From f66cb82fef9d3f02cb1f72744e9493116aa41408 Mon Sep 17 00:00:00 2001
From: shivaraj-bh <sbh69840@gmail.com>
Date: Tue, 4 Jun 2024 16:07:06 +0530
Subject: [PATCH] nixos/open-webui: init

---
 nixos/modules/module-list.nix              |  1 +
 nixos/modules/services/misc/open-webui.nix | 94 ++++++++++++++++++++++
 nixos/tests/all-tests.nix                  |  1 +
 nixos/tests/open-webui.nix                 | 33 ++++++++
 4 files changed, 129 insertions(+)
 create mode 100644 nixos/modules/services/misc/open-webui.nix
 create mode 100644 nixos/tests/open-webui.nix

diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 76fa899ef7cef..8bee5f3cb042d 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -767,6 +767,7 @@
   ./services/misc/octoprint.nix
   ./services/misc/ollama.nix
   ./services/misc/ombi.nix
+  ./services/misc/open-webui.nix
   ./services/misc/osrm.nix
   ./services/misc/owncast.nix
   ./services/misc/packagekit.nix
diff --git a/nixos/modules/services/misc/open-webui.nix b/nixos/modules/services/misc/open-webui.nix
new file mode 100644
index 0000000000000..de61ff80e9228
--- /dev/null
+++ b/nixos/modules/services/misc/open-webui.nix
@@ -0,0 +1,94 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  inherit (lib) types;
+
+  cfg = config.services.open-webui;
+in
+{
+  options = {
+    services.open-webui = {
+      enable = lib.mkEnableOption "Enable open-webui, an interactive chat web app";
+      package = lib.mkPackageOption pkgs "open-webui" { };
+
+      stateDir = lib.mkOption {
+        type = types.path;
+        default = "/var/lib/open-webui";
+        description = "State directory of open-webui.";
+      };
+
+      host = lib.mkOption {
+        type = types.str;
+        default = "localhost";
+        description = "Host of open-webui";
+      };
+
+      port = lib.mkOption {
+        type = types.port;
+        default = 8080;
+        description = "Port of open-webui";
+      };
+
+      environment = lib.mkOption {
+        type = types.attrsOf types.str;
+        default = { };
+        example = ''
+          {
+            OLLAMA_API_BASE_URL = "http://localhost:11434";
+            # Disable authentication
+            WEBUI_AUTH = "False";
+          }
+        '';
+        description = "Extra environment variables for open-webui";
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.open-webui = {
+      description = "User-friendly WebUI for LLMs (Formerly Ollama WebUI)";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+
+      preStart = ''
+        mkdir -p ${cfg.stateDir}/static
+      '';
+
+      environment = {
+        STATIC_DIR = "${cfg.stateDir}/static";
+        DATA_DIR = "${cfg.stateDir}";
+      } // cfg.environment;
+
+      serviceConfig = {
+        ExecStart = "${lib.getExe cfg.package} serve --host ${cfg.host} --port ${toString cfg.port}";
+        WorkingDirectory = cfg.stateDir;
+        StateDirectory = "open-webui";
+        RuntimeDirectory = "open-webui";
+        RuntimeDirectoryMode = "0755";
+        PrivateTmp = true;
+        DynamicUser = true;
+        DevicePolicy = "closed";
+        LockPersonality = true;
+        MemoryDenyWriteExecute = false; # onnxruntime/capi/onnxruntime_pybind11_state.so: cannot enable executable stack as shared object requires: Permission Denied
+        PrivateUsers = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectControlGroups = true;
+        ProcSubset = "all"; # Error in cpuinfo: failed to parse processor information from /proc/cpuinfo
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        SystemCallArchitectures = "native";
+        UMask = "0077";
+      };
+    };
+  };
+
+  meta.maintainers = with lib.maintainers; [ shivaraj-bh ];
+}
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 035c288c22e5c..e2f13a474ce68 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -691,6 +691,7 @@ in {
   outline = handleTest ./outline.nix {};
   image-contents = handleTest ./image-contents.nix {};
   openvscode-server = handleTest ./openvscode-server.nix {};
+  open-webui = runTest ./open-webui.nix;
   orangefs = handleTest ./orangefs.nix {};
   os-prober = handleTestOn ["x86_64-linux"] ./os-prober.nix {};
   osquery = handleTestOn ["x86_64-linux"] ./osquery.nix {};
diff --git a/nixos/tests/open-webui.nix b/nixos/tests/open-webui.nix
new file mode 100644
index 0000000000000..f10ef1ad98fb0
--- /dev/null
+++ b/nixos/tests/open-webui.nix
@@ -0,0 +1,33 @@
+{ lib, ... }:
+let
+  mainPort = "8080";
+in
+{
+  name = "open-webui";
+  meta = with lib.maintainers; {
+    maintainers = [ shivaraj-bh ];
+  };
+
+  nodes = {
+    machine =
+      { ... }:
+      {
+        services.open-webui = {
+          enable = true;
+          environment = {
+            # Requires network connection
+            RAG_EMBEDDING_MODEL = "";
+          };
+        };
+      };
+  };
+
+  testScript = ''
+    machine.start()
+
+    machine.wait_for_unit("open-webui.service")
+    machine.wait_for_open_port(${mainPort})
+
+    machine.succeed("curl http://127.0.0.1:${mainPort}")
+  '';
+}