm:
+ - name: q-openwebui
+ - present:
+ - template: template-openwebui
+ - label: orange
+ - prefs:
+ - label: orange
+ - autostart: True
+ - audiovm:
+ - guivm: dom0
+ - netvm: sys-vpn-mullvad
+ - memory: 4000
+ - maxmem: 6000
+ - vcpus: 4
+ - features:
+ - set:
+ - menu-items: xterm.desktop org.mozilla.firefox.desktop
+ - service:
+ - enable:
+ - shutdown-idle
+ - require:
+ - qvm: openwebui--create-template
+
+openwebui--extend-private-storage:
+ cmd.run:
+ - name: qvm-volume extend q-openwebui:private 10737418240
+
+{% endif %}
diff --git a/user_salt/openwebui/openwebui--create-template.sls b/user_salt/openwebui/openwebui--create-template.sls
new file mode 100644
index 0000000..41d8deb
--- /dev/null
+++ b/user_salt/openwebui/openwebui--create-template.sls
@@ -0,0 +1,26 @@
+{% import "templates/versions.jinja" as version %}
+
+include:
+ - templates.templates--install-fedora-minimal
+
+{% if grains['id'] == 'dom0' %}
+
+openwebui-create-template:
+ qvm.clone:
+ - name: template-openwebui
+ - source: fedora-{{ version.fedora }}-minimal
+ - class: TemplateVM
+ - require:
+ - qvm: templates--install-fedora-{{ version.fedora }}-minimal
+
+openwebui--create-template-prefs:
+ qvm.prefs:
+ - name: template-openwebui
+ - label: orange
+ - netvm:
+ - audiovm:
+ - guivm:
+ - require:
+ - qvm: openwebui--create-template
+
+{% endif %}
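Review bot: `PublishPort=3000:8080` in the quadlet deployed by `openwebui--deploy-quadlet-file` binds the Open WebUI listener on every interface of the qube, while the qvm-firewall rules in the dom0 branch only govern outbound traffic; binding to loopback, `PublishPort=127.0.0.1:3000:8080`, keeps the UI reachable only from inside q-openwebui, where the menu-item Firefox runs. The outbound allow rules for ghcr.io, pkg-containers.githubusercontent.com and openrouter.ai carry `proto=tcp` with no port, so adding `dstports=443` to each would narrow them to HTTPS. `Image=ghcr.io/open-webui/open-webui:ollama` is a floating tag, so a digest pin such as `Image=ghcr.io/open-webui/open-webui@sha256:<DIGEST-PLACEHOLDER>` would make the pulled image reproducible and auditable. Separately, `userid` is looked up but `openwebui--reload-user-daemon` hard-codes `/run/user/1000`, `openwebui--enable-linger` hard-codes `user` instead of `{{ username }}`, and the unused `xdg_runtime_dir` is missing a slash (`'/run/user/' ~ userid`), so the Jinja variables and the literal paths should be reconciled.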
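Review bot: `openwebui--extend-private-storage` runs `qvm-volume extend q-openwebui:private 10737418240` on every highstate with no requisite on `openwebui--create-qube` and no `unless`, so it can be scheduled before the qube exists and is re-executed once the volume is already 10 GiB (whether a same-size extend is a no-op or an error depends on qvm-volume, which is not visible here). Adding `- require: - qvm: openwebui--create-qube` and a guard along the lines of `- unless: test "$(qvm-volume info q-openwebui:private size)" -ge 10737418240` makes the state ordered and idempotent.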
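Review bot: The clone state is declared as `openwebui-create-template:` (single dash), but `openwebui--create-template-prefs` in this hunk requires `- qvm: openwebui--create-template` with a double dash, and `openwebui--create-qube` in openwebui--create-qube.sls requires the same double-dash name, so Salt will report the requisite as not found and neither dependent state runs. Renaming the ID line to `openwebui--create-template:` satisfies both references and matches the naming scheme used by every other state in this patch. The require on `templates--install-fedora-{{ version.fedora }}-minimal` points at a state outside this patch, so I could not confirm that ID exists.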
diff --git a/user_salt/openwebui/openwebui--install-packages.sls b/user_salt/openwebui/openwebui--install-packages.sls
new file mode 100644
index 0000000..892d6bf
--- /dev/null
+++ b/user_salt/openwebui/openwebui--install-packages.sls
@@ -0,0 +1,11 @@
+{% if grains['id'] == 'template-openwebui' %}
+
+openwebui--install-packages:
+ pkg.installed:
+ - pkgs:
+ - qubes-core-agent-networking
+ - qubes-app-shutdown-idle
+ - podman
+ - firefox
+
+{% endif %}