Commit 8eaa249318bf
Changed files (3)
systems/aomi/extra.nix
@@ -71,7 +71,7 @@
"deepseek-r1:7b" # Lightweight reasoning: MIT license (~4.5GB, 8-12 tok/s)
# Multimodal
- "qwen2.5-vl:7b" # Best vision: beats Llama 3.2 11B, Apache 2.0 (~6GB, 5-8 tok/s)
+ "qwen2.5vl:7b" # Best vision: beats Llama 3.2 11B, Apache 2.0 (~6GB, 5-8 tok/s)
# Quick Tasks
"phi3.5:3.8b" # Ultra-fast all-rounder: MIT license (~2.4GB, 15-25 tok/s)
@@ -127,7 +127,11 @@
# };
};
- # Ollama Prometheus Exporter (Docker-based)
+ # Ollama Prometheus Exporter (Docker-based, built locally)
+ systemd.tmpfiles.rules = [
+ "d /var/lib/ollama-exporter 0755 root root -"
+ ];
+
systemd.services.ollama-exporter = {
description = "Ollama Prometheus Exporter";
after = [
@@ -146,8 +150,11 @@
# Stop and remove existing container
"-${pkgs.docker}/bin/docker stop ollama-exporter"
"-${pkgs.docker}/bin/docker rm ollama-exporter"
- # Pull latest image
- "${pkgs.docker}/bin/docker pull ghcr.io/frcooper/ollama-exporter:latest"
+ # Copy source files to build directory (for future manual rebuilds if needed)
+ "${pkgs.coreutils}/bin/cp ${../../tools/ollama-exporter/Dockerfile} /var/lib/ollama-exporter/Dockerfile"
+ "${pkgs.coreutils}/bin/cp ${../../tools/ollama-exporter/ollama_exporter.py} /var/lib/ollama-exporter/ollama_exporter.py"
+ # Build image locally only if it doesn't exist (to avoid DNS timeout issues)
+ "-${pkgs.bash}/bin/bash -c '${pkgs.docker}/bin/docker image inspect ollama-exporter:local >/dev/null 2>&1 || ${pkgs.docker}/bin/docker build -t ollama-exporter:local /var/lib/ollama-exporter'"
];
ExecStart = ''
@@ -155,7 +162,7 @@
-p 8000:8000 \
-e OLLAMA_HOST=http://localhost:11434 \
--network host \
- ghcr.io/frcooper/ollama-exporter:latest
+ ollama-exporter:local
'';
ExecStop = "${pkgs.docker}/bin/docker stop ollama-exporter";
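Review bot: The `docker build` in ExecStartPre runs only when `ollama-exporter:local` is absent, so after the first boot any change to `tools/ollama-exporter/ollama_exporter.py` or the Dockerfile is copied into /var/lib/ollama-exporter but never rebuilt into the image ExecStart runs — the host keeps serving the stale exporter until someone deletes the image by hand. Deriving the tag from the sources' content (a Nix store path already carries that hash) keeps the "skip if present" behaviour while making edits take effect on the next switch; the sketch below assumes the module has a `let … in` wrapper to hold the binding, which is not visible in this hunk. Separately, `-p 8000:8000` is ignored under `--network host`, so drop it and let the firewall rule be the single statement of exposure. Whether the Dockerfile pins its base image by digest cannot be seen here; if it does not, the "local" build still depends on whatever the registry serves at build time.

```nix
# in the module's let-block:
exporterSrc = pkgs.runCommand "ollama-exporter-src" { } ''
  mkdir -p $out
  cp ${../../tools/ollama-exporter/Dockerfile} $out/Dockerfile
  cp ${../../tools/ollama-exporter/ollama_exporter.py} $out/ollama_exporter.py
'';
# the store-path hash changes whenever either source file changes
exporterImage = "ollama-exporter:${builtins.substring 0 12 (baseNameOf (toString exporterSrc))}";

# … unchanged: ExecStartPre stop/rm lines …
"-${pkgs.bash}/bin/bash -c '${pkgs.docker}/bin/docker image inspect ${exporterImage} >/dev/null 2>&1 || ${pkgs.docker}/bin/docker build -t ${exporterImage} ${exporterSrc}'"
# … unchanged: ExecStart docker run flags (without -p 8000:8000) …
${exporterImage}
```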
systems/aomi/openshift-port-forward.nix
@@ -79,6 +79,9 @@
# Allow Ollama API
tcp dport 11434 accept
+ # Allow Ollama Prometheus exporter
+ tcp dport 8000 accept
+
# Allow libvirt
tcp dport 16509 accept
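Review bot: The new `tcp dport 8000 accept` carries no source restriction, so the exporter's metrics endpoint is reachable from every peer this chain admits, not only the Prometheus scraper, and metrics typically reveal loaded model names, request rates and host details. If the scraper's address is fixed, narrow the rule to it, e.g. `ip saddr <prometheus-host> tcp dport 8000 accept`, and add a comment naming the intended consumer. The chain's scope (which interface or network it filters) begins outside this hunk, so whether the neighbouring 11434 rule has the same breadth cannot be judged here.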
systems/kerkouane/extra.nix
@@ -42,11 +42,21 @@ in
# TODO make it an option ? (otherwise I'll add it for all)
users.users.vincent.linger = true;
+ # Allow Caddy to access git repositories in vincent's home
+ users.users.caddy.extraGroups = [ "users" ];
+
# Install gitmal for self-hosted git web view
environment.systemPackages = with pkgs; [
gitmal
];
+ # Setup permissions for git directories (via systemd tmpfiles)
+ systemd.tmpfiles.rules = [
+ "d /home/vincent 0711 vincent users -" # Allow traversal to git directory
+ "d /home/vincent/git 0700 vincent users -" # Private git directory
+ "d /home/vincent/git/public 0755 vincent users -" # Public repositories only
+ ];
+
# Disable TPM2 (VPS has no TPM hardware)
security.tpm2.enable = lib.mkForce false;
@@ -103,6 +113,12 @@ in
iptables -A nixos-fw -p tcp -s 10.100.0.0/16 --dport 9000 -j nixos-fw-accept
'';
};
+ # Allow Caddy to access public git repositories only (override ProtectHome)
+ systemd.services.caddy.serviceConfig = {
+ ProtectHome = lib.mkForce "tmpfs"; # Allow read access to /home with bind mounts
+ BindReadOnlyPaths = [ "/home/vincent/git/public" ];
+ };
+
services.caddy = {
enable = true;
email = "vincent@sbr.pm";
@@ -418,6 +434,26 @@ in
${securityHeaders}
'';
+
+ # Self-hosted git repositories (public only)
+ "git.sbr.pm".extraConfig = ''
+ root * /home/vincent/git/public
+
+ # Serve .html.gz files when .html is requested
+ @htmlgz {
+ path *.html
+ file {path}.gz
+ }
+ rewrite @htmlgz {path}.gz
+ header @htmlgz Content-Type "text/html; charset=utf-8"
+ header @htmlgz Content-Encoding gzip
+
+ file_server browse {
+ hide .fancyindex README.md HEADER.md
+ }
+
+ ${securityHeaders}
+ '';
};
};
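Review bot: Adding `caddy` to the `users` group and loosening `/home/vincent` to `0711` are both unnecessary for the stated goal and widen what the service can read: the `BindReadOnlyPaths = [ "/home/vincent/git/public" ]` mount is set up by systemd with root privileges before Caddy runs, so Caddy never traverses `/home/vincent` or the `0700` `git` directory itself, while `users` membership grants it read access to every group-readable file of every account in that group. Drop the `users.users.caddy.extraGroups = [ "users" ];` line and keep the home directory private (`"d /home/vincent 0700 vincent users -"`, or no rule at all); note that a tmpfiles `d` entry re-applies mode and ownership to an existing directory on every boot, so the `0711` line actively relaxes a home that was private before this commit. Separately, `file_server browse` under `root * /home/vincent/git/public` exposes everything in that tree, and `hide` covers only the three names listed — if the directory ever holds working trees rather than generated pages, `.git/config` and hooks become browsable, so a comment on the `root` line such as `# everything under this root is publicly browsable; keep only generated public pages here` would state the invariant the bind mount relies on.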