authorPol Dellaiera <pol.dellaiera@protonmail.com>2024-05-03 19:53:38 +0200
committerGitHub <noreply@github.com>2024-05-03 19:53:38 +0200
commit9afbfec80eb49ae9997b79cbc5250bf070146719 (patch)
tree84bc905b6b768b14694dca25c78cc3a5a5f4d70b
parent5d01eb5c0e93b223455610173edbed8496cbf5cd (diff)
parent968f4a58315e042fdad9830d985202d81f104fae (diff)
Merge pull request #308859 from NixOS/backport-305076-to-release-23.11
[Backport release-23.11] nixos/ollama: add options to bypass sandboxing
-rw-r--r--nixos/modules/services/misc/ollama.nix38
1 files changed, 36 insertions, 2 deletions
diff --git a/nixos/modules/services/misc/ollama.nix b/nixos/modules/services/misc/ollama.nix
index 17f5d92c1c86..a8f86606a624 100644
--- a/nixos/modules/services/misc/ollama.nix
+++ b/nixos/modules/services/misc/ollama.nix
@@ -21,6 +21,8 @@ in
         example = "/home/foo";
         description = ''
           The home directory that the ollama service is started in.
+
+          See also `services.ollama.writablePaths` and `services.ollama.sandbox`.
         '';
       };
       models = lib.mkOption {
@@ -29,6 +31,37 @@ in
         example = "/path/to/ollama/models";
         description = ''
           The directory that the ollama service will read models from and download new models to.
+
+          See also `services.ollama.writablePaths` and `services.ollama.sandbox`
+          if downloading models or other mutation of the filesystem is required.
+        '';
+      };
+      sandbox = lib.mkOption {
+        type = types.bool;
+        default = true;
+        example = false;
+        description = ''
+          Whether to enable systemd's sandboxing capabilities.
+
+          This sets [`DynamicUser`](
+          https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#DynamicUser=
+          ), which runs the server as a unique user with read-only access to most of the filesystem.
+
+          See also `services.ollama.writablePaths`.
+        '';
+      };
+      writablePaths = lib.mkOption {
+        type = types.listOf types.str;
+        default = [ ];
+        example = [ "/home/foo" "/mnt/foo" ];
+        description = ''
+          Paths that the server should have write access to.
+
+          This sets [`ReadWritePaths`](
+          https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#ReadWritePaths=
+          ), which allows specified paths to be written to through the default sandboxing.
+
+          See also `services.ollama.sandbox`.
         '';
       };
       listenAddress = lib.mkOption {
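Review bot: The `writablePaths` description says the paths are opened "through the default sandboxing", but the option is applied unconditionally in the serviceConfig hunk below (`ReadWritePaths = cfg.writablePaths`), and with `sandbox = false` there is no read-only filesystem view for it to relax, so the setting then has no practical effect; the description should state this, e.g. `This option only has an effect while services.ollama.sandbox is enabled.` The `sandbox` description should likewise spell out what disabling it implies: `DynamicUser` also brings the read-only/private-tmp protections it implies, and once it is false the unit no longer runs as a transient dedicated user, so unless a `User` is set elsewhere in the serviceConfig (not visible in this diff) the server runs as root with write access to the whole filesystem, which is a much larger change than the option name suggests. Adding a `warnings` entry when `!cfg.sandbox` would surface that trade-off at evaluation time. Since the values feed `ReadWritePaths`, `types.listOf types.path` would also reject relative strings earlier than systemd does.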
@@ -54,8 +87,8 @@ in
         type = types.attrsOf types.str;
         default = { };
         example = {
-          HOME = "/tmp";
           OLLAMA_LLM_LIBRARY = "cpu";
+          HIP_VISIBLE_DEVICES = "0,1";
         };
         description = ''
           Set arbitrary environment variables for the ollama service.
@@ -82,7 +115,8 @@ in
         ExecStart = "${lib.getExe ollamaPackage} serve";
         WorkingDirectory = cfg.home;
         StateDirectory = [ "ollama" ];
-        DynamicUser = true;
+        DynamicUser = cfg.sandbox;
+        ReadWritePaths = cfg.writablePaths;
       };
     };