From 74dbdf95d0f06df1292f989b6510121565762a90 Mon Sep 17 00:00:00 2001
From: Andreas Glashauser
Date: Sat, 29 Mar 2025 16:32:11 +0100
Subject: [PATCH] ADDED: state for setting up OpenWebUI in a Podman container with strict firewall rules

---
 user_salt/llm/init.sls                  |  5 ++
 user_salt/llm/llm--configure-qube.sls   | 75 +++++++++++++++++++++++++
 user_salt/llm/llm--create-qube.sls      | 30 ++++++++++
 user_salt/llm/llm--create-template.sls  | 26 +++++++++
 user_salt/llm/llm--install-packages.sls | 11 ++++
 user_salt/top.sls                       |  3 +
 6 files changed, 150 insertions(+)
 create mode 100644 user_salt/llm/init.sls
 create mode 100644 user_salt/llm/llm--configure-qube.sls
 create mode 100644 user_salt/llm/llm--create-qube.sls
 create mode 100644 user_salt/llm/llm--create-template.sls
 create mode 100644 user_salt/llm/llm--install-packages.sls

diff --git a/user_salt/llm/init.sls b/user_salt/llm/init.sls
new file mode 100644
index 0000000..61f42d6
--- /dev/null
+++ b/user_salt/llm/init.sls
@@ -0,0 +1,5 @@
+include:
+  - llm.llm--create-template
+  - llm.llm--install-packages
+  - llm.llm--create-qube
+  - llm.llm--configure-qube
diff --git a/user_salt/llm/llm--configure-qube.sls b/user_salt/llm/llm--configure-qube.sls
new file mode 100644
index 0000000..6bc2ad5
--- /dev/null
+++ b/user_salt/llm/llm--configure-qube.sls
@@ -0,0 +1,75 @@
+{% if grains['id'] == 'dom0' %}
+
+llm--configure-qube-firewall:
+  cmd.run:
+    - name: |
+        qvm-firewall q-llm reset
+        qvm-firewall q-llm del accept
+        qvm-firewall q-llm add accept specialtarget=dns
+        qvm-firewall q-llm add accept proto=icmp
+        qvm-firewall q-llm add accept ghcr.io proto=tcp
+        qvm-firewall q-llm add accept pkg-containers.githubusercontent.com proto=tcp
+        qvm-firewall q-llm add accept openrouter.ai proto=tcp
+        qvm-firewall q-llm add drop
+
+{% elif grains['id'] == 'q-llm' %}
+
+{% set username = 'user' %}
+{% set container_name = 'open-webui' %}
+{% set service_file_dir = '/home/' ~ username ~ '/.config/systemd/user/' %}
+{% set service_file = '/home/' ~ username ~ '/.config/systemd/user/container-' ~ container_name ~ '.service' %}
+{% set userid = salt['user.info'](username).uid %}
+{% set quadlet_file_dir = '/home/' ~ username ~ '/.config/containers/systemd/' %}
+{% set quadlet_file_path = quadlet_file_dir ~ container_name ~ '.container' %}
+
+{% set xdg_runtime_dir = '/run/user' + userid | string %}
+
+llm--create-quadlet-dir:
+  file.directory:
+    - name: /home/{{ username }}/.config/containers/systemd/
+    - user: {{ username }}
+    - group: {{ username }}
+    - makedirs: True
+
+llm--deploy-quadlet-file:
+  file.managed:
+    - name: /home/{{ username }}/.config/containers/systemd/open-webui.container
+    - contents: |
+        [Unit]
+        Description=Open WebUI container managed by Podman
+
+        [Container]
+        Image=ghcr.io/open-webui/open-webui:ollama
+        PublishPort=3000:8080
+        Volume=ollama:/root/.ollama
+        Volume=open-webui:/app/backend/data
+
+        [Service]
+        Restart=always
+        TimeoutStartSec=1800
+
+        [Install]
+        WantedBy=default.target
+    - user: {{ username }}
+    - group: {{ username }}
+    - mode: 644
+    - require:
+      - file: llm--create-quadlet-dir
+
+llm--enable-linger:
+  cmd.run:
+    - name: loginctl enable-linger user
+    - unless: loginctl show-user user | grep Linger=yes
+
+llm--reload-user-daemon:
+  cmd.run:
+    - name: |
+        systemctl --user daemon-reload
+    - runas: {{ username }}
+    - env:
+      - XDG_RUNTIME_DIR: /run/user/1000
+      - DBUS_SESSION_BUS_ADDRESS: unix:path=/run/user/1000/bus
+    - require:
+      - cmd: llm--enable-linger
+
+{% endif %}
diff --git a/user_salt/llm/llm--create-qube.sls b/user_salt/llm/llm--create-qube.sls
new file mode 100644
index 0000000..60006cf
--- /dev/null
+++ b/user_salt/llm/llm--create-qube.sls
@@ -0,0 +1,30 @@
+{% if grains['id'] == 'dom0' %}
+
+llm--create-qube:
+  qvm.vm:
+    - name: q-llm
+    - present:
+      - template: template-llm
+      - label: orange
+    - prefs:
+      - label: orange
+      - audiovm:
+      - guivm: dom0
+      - netvm: sys-vpn-mullvad
+      - memory: 4000
+      - maxmem: 8000
+      - vcpus: 4
+    - features:
+      - set:
+        - menu-items: xterm.desktop org.mozilla.firefox.desktop
+    - service:
+      - enable:
+        - shutdown-idle
+    - require:
+      - qvm: llm--create-template
+
+llm--extend-private-storage:
+  cmd.run:
+    - name: qvm-volume extend q-llm:private 10737418240
+
+{% endif %}
diff --git a/user_salt/llm/llm--create-template.sls b/user_salt/llm/llm--create-template.sls
new file mode 100644
index 0000000..bf827af
--- /dev/null
+++ b/user_salt/llm/llm--create-template.sls
@@ -0,0 +1,26 @@
+{% import "templates/versions.jinja" as version %}
+
+include:
+  - templates.templates--install-fedora-minimal
+
+{% if grains['id'] == 'dom0' %}
+
+llm--create-template:
+  qvm.clone:
+    - name: template-llm
+    - source: fedora-{{ version.fedora }}-minimal
+    - class: TemplateVM
+    - require:
+      - qvm: templates--install-fedora-{{ version.fedora }}-minimal
+
+llm--create-template-prefs:
+  qvm.prefs:
+    - name: template-llm
+    - label: orange
+    - netvm:
+    - audiovm:
+    - guivm:
+    - require:
+      - qvm: llm--create-template
+
+{% endif %}
diff --git a/user_salt/llm/llm--install-packages.sls b/user_salt/llm/llm--install-packages.sls
new file mode 100644
index 0000000..5d33fc8
--- /dev/null
+++ b/user_salt/llm/llm--install-packages.sls
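Review bot: `PublishPort=3000:8080` in the quadlet under `llm--deploy-quadlet-file` publishes the Open WebUI listener on every interface of q-llm, although the only intended client is the Firefox instance inside the same qube; `PublishPort=127.0.0.1:3000:8080` keeps it loopback-only, which is the least-privilege form even with the qube sitting behind sys-vpn-mullvad. The image reference `Image=ghcr.io/open-webui/open-webui:ollama` is a mutable tag, so each pull may fetch different content; pinning by digest (`Image=ghcr.io/open-webui/open-webui@sha256:<digest-placeholder>`) makes the deployment reproducible and auditable. Separately, `{% set xdg_runtime_dir = '/run/user' + userid | string %}` evaluates to `/run/user1000` (the filter binds before `+`, and the slash is missing) and the variable is never read, as are `service_file_dir`, `service_file`, `quadlet_file_dir` and `quadlet_file_path`; the `env:` entries and `llm--enable-linger` instead hardcode `/run/user/1000` and `user`, so the state silently targets the wrong runtime directory for any other uid or username. Deriving those values from `userid` and `username` (e.g. `XDG_RUNTIME_DIR: /run/user/{{ userid }}` and `loginctl enable-linger {{ username }}`) and dropping the unused sets would fix both.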
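Review bot: `llm--extend-private-storage` is an unconditional `cmd.run`, so `qvm-volume extend q-llm:private 10737418240` is executed on every highstate, and it carries no `require` on `llm--create-qube`, so nothing guarantees the qube exists when it runs. Adding `- require:` / `  - qvm: llm--create-qube` fixes the ordering, and an `unless` guard that compares the current private-volume size against 10737418240 (for example via `qvm-volume info q-llm:private size`) makes the state idempotent; whether a repeated extend to the same size is a no-op or an error presumably depends on the Qubes version, so the guard is worth having either way.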
@@ -0,0 +1,11 @@
+{% if grains['id'] == 'template-llm' %}
+
+llm--install-packages:
+  pkg.installed:
+    - pkgs:
+      - qubes-core-agent-networking
+      - qubes-app-shutdown-idle
+      - podman
+      - firefox
+
+{% endif %}
diff --git a/user_salt/top.sls b/user_salt/top.sls
index 8bbe26c..4b85dc9 100644
--- a/user_salt/top.sls
+++ b/user_salt/top.sls
@@ -131,3 +131,6 @@ user:
   dom0 or sys-whonix:
     - sys-whonix
     - common.kernel.kernel--disable-sound
+
+  dom0 or template-llm or q-llm:
+    - llm
-- 
2.39.5