about summary refs log tree commit diff
path: root/nixos/modules/services/misc/ollama.nix
diff options
context:
space:
mode:
Diffstat (limited to 'nixos/modules/services/misc/ollama.nix')
-rw-r--r--nixos/modules/services/misc/ollama.nix51
1 files changed, 45 insertions, 6 deletions
diff --git a/nixos/modules/services/misc/ollama.nix b/nixos/modules/services/misc/ollama.nix
index 30c2b26d8322e..c0341984aa351 100644
--- a/nixos/modules/services/misc/ollama.nix
+++ b/nixos/modules/services/misc/ollama.nix
@@ -21,6 +21,8 @@ in
         example = "/home/foo";
         description = ''
           The home directory that the ollama service is started in.
+
+          See also `services.ollama.writablePaths` and `services.ollama.sandbox`.
         '';
       };
       models = lib.mkOption {
@@ -29,6 +31,37 @@ in
         example = "/path/to/ollama/models";
         description = ''
           The directory that the ollama service will read models from and download new models to.
+
+          See also `services.ollama.writablePaths` and `services.ollama.sandbox`
+          if downloading models or other mutation of the filesystem is required.
+        '';
+      };
+      sandbox = lib.mkOption {
+        type = types.bool;
+        default = true;
+        example = false;
+        description = ''
+          Whether to enable systemd's sandboxing capabilities.
+
+          This sets [`DynamicUser`](
+          https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#DynamicUser=
+          ), which runs the server as a unique user with read-only access to most of the filesystem.
+
+          See also `services.ollama.writablePaths`.
+        '';
+      };
+      writablePaths = lib.mkOption {
+        type = types.listOf types.str;
+        default = [ ];
+        example = [ "/home/foo" "/mnt/foo" ];
+        description = ''
+          Paths that the server should have write access to.
+
+          This sets [`ReadWritePaths`](
+          https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#ReadWritePaths=
+          ), which allows specified paths to be written to through the default sandboxing.
+
+          See also `services.ollama.sandbox`.
         '';
       };
       listenAddress = lib.mkOption {
@@ -40,22 +73,27 @@ in
         '';
       };
       acceleration = lib.mkOption {
-        type = types.nullOr (types.enum [ "rocm" "cuda" ]);
+        type = types.nullOr (types.enum [ false "rocm" "cuda" ]);
         default = null;
         example = "rocm";
         description = ''
           What interface to use for hardware acceleration.
 
-          - `rocm`: supported by modern AMD GPUs
-          - `cuda`: supported by modern NVIDIA GPUs
+          - `null`: default behavior
+            if `nixpkgs.config.rocmSupport` is enabled, uses `"rocm"`
+            if `nixpkgs.config.cudaSupport` is enabled, uses `"cuda"`
+            otherwise defaults to `false`
+          - `false`: disable GPU, only use CPU
+          - `"rocm"`: supported by most modern AMD GPUs
+          - `"cuda"`: supported by most modern NVIDIA GPUs
         '';
       };
       environmentVariables = lib.mkOption {
         type = types.attrsOf types.str;
         default = { };
         example = {
-          HOME = "/tmp";
           OLLAMA_LLM_LIBRARY = "cpu";
+          HIP_VISIBLE_DEVICES = "0,1";
         };
         description = ''
           Set arbitrary environment variables for the ollama service.
@@ -80,9 +118,10 @@ in
       };
       serviceConfig = {
         ExecStart = "${lib.getExe ollamaPackage} serve";
-        WorkingDirectory = "%S/ollama";
+        WorkingDirectory = cfg.home;
         StateDirectory = [ "ollama" ];
-        DynamicUser = true;
+        DynamicUser = cfg.sandbox;
+        ReadWritePaths = cfg.writablePaths;
       };
     };
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-09-27 19:52:59 +0000