Compare commits
43 Commits
ai-worker-
...
feat/hyper
| Author | SHA1 | Date | |
|---|---|---|---|
| 09c8211e58 | |||
| 36359de6aa | |||
|
10b8565fd6 | ||
|
|
f672696b8e | ||
| 0980dca455 | |||
| 96bc20ab70 | |||
| 670ae4f002 | |||
| f785abfd49 | |||
| 6f44aa7f76 | |||
| 8d40f1691f | |||
|
|
2dd2e64986 | ||
|
|
23fc5e0597 | ||
| 0c9c33d735 | |||
| 0bb6890f1c | |||
| 9d5434425f | |||
| 1fb4320dd1 | |||
| 51e9f47fd4 | |||
| 06b3eb840f | |||
| 28ab52209c | |||
|
|
e6f7f0c263 | ||
|
|
5c136e0765 | ||
|
|
f722af7803 | ||
|
|
c07debf088 | ||
| 6806898f04 | |||
| 96e77c5ef2 | |||
| ff7303cf6a | |||
| 9e42f5d2cc | |||
| 614883f3c3 | |||
| 374d022593 | |||
| 9679846cdb | |||
| 4056f91ec6 | |||
| 1ba7d31d2f | |||
| c7e9f8a1e0 | |||
| bbe1a4a850 | |||
| 2b8316060c | |||
| cc2c62faf7 | |||
| 47f1ba6cf2 | |||
| db89881d75 | |||
| 0bb0a270e6 | |||
| 41256ccbde | |||
| e551f0e5c5 | |||
| b11d599f37 | |||
| 782f2fa9ed |
Submodule assets/compose updated: d97f1cb1e5...d3f2e3b7b9
14
flake.lock
generated
14
flake.lock
generated
@@ -70,11 +70,11 @@
|
||||
"pre-commit-hooks": "pre-commit-hooks"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1777373577,
|
||||
"narHash": "sha256-K0sXr8tRA9L1FGE8Khl42NR+DmZOY9gNYCP8ljX7TAo=",
|
||||
"lastModified": 1774721317,
|
||||
"narHash": "sha256-KS0ElyhZKdUFcfaxfwid3yi2Id3EP9i+dGL16/wx1T8=",
|
||||
"ref": "main",
|
||||
"rev": "faaa14a303dabc6309a52cc8e5eba86f9e29ccaf",
|
||||
"revCount": 19152,
|
||||
"rev": "d0190cff6f2314cc1c727ff113aea20e086f4bcc",
|
||||
"revCount": 19103,
|
||||
"type": "git",
|
||||
"url": "https://git.lix.systems/lix-project/lix"
|
||||
},
|
||||
@@ -178,11 +178,11 @@
|
||||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1777268161,
|
||||
"narHash": "sha256-bxrdOn8SCOv8tN4JbTF/TXq7kjo9ag4M+C8yzzIRYbE=",
|
||||
"lastModified": 1774386573,
|
||||
"narHash": "sha256-4hAV26quOxdC6iyG7kYaZcM3VOskcPUrdCQd/nx8obc=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "1c3fe55ad329cbcb28471bb30f05c9827f724c76",
|
||||
"rev": "46db2e09e1d3f113a13c0d7b81e2f221c63b8ce9",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
||||
@@ -61,6 +61,7 @@
|
||||
./modules/nixos/services/open_code_server.nix
|
||||
./modules/nixos/services/ollama_init_custom_models.nix
|
||||
./modules/nixos/services/openclaw_node.nix
|
||||
./modules/nixos/services/hyperspace.nix
|
||||
./modules/nixos/security/ai-worker-restricted.nix
|
||||
./users/gortium.nix
|
||||
./users/ai-worker.nix
|
||||
|
||||
@@ -207,6 +207,7 @@
|
||||
ai = {
|
||||
path = self + "/assets/compose/ai";
|
||||
envFile = config.age.secrets.containers_env.path;
|
||||
ports = [ 22000 ]; # Syncthing TCP sync
|
||||
};
|
||||
|
||||
cloudstorage = {
|
||||
@@ -474,7 +475,7 @@
|
||||
services.openssh.settings = {
|
||||
PermitRootLogin = "no";
|
||||
MaxAuthTries = 3;
|
||||
MaxSessions = 10;
|
||||
MaxSessions = 20;
|
||||
LoginGraceTime = 30;
|
||||
ClientAliveInterval = 300;
|
||||
ClientAliveCountMax = 2;
|
||||
|
||||
134
modules/nixos/services/hyperspace.nix
Normal file
134
modules/nixos/services/hyperspace.nix
Normal file
@@ -0,0 +1,134 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
cfg = config.services.hyperspace;
|
||||
|
||||
hyperspacePkg = pkgs.stdenv.mkDerivation {
|
||||
name = "hyperspace-pods-${cfg.version}";
|
||||
src = pkgs.fetchurl {
|
||||
url = "https://github.com/hyperspaceai/aios-cli/releases/download/v${cfg.version}/aios-cli-x86_64-unknown-linux-gnu.tar.gz";
|
||||
hash = cfg.packageHash;
|
||||
};
|
||||
sourceRoot = ".";
|
||||
installPhase = ''
|
||||
mkdir -p $out/libexec $out/bin
|
||||
cp -r * $out/libexec/
|
||||
chmod +x $out/libexec/aios-cli
|
||||
ln -s $out/libexec/aios-cli $out/bin/hyperspace
|
||||
'';
|
||||
};
|
||||
in {
|
||||
options.services.hyperspace = {
|
||||
enable = lib.mkEnableOption "Hyperspace Pods P2P AI cluster agent";
|
||||
|
||||
version = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "5.45.30";
|
||||
description = "Hyperspace CLI version to download.";
|
||||
};
|
||||
|
||||
packageHash = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "sha256-f6fJ8t3exqtYwUD5j+WvD+Hm0oN/Eef0X+R9Rj23dE0=";
|
||||
description = ''
|
||||
SRI hash of the hyperspace release tarball (sha256-<base64>).
|
||||
Must be updated when version changes. Generate with:
|
||||
nix store prefetch-file --hash-algo sha256 \\
|
||||
https://github.com/hyperspaceai/aios-cli/releases/download/v{version}/aios-cli-x86_64-unknown-linux-gnu.tar.gz
|
||||
'';
|
||||
};
|
||||
|
||||
user = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "ai-worker";
|
||||
description = "System user to run the Hyperspace agent.";
|
||||
};
|
||||
|
||||
apiPort = lib.mkOption {
|
||||
type = lib.types.port;
|
||||
default = 8080;
|
||||
description = "OpenAI-compatible API port (configurable via --api-port).";
|
||||
};
|
||||
|
||||
profile = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "auto";
|
||||
description = ''
|
||||
Agent profile. Options: auto (auto-detect hardware), full (all capabilities),
|
||||
inference (GPU inference only), embedding (CPU embedding only),
|
||||
relay (lightweight relay), storage (storage + memory).
|
||||
'';
|
||||
};
|
||||
|
||||
autoStart = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = true;
|
||||
description = "Start the agent automatically on boot.";
|
||||
};
|
||||
|
||||
openFirewall = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = true;
|
||||
description = "Open P2P mesh (4001 TCP+UDP, 30301 TCP) and API port in the firewall.";
|
||||
};
|
||||
|
||||
extraArgs = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.str;
|
||||
default = [ ];
|
||||
description = "Extra arguments to pass to 'hyperspace start'.";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
systemd.services.hyperspace = {
|
||||
description = "Hyperspace Pods P2P AI Cluster Agent";
|
||||
after = [ "network.target" "network-online.target" ];
|
||||
wants = [ "network-online.target" ];
|
||||
wantedBy = lib.mkIf cfg.autoStart [ "multi-user.target" ];
|
||||
|
||||
path = with pkgs; [ bash coreutils ];
|
||||
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
User = cfg.user;
|
||||
Group = cfg.user;
|
||||
WorkingDirectory = "${hyperspacePkg}/libexec";
|
||||
ExecStart = "${hyperspacePkg}/bin/hyperspace start --profile ${cfg.profile} --api-port ${toString cfg.apiPort} ${lib.escapeShellArgs cfg.extraArgs}";
|
||||
Restart = "on-failure";
|
||||
RestartSec = 5;
|
||||
|
||||
# AMD MI50 (ROCm) device access
|
||||
DeviceAllow = [ "/dev/kfd rw" "/dev/dri rw" ];
|
||||
|
||||
# Supplementary groups for GPU/accelerator access
|
||||
SupplementaryGroups = [ "video" "render" ];
|
||||
|
||||
# Hardening
|
||||
NoNewPrivileges = true;
|
||||
ProtectHome = "tmpfs";
|
||||
ProtectSystem = "strict";
|
||||
PrivateTmp = true;
|
||||
PrivateDevices = false; # Needs /dev/kfd and /dev/dri
|
||||
};
|
||||
|
||||
environment = {
|
||||
HSA_OVERRIDE_GFX_VERSION = "9.0.6";
|
||||
HOME = "/home/${cfg.user}";
|
||||
};
|
||||
};
|
||||
|
||||
# Firewall ports for P2P mesh (libp2p 4001, chain 30301) and API
|
||||
networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ 4001 30301 cfg.apiPort ];
|
||||
networking.firewall.allowedUDPPorts = lib.mkIf cfg.openFirewall [ 4001 ];
|
||||
|
||||
# Add GPU/accelerator groups to the service user (persistent beyond service restarts)
|
||||
users.users = lib.mkIf (cfg.user == "ai-worker") {
|
||||
ai-worker = {
|
||||
extraGroups = [ "video" "render" ];
|
||||
};
|
||||
};
|
||||
|
||||
# ROCm override for AMD MI50 (gfx906) compatibility
|
||||
environment.variables.HSA_OVERRIDE_GFX_VERSION = "9.0.6";
|
||||
};
|
||||
}
|
||||
@@ -1,67 +1,87 @@
|
||||
{ pkgs, ... }: {
|
||||
systemd.services.init-ollama-model = {
|
||||
description = "Initialize LLM models with extra context in Ollama Docker";
|
||||
after = [ "docker-ollama.service" ];
|
||||
|
||||
# On s'assure que Docker tourne avant de lancer ce script
|
||||
after = [ "docker.service" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
script = ''
|
||||
# Wait for Ollama
|
||||
while ! ${pkgs.curl}/bin/curl -s http://localhost:11434/api/tags > /dev/null; do
|
||||
sleep 2
|
||||
done
|
||||
# Fonction de création asynchrone pour ne pas bloquer le démarrage
|
||||
(
|
||||
echo "Starting asynchronous Ollama initialization..."
|
||||
|
||||
# Attente d'Ollama (maximum 120 secondes pour éviter une boucle infinie)
|
||||
TIMEOUT=60
|
||||
COUNT=0
|
||||
while ! ${pkgs.curl}/bin/curl -s -f http://127.0.0.1:11434/api/tags > /dev/null; do
|
||||
if [ $COUNT -ge $TIMEOUT ]; then
|
||||
echo "Ollama did not become ready in time. Exiting."
|
||||
exit 1
|
||||
fi
|
||||
echo "Waiting for Ollama API to be reachable..."
|
||||
sleep 5
|
||||
COUNT=$((COUNT + 5))
|
||||
done
|
||||
|
||||
create_model_if_missing() {
|
||||
local model_name=$1
|
||||
local base_model=$2
|
||||
if ! ${pkgs.docker}/bin/docker exec ollama ollama list | grep -q "$model_name"; then
|
||||
echo "$model_name not found, creating from $base_model..."
|
||||
create_model_if_missing() {
|
||||
local model_name=$1
|
||||
local base_model=$2
|
||||
|
||||
# We use a custom TEMPLATE block to strip the 'currentDate' function
|
||||
# which is unsupported in Ollama 0.5.7 but present in Devstral's default manifest.
|
||||
${pkgs.docker}/bin/docker exec ollama sh -c "cat <<EOF > /root/.ollama/$model_name.modelfile
|
||||
# Vérification robuste via l'API HTTP d'Ollama plutôt que docker exec (évite les conflits de tty)
|
||||
if ! ${pkgs.curl}/bin/curl -s http://127.0.0.1:11434/api/tags | ${pkgs.jq}/bin/jq -e ".models[] | select(.name == \"$model_name\")" > /dev/null; then
|
||||
echo "$model_name not found, creating from $base_model..."
|
||||
|
||||
# Utilisation d'un fichier temporaire sur l'hôte pour l'injecter proprement dans Docker
|
||||
TMP_FILE=$(mktemp)
|
||||
cat <<EOF > "$TMP_FILE"
|
||||
FROM $base_model
|
||||
TEMPLATE \"\"\"{{- if .System }}
|
||||
TEMPLATE """{{- if .System }}
|
||||
[SYSTEM_PROMPT]
|
||||
{{ .System }}
|
||||
[/SYSTEM_PROMPT]
|
||||
{{- end }}
|
||||
{{- range .Messages }}
|
||||
{{- if eq .Role \"user\" }}
|
||||
{{- if eq .Role "user" }}
|
||||
[INST]
|
||||
{{ .Content }}
|
||||
[/INST]
|
||||
{{- else if eq .Role \"assistant\" }}
|
||||
{{- else if eq .Role "assistant" }}
|
||||
{{ .Content }}
|
||||
{{- end }}
|
||||
{{- end }}\"\"\"
|
||||
{{- end }}"""
|
||||
PARAMETER num_ctx 131072
|
||||
PARAMETER num_predict 4096
|
||||
PARAMETER num_keep 1024
|
||||
PARAMETER repeat_penalty 1.1
|
||||
PARAMETER top_k 40
|
||||
PARAMETER stop \"[INST]\"
|
||||
PARAMETER stop \"[/INST]\"
|
||||
PARAMETER stop \"</s>\"
|
||||
EOF"
|
||||
${pkgs.docker}/bin/docker exec ollama ollama create "$model_name" -f "/root/.ollama/$model_name.modelfile"
|
||||
${pkgs.docker}/bin/docker exec ollama rm "/root/.ollama/$model_name.modelfile"
|
||||
else
|
||||
echo "$model_name already exists, skipping."
|
||||
fi
|
||||
}
|
||||
PARAMETER stop "[INST]"
|
||||
PARAMETER stop "[/INST]"
|
||||
PARAMETER stop "</s>"
|
||||
EOF
|
||||
|
||||
# Create Nemotron
|
||||
create_model_if_missing "nemotron-3-nano:30b-128k" "nemotron-3-nano:30b"
|
||||
|
||||
# Create Devstral
|
||||
create_model_if_missing "devstral-small-2:24b-128k" "devstral-small-2:24b"
|
||||
|
||||
# create_model_if_missing "qwen2.5-coder:32b-128k" "qwen2.5-coder:32b"
|
||||
|
||||
# create_model_if_missing "mistral-large-planner:123b" "mistral-large:123b-instruct-v2407-q4_K_S"
|
||||
# Copie et création dans le conteneur
|
||||
${pkgs.docker}/bin/docker cp "$TMP_FILE" ollama:/tmp/model.modelfile
|
||||
${pkgs.docker}/bin/docker exec ollama ollama create "$model_name" -f /tmp/model.modelfile
|
||||
${pkgs.docker}/bin/docker exec ollama rm /tmp/model.modelfile
|
||||
rm -f "$TMP_FILE"
|
||||
else
|
||||
echo "$model_name already exists, skipping."
|
||||
fi
|
||||
}
|
||||
|
||||
# Create Nemotron
|
||||
create_model_if_missing "nemotron-3-nano:30b-128k" "nemotron-3-nano:30b"
|
||||
|
||||
# Create Devstral
|
||||
create_model_if_missing "devstral-small-2:24b-128k" "devstral-small-2:24b"
|
||||
|
||||
) &
|
||||
'';
|
||||
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
Type = "forking"; # Permet à systemd de savoir que le script passe en arrière-plan via '&'
|
||||
User = "root";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
9
secrets/wireguard_preshared_key.age
Normal file
9
secrets/wireguard_preshared_key.age
Normal file
@@ -0,0 +1,9 @@
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEdoTUQ4QSA3VG9Z
|
||||
MVFPVFc2VVJ3d0h0dmtBUnI3WHl2SzUxTkRZbjFCaGloWmV3dnd3ClcxdnVPeGd6
|
||||
SU4zR0Q0K1dtVjRRVHd0VW5XSFI0dVFpTjZnYk1DNjRxTVEKLT4gQzlgRy1ncmVh
|
||||
c2UKeUozOWgyUytSTVF0NjY2STBEb2VadwotLS0gblI3bmJCUWxxU3QrYTEyVFBI
|
||||
Snc4NC9rTkh0NnZYbUtxUE9hRWRkelpmMAq58fmH6cK13GeD7wGLxKmx10hmJeW4
|
||||
b7KqnCD1ZP7uG85s32xzVRwRG8RrG4xZo5nR9Mrtg1CoTSFfUGeFnf5xveN+Ej0X
|
||||
wDVB1LwC+Q==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
11
secrets/wireguard_private_key.age
Normal file
11
secrets/wireguard_private_key.age
Normal file
@@ -0,0 +1,11 @@
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEdoTUQ4QSA5dzVG
|
||||
WUNvT3NlRmcrWS81bzJqSWlTekVYaDFFTE10SkI2dEgzaGpxcUI4Cmk5Y0FGYTRZ
|
||||
K0NGYzY3VUp4aS9ZZGRmWTgybDJFUURva2pZNmVOS3QxdEUKLT4gPnVRTCtldGMt
|
||||
Z3JlYXNlCk04OTJZeFRNeDI5aGpMVTk1ZTE0Y2FMMnFEMjlJalJpMHRlaTE4ZWIx
|
||||
d2lCRGQ5RHVjcktOMGJCb1VERlNWcTYKaSt0L1Z6dVJ0QWIyZkhsYzFEVjZSQWUr
|
||||
ZWpwVlo1TmhoUFJZdkEvR0gxNlVhcXF2ZTRnCi0tLSBLcmM2MThNVkdWclpHUXRr
|
||||
VTF6QVk2WUZlTXpZMVNLMlpBOFc3M1o5WjZzCs9xbPlIX+u5vRSQ/z9utu+I9S2c
|
||||
02DOsIb1kzxzb1OK91b8Kh4JucQSq3qkyEvRucsNn5QW8hIHDnRuND6EbPyN7p4S
|
||||
YB/F0dxSqgnq
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
Reference in New Issue
Block a user