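# NixOS module for the Open-WebUI server: declares `services.open-webui.*`
# options and wires them into a sandboxed systemd unit running as a dynamic user.
{
  config,
  lib,
  pkgs,
  ...
}:
let
  inherit (lib) types;

  cfg = config.services.open-webui;
in
{
  options = {
    services.open-webui = {
      enable = lib.mkEnableOption "Open-WebUI server";
      package = lib.mkPackageOption pkgs "open-webui" { };

      stateDir = lib.mkOption {
        type = types.path;
        default = "/var/lib/open-webui";
        # The former example "/home/foo" cannot work: ProtectHome below hides
        # /home from the service.
        example = "/srv/open-webui";
        description = ''
          State directory of Open-WebUI.
          Only the default path is created and owned by systemd for the service's
          dynamic user; any other path must already exist, be writable by the
          service, and must not live under `/home`, which is inaccessible to it.
        '';
      };

      host = lib.mkOption {
        type = types.str;
        default = "127.0.0.1";
        example = "0.0.0.0";
        description = ''
          The host address which the Open-WebUI server HTTP interface listens to.
        '';
      };

      port = lib.mkOption {
        type = types.port;
        default = 8080;
        example = 11111;
        description = ''
          Which port the Open-WebUI server listens to.
        '';
      };

      environment = lib.mkOption {
        type = types.attrsOf types.str;
        # Telemetry is opted out by default; the user's attrset overrides these.
        default = {
          SCARF_NO_ANALYTICS = "True";
          DO_NOT_TRACK = "True";
          ANONYMIZED_TELEMETRY = "False";
        };
        example = ''
          {
            OLLAMA_API_BASE_URL = "http://127.0.0.1:11434";
            # Disable authentication
            WEBUI_AUTH = "False";
          }
        '';
        description = ''
          Extra environment variables for Open-WebUI.
          For more details see <https://docs.openwebui.com/getting-started/advanced-topics/env-configuration/>
        '';
      };

      environmentFile = lib.mkOption {
        # Same `types` alias as the other options (was `lib.types.…`).
        type = types.nullOr types.path;
        default = null;
        example = "/var/lib/secrets/openWebuiSecrets";
        description = ''
          Environment file to be passed to the systemd service.
          Useful for passing secrets to the service to prevent them from being
          world-readable in the Nix store.
          Give the location as a string, not as a Nix path literal: a path
          literal is copied into the Nix store, which defeats the purpose.
        '';
      };

      openFirewall = lib.mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to open the firewall for Open-WebUI.
          This adds `services.open-webui.port` to `networking.firewall.allowedTCPPorts`.
        '';
      };
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.open-webui = {
      description = "User-friendly WebUI for LLMs";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      # Relative paths resolve against WorkingDirectory (= cfg.stateDir).
      # cfg.environment is the right-hand operand of `//`, so user-supplied
      # variables win over these defaults.
      environment = {
        STATIC_DIR = ".";
        DATA_DIR = ".";
        HF_HOME = ".";
        SENTENCE_TRANSFORMERS_HOME = ".";
        # Always loopback regardless of cfg.host; override via cfg.environment
        # when the instance is reached under another name.
        WEBUI_URL = "http://localhost:${toString cfg.port}";
      } // cfg.environment;

      serviceConfig = {
        # escapeShellArg keeps a host value containing quotes or spaces as a
        # single argument; systemd's ExecStart parser honours single quotes.
        ExecStart = "${lib.getExe cfg.package} serve --host ${lib.escapeShellArg cfg.host} --port ${toString cfg.port}";
        # lib.optional yields [] when no file is set, i.e. no EnvironmentFile= line.
        EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile;
        WorkingDirectory = cfg.stateDir;
        # Creates /var/lib/open-webui for the dynamic user; a non-default
        # cfg.stateDir is not covered by this.
        # NOTE(review): DynamicUser implies ProtectSystem=strict, so a
        # non-default stateDir is presumably read-only unless listed in
        # ReadWritePaths — confirm before relying on a custom path.
        StateDirectory = "open-webui";
        RuntimeDirectory = "open-webui";
        RuntimeDirectoryMode = "0755";
        PrivateTmp = true;
        DynamicUser = true;
        DevicePolicy = "closed";
        LockPersonality = true;
        # Deliberate relaxation of the sandbox; see the loader error below.
        MemoryDenyWriteExecute = false; # onnxruntime/capi/onnxruntime_pybind11_state.so: cannot enable executable stack as shared object requires: Permission Denied
        PrivateUsers = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectControlGroups = true;
        ProcSubset = "all"; # Error in cpuinfo: failed to parse processor information from /proc/cpuinfo
        RestrictNamespaces = true;
        RestrictRealtime = true;
        SystemCallArchitectures = "native";
        # Files created by the service are private to its user.
        UMask = "0077";
        CapabilityBoundingSet = "";
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
          "AF_UNIX"
        ];
        ProtectClock = true;
        ProtectProc = "invisible";
        # Allow the generic service syscall set, minus privileged operations.
        SystemCallFilter = [
          "@system-service"
          "~@privileged"
        ];
      };
    };

    networking.firewall = lib.mkIf cfg.openFirewall { allowedTCPPorts = [ cfg.port ]; };
  };

  meta.maintainers = with lib.maintainers; [ shivaraj-bh ];
}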