feat(access): a llama

2026-02-09 04:19:19 -08:00 · 2024-09-12 15:25:05 -07:00 · 2024-09-12 15:25:05 -07:00 · 7bf1ce71de
commit 7bf1ce71de
parent e3b6048e32
14 changed files with 323 additions and 6 deletions
--- a/nixos/access/nextjs-ollama.nix
+++ b/nixos/access/nextjs-ollama.nix
@ -0,0 +1,103 @@
+{
+  config,
+  gensokyo-zone,
+  lib,
+  ...
+}: let
+  inherit (gensokyo-zone.lib) bindToAddress;
+  inherit (lib.modules) mkIf mkBefore mkDefault;
+  inherit (lib.strings) escapeRegex;
+  inherit (config.services) tailscale;
+  cfg = config.services.nextjs-ollama-llm-ui;
+  upstreamName = "ollama'nextjs";
+in {
+  services.nextjs-ollama-llm-ui = {
+    #ollamaUrl = mkDefault "https://${virtualHost.serverName}/ollama";
+  };
+  services.nginx = {
+    upstreams'.${upstreamName}.servers = {
+      local = {
+        enable = mkDefault cfg.enable;
+        addr = mkDefault (bindToAddress {} cfg.hostname);
+        port = mkIf cfg.enable (mkDefault cfg.port);
+      };
+    };
+    virtualHosts = let
+      name.shortServer = "lm";
+      copyFromVhost = mkDefault "llama";
+      vouch = {
+        enable = true;
+        requireAuth = false;
+      };
+      subFilterLocation = { virtualHost, ... }: mkIf (virtualHost.locations ? "/ollama/") {
+        proxy.headers.set.Accept-Encoding = "";
+        extraConfig = ''
+          sub_filter_once off;
+          sub_filter_types application/javascript;
+          sub_filter '${cfg.ollamaUrl}' '/ollama';
+        '';
+      };
+      proxyLocation = {
+        imports = [ subFilterLocation ];
+        proxy = {
+          enable = true;
+          upstream = mkDefault upstreamName;
+        };
+      };
+      locations = {
+        "~ ^/llama$" = {
+          return = mkDefault "302 /llama/";
+        };
+        "/llama/" = {virtualHost, ...}: {
+          imports = [ proxyLocation ];
+          vouch.requireAuth = mkIf virtualHost.vouch.enable true;
+          proxy.path = "/";
+        };
+        "/_next/" = {virtualHost, ...}: {
+          imports = [ proxyLocation ];
+          vouch.requireAuth = mkIf virtualHost.vouch.enable true;
+        };
+        "/_next/static/" = _: {
+          imports = [ proxyLocation ];
+        };
+        "~ '^/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'" = {
+          return = mkDefault "302 /llama$request_uri";
+        };
+        "/" = {virtualHost, ...}: {
+          extraConfig = mkBefore ''
+            if ($http_referer ~ '^https?://${escapeRegex virtualHost.serverName}/llama/') {
+              return 302 /llama$request_uri;
+            }
+          '';
+          return = mkDefault "404";
+        };
+      };
+    in {
+      llama = {
+        inherit name locations vouch;
+        ssl.force = true;
+      };
+      llama'local = {
+        inherit locations;
+        name = {
+          inherit (name) shortServer;
+          includeTailscale = false;
+        };
+        ssl.cert = {
+          inherit copyFromVhost;
+        };
+        local.enable = mkDefault true;
+      };
+      llama'tail = {
+        inherit locations;
+        enable = mkDefault tailscale.enable;
+        name = {
+          inherit (name) shortServer;
+          qualifier = mkDefault "tail";
+        };
+        ssl.cert.copyFromVhost = "llama'local";
+        local.enable = mkDefault true;
+      };
+    };
+  };
+}
--- a/nixos/access/ollama.nix
+++ b/nixos/access/ollama.nix
@ -0,0 +1,81 @@
+{
+  config,
+  gensokyo-zone,
+  lib,
+  ...
+}: let
+  inherit (gensokyo-zone.lib) bindToAddress;
+  inherit (lib.modules) mkIf mkDefault;
+  inherit (config.services) tailscale;
+  cfg = config.services.ollama;
+  requestTimeout = "${toString (60 * 60)}s";
+  upstreamName = "ollama'access";
+in {
+  services.nginx = {
+    upstreams'.${upstreamName}.servers = {
+      local = {
+        enable = mkDefault cfg.enable;
+        addr = mkDefault (bindToAddress {} cfg.host);
+        port = mkIf cfg.enable (mkDefault cfg.port);
+      };
+      service = {upstream, ...}: {
+        enable = mkIf upstream.servers.local.enable (mkDefault false);
+        accessService.name = "ollama";
+        #settings.fail_timeout = mkDefault requestTimeout;
+      };
+    };
+    virtualHosts = let
+      name.shortServer = "lm";
+      copyFromVhost = mkDefault "llama";
+      locations = {
+        "/ollama/" = {virtualHost, ...}: {
+          vouch.requireAuth = mkIf virtualHost.vouch.enable (mkDefault true);
+          proxy = {
+            enable = true;
+            upstream = upstreamName;
+            path = "/";
+          };
+          extraConfig = ''
+            proxy_buffering off;
+            proxy_read_timeout ${requestTimeout};
+          '';
+          headers.set.Access-Control-Allow-Origin = "https://${virtualHost.serverName}/llama/";
+        };
+        "/".return = mkDefault "404";
+      };
+      vouch = {
+        enable = true;
+        requireAuth = false;
+      };
+    in {
+      llama = {
+        inherit name locations vouch;
+        ssl.force = true;
+      };
+      llama'local = {
+        inherit locations vouch;
+        name = {
+          inherit (name) shortServer;
+          includeTailscale = false;
+        };
+        ssl = {
+          force = true;
+          cert = {
+            inherit copyFromVhost;
+          };
+        };
+        local.enable = mkDefault true;
+      };
+      llama'tail = {
+        inherit locations;
+        enable = mkDefault tailscale.enable;
+        name = {
+          inherit (name) shortServer;
+          qualifier = mkDefault "tail";
+        };
+        ssl.cert.copyFromVhost = "llama'local";
+        local.enable = mkDefault true;
+      };
+    };
+  };
+}