From 9a53151fdd5b85ccb4e82b4682cc330ad034af60 Mon Sep 17 00:00:00 2001
From: oddlama <oddlama@oddlama.org>
Date: Fri, 26 Jan 2024 00:31:54 +0100
Subject: [PATCH] feat: add ollama ai server

---
 hosts/sire/default.nix                        |   1 +
 hosts/sire/guests/ai.nix                      |  18 ++++++++++++++++++
 hosts/sire/secrets/ai/host.pub                |   1 +
 .../sentinel/loki-basic-auth-hashes.age       | Bin 2119 -> 2237 bytes
 .../promtail-loki-basic-auth-password.age     | Bin 0 -> 487 bytes
 .../sire-ai/telegraf-influxdb-token.age       |   9 +++++++++
 .../wireguard/proxy-sentinel/keys/sire-ai.age |  10 ++++++++++
 .../wireguard/proxy-sentinel/keys/sire-ai.pub |   1 +
 .../proxy-sentinel/psks/sentinel+sire-ai.age  |   9 +++++++++
 9 files changed, 49 insertions(+)
 create mode 100644 hosts/sire/guests/ai.nix
 create mode 100644 hosts/sire/secrets/ai/host.pub
 create mode 100644 secrets/generated/sire-ai/promtail-loki-basic-auth-password.age
 create mode 100644 secrets/generated/sire-ai/telegraf-influxdb-token.age
 create mode 100644 secrets/wireguard/proxy-sentinel/keys/sire-ai.age
 create mode 100644 secrets/wireguard/proxy-sentinel/keys/sire-ai.pub
 create mode 100644 secrets/wireguard/proxy-sentinel/psks/sentinel+sire-ai.age
diff --git a/hosts/sire/default.nix b/hosts/sire/default.nix
index 51af57a..5cd4236 100644
--- a/hosts/sire/default.nix
+++ b/hosts/sire/default.nix
@@ -132,6 +132,7 @@
       // mkMicrovm "immich" {
         enableStorageDataset = true;
       }
+      // mkMicrovm "ai" {}
       #// mkMicrovm "minecraft"
       #// mkMicrovm "firefly"
       #// mkMicrovm "fasten-health"
diff --git a/hosts/sire/guests/ai.nix b/hosts/sire/guests/ai.nix
new file mode 100644
index 0000000..bd71d1b
--- /dev/null
+++ b/hosts/sire/guests/ai.nix
@@ -0,0 +1,18 @@
+{
+  microvm.mem = 1024 * 16;
+  microvm.vcpu = 20;
+
+  networking.firewall.allowedTCPPorts = [11434];
+
+  environment.persistence."/state".directories = [
+    {
+      directory = "/var/lib/private/ollama";
+      mode = "0700";
+    }
+  ];
+
+  services.ollama = {
+    enable = true;
+    listenAddress = "0.0.0.0:11434";
+  };
+}
diff --git a/hosts/sire/secrets/ai/host.pub b/hosts/sire/secrets/ai/host.pub
new file mode 100644
index 0000000..e4074cd
--- /dev/null
+++ b/hosts/sire/secrets/ai/host.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGD35UWbMDS/Asz1xNAf23XUqbAYsCxJFMuujfcFSENA
diff --git a/secrets/generated/sentinel/loki-basic-auth-hashes.age b/secrets/generated/sentinel/loki-basic-auth-hashes.age
index d641be9f9105d275fa59e88224f56d2f386693f9..3846e0c7f5fe55f81fd0944fa8c6d8ed54fe3ad8 100644
GIT binary patch
delta 2229
zcmV;m2uk<I5WNwQAb)B>HAiqzWOqk2X*pUsG+0PtNLDg+GI2t1I6+caQAJr<Sx$E}
zXD?7|I0`d%P(eyZFm_USOIA-Zc`#FFD^YY)WO{OPO)*P1N^MDcZ&gBYY)wjGSqd#a
zAaH4REpRe5HXwL$Q)M_&AVD`rGiWbKH%Ty1RcKjyL}fv1M1L|zY)EosGGR<`ZAV&6
zG)OdLVo_5|PDlz`c|uiIHE>x%Wk_;&dQDVGY+7SuQeseMPgg=(PGVS1b$Ud4H&|6S
zGF1vKJ|K2SZ7(fna%Ew2WguNqAU#kDR7-R#Ph&<_NOCtqXi{oYD?~{vHZfLNT1Plf
zGC^}Ib!b<3Xn%7?QZ-U=S}-*@D@12cSV3<_b45{ac49XxZVFIPYhihFMsYD!abq!e
z3N0-yAaqqjcXVoWdTViYb!0hsZ$U^+Rz@&db8b&eK~qk7R5DL^W^zYlMq+4l3P@Z+
z&>)CrPPb(XZu+apnBM+%#hTp1O^?cpeUl&gMa?X^_J3L-xr=lE+Or!J1HY1}v|U*y
zyyg(fia!WVP&6J1_t#V=s`pwk4ah&M7hr0*CzSI3Lz9>lGmzLHw%s^v?Q0*8z;e6K
zl#D5e9Wg>k0<sOEB%gTfMY}*Gu0%ifgQp^9W%61?pGO>75OO+&U{&LC-AvK^9KC<G
z9mnNu{(o`d24+<{H_>j%4^XwgrZm_XtZvl#abhfd<y1y<^W@ibL_k&{XaB55!#kHA
z1qa3IkaHz@6w(~uZsO6pYBw6Hp>}bHM=bUM^6Wn&N`#s#LN{A*%m4hTcJr_$*S(OL
z7%$Z|Ten6IDyKaeX7Y7tZCG+c9DJE{pHVV%aDT4TFhgB#^Fljtz9tKh<23%N$0_km
zaj!u*h#-A6Z14YHIjJX^2U}iZB{qSbm-hd`HgA;@SOE}Csn5T%ZjHW)lN~lk>5?A#
zb9Gz=NCrCW6F^`YRws8He0@vDMP;8OcGnK7V!SsMjA*&z_U#m6U?;)#=eYfa7CH8V
zTz@<aYXIhgH%iO+vU7I$RHHaw3B1Tt8K9RTlv7q)TRu~h^V$5lRLRdIf5tH(55a7i
zIlP;|YJ(#d==XWO5h%S~zYnWUV5n;0$=zc74Yy7ypHEL}NTcoMIO_7=24wcNNPsH;
zfPx%<3=>{5hF>|tqL#o%GAsJfIkgz}bbrtREBn3sn}2+RlqNEhz5I~pk0X+_Ee7I3
z-Q}0hPtLK~iW%dJH`$sAih4%cl0GyP8pV^}Ip1p0Ia5Nu0uDFo5a$u%p1O1#Ku0Nk
zxVXs)GrV6!7Xghal{bnCkiH)o9yR_l=zPy9(p1@B!#D)ud{-3l)cgmw0;#(d7k@LO
zpm`ehcap3#$=cFL;fB~MX-k8}R3^UW-pKAA<?#<;E60LwR3)Kbie@-BLXqs|HSG5Q
zKX1S$fR3&fn{w(LxwG237iYwxrD%FI71%!pzft(92%X1EEuo5&+Ke2F=lRR`r%ve>
z&;0zafSEB~HS;B4Y5Thp6;ZHW#((KOw%0Wpu%-VzETv<o@02FED_2!UL?b7^Kx^7|
znU8;pwiO09-JKC(f)oXcu^D5c0k;VQYH$vfB<D#V#(Zpn<P%LkU<jMR#de-eaW*Xk
z_8g1p%AzUTAVPMp=B6f!8UH%V8Vt!P2j@MSkAY3oKfF+QyF`xMP<#NuG=JC62XiL>
zo!B4j(X!=cERu@D>yerX_B6xa&J{d2)~qkWk6g8)!=SIlm#>iPC8qATSZVK0&-K>v
zuT$B3R5U{hRGJZ)3=YpAW}<1j{jFf7J&i;i^!|!rf;+>eGD2QQwBTgAsC|^wkX9kU
z@y@K}upE->@(qqx1Nwb8qkmnr&xIu@jD3tv|LY$TJ@_==r`{#77pzvxRRgnAypFcD
zKZdIBD4-l7vhv0qOp7SLDPZgv+&WmfALTZ2`H@6eS!mop9*K9!j1~+-z@$4JCHr`O
z(?=eadofNx6d@m&8Ab%*32<U&56vKy+WezIh4rFimN=X{=mq=WX@At&R?7f_AhHC3
zBdSnePkyO-uj{T#c*Q#LTyEFcjhJrMr%|)FM3}p5=Asr|kV4MzHIf01!z8smL{V*S
z!HhM&3^asN`ccKCTlJjn(C*3y&-Gjo8vG9ymMmlOj3&>)w_F)z$|WH-&AL9C@NM5}
znBPz3EIg7k2BRdI=YOn-3#KUz{5^VrP$1J5_Ox4@QHZkx+KT`xh7y}uUi}sDSj!%P
z_|^7ITC@Y3WnTR*`)!VY%PMy%Kpz-|oW@TvOfzj+FZ{$lN5kbK=F$6e#m-xXABUNR
zSvRy4W3=RQ8L=;#&vc~N*Q|lSo5)J|#Z5$;XF-jfZWyVL5`WXH@uOfMqeKm`Bbe~R
z7lj~G^onhrL^I1<SBhC8bKbO~dq1uoIN6WKH{~7o_%Refo{=zJNY2=s%~3FUsbL_w
zd$wq)jj^_c?>;_B963)66oK3^DGh`&hd*w-rGJOrsch7gE;I`PS*7=zhSWT@4(SB~
zr9@sIj+Kid41a)FfJxxenuEW#LSS^z|LoT|*(Wql<i0crR{NVAY=7z0vmFb#4=#LK
z5Z3_o(6tv^&pzCemt4us&Nm0KPB^ngk7Rvw4A-%nv`klm;Q#S1lsvQx7PAuHC}f~D
z@TE4}VtG#v5*r4pjcxeqdCJC^8(cYJWG%#t=3n>CaDQgh+N-@$O}p+8cF|}RRI3{I
zJF|OPutv;{2Z5DO$A1i^kk2CmBlbwME0)46(q}d0VJGAx5ciNY##k)1)TF*G|0%BY
z7Wxf9j8j~Cs-P2D+mo~a?4my~8{T5O=J*_U+%vrEe>xyrQ2TmRARGVF?Sl*{-JtzA
zgeEh4*)ICcdz#=vPdnU=Tq2a=71#rn2iC%k8ZZCnQ={W{$--<wqZ4xUlnMJWNgJVo
DQf&w{

delta 2110
zcmV-E2*LNg5yudaAb)miXizmxIZ$$WNp?b7X-R5iXi#NyVR2P<NpeC+LrzUgRaHlA
zICNobK?+iDY<M_#LPvFFYEoHhMQ&7aOf*b(O-)T@GInceOJihhNpxgZWid!ZYYHts
zAaH4REpRe5HXwL$Q)M_&AVGOXHBfS4SW`GRQg3>1RyRypS$}#=D`IXdQB5~la(7m6
zL`zCCGcssbWkm{bL`qX^VMQx-N<~aTD^yl^S9WwVcR^`GGgozaHB~fKa%pZxIYDY^
zY*h*^J|K2JTsLrIEoX9NVRL05P(w{EBp_f#J}@acAax31QB_hgNH}hKV`@oRHd0Sn
zD^gixcV=2xG=F7sHdRkcD=TbfWL9i7WMz6sPIF0lF;z=(YIh1PEiE8rMr3eINpCnx
zPdGVHXi8ZtGi6FpadBr$Fi>J<MKN<SNiStjOmS*eOLGb%8_?|*lH?I%pd_rAAc^a9
z8j(CG?c^eTyl>2T%ieDTG2sF?RW!VRKzBZ2{~KI}tACsBS*(qEJEROkGR9Ii@oR<R
zO9rW%on(*0`j%`X4P1=U9cI~<=JXA)YfI^|x@F^A9S&U{wi*Ip8C}lZSAY(q*9Q=B
zoi0h+!AJu=YBJ=Ail^V}hv`<XP{YM}*{iJZ9$;|k=j%@-g?}*DeS4`jGr1vUE$yvz
z!W*ilOMevMoz6S2G^u9tnlhXl@6<ou2^79v8kieSixue&T7*nqy*bLR9=#A0kthP{
zRR@67AeA#>lTJSF%I<nK@T9%0myz@j{vnTH{sk`WcB%0Y(vToszLO9)1_H(3Z57X^
z1Cp#12YX^o#4(xh+#w1SR%_K{&=<Ll9|8MM>VLCzNq&yflvC>3elGZoZCJX8>D=+m
z`)SwiuV7+R68L0{N%`_V!<mhhsN6%ftCgO6gKvW2f?tdBg&`;j3NZo}?JEDH12wzp
z(!uVz(~Zi;4_MgsAFz+Q!DzXGZE`_NVm$HF)6lU+M^6XGqn+un!Dl+q{+}Y|t3hPA
ztA7cNUay4L9k~Qn3t*&yh|p{x-A=?C`{UDoTvxSRXOF8fV9#eARm|oau@LNT1+}cY
zTiQ<DWXCZB+UW*u9Wc9w$yxFExYsZ(5sR@T^xZviYzTGOK5$A=5qpy(qZ{it<2-()
z%J+&=)=ER3i{104-@b~m!NyDZzrz=W8Gj<M$4G+KmMeZF8diAH@8iMT4!NnSkV_16
z_AOduQ?N~U*Y+wU4|a#ulr`rs?mmYc_3N3!hEl69a9wWwyh}A+l1SLm6$z6@sK~zd
z^TW<ul8Dn8VTEA7P9uR36Y_}4O~p<YAkE);4vWXsckr-RRY}egt8r8)nU`iWa)0QP
ztRP|l?RtaHzyJzHwR7FsP$Ek$lcAoe3T6G0)pDhZL}?iNsOI@p!{=~>V^8pRjF3T}
z#!!(zq4iLc4y#~^>^ZE^Irw~u9EpIPT`&Z{@FT49j2)DSV`BYKyf%mMjewcCMMhdd
z)R-<1t|wW1hhjG<FLgo-1#oP<Du2(X(&bxKLwm=PQCz!AtS02+@@$URDpN=ke%B(O
z8~SE8CJ*71|Mn>uof#JJMpNHzxYXo+YBL0JAj(#6zhwr<cElhlR|?~~<@=g6ay1s0
z62R7{`NOb|0pp!JJ>M1mDCFlCn~0{hb?q(83tax#^Nw#rUDq5bNR{MiI)C+*Af|&g
zY`zoN&fB+cH=_VV)|06{_&0)jU6pE_8>$gVdx^6-X;kI&yyO}mlIGT$8h-=e5C0SE
z;q}lW{Q&{XyerP>lq0rq_h!~}Hk;_?qHr$1EYF!{3UB7>lf?ZSo$>KC5I#lxmAYoe
zSDZR`uW%zT1ov-t%ml0D*nf)C;6Y}gfN}yOL|<F;SeX^`?&;4~+%g)q_^e&a49mmd
z){E^SrI^>NIY51;1qE9^7K}=GW1A<-q@WBVNp1|aCBB|JF^nM%WXzPwxt@_L39N@R
zwljFF_qdGAMXsaUbJN6Pl1gVf%}!+@Hi`2)qZ(K$0B#jG987DoB7gYlGsBGoe*#OG
zmrjc<?f@D5`oqO(N6esuRL>xdnB~_?em8O!TW!5eR`ravLbBpo*PahL1xI0k!pa#e
zHFCEPq4$9QGnFv*gVb%@n|KGYS4owQ{t{{lpc)5X<g8wBspw&XjQQ=sp1dJ?WHFMZ
zuOjeYpbJC^d+YyG|9`hkMdMA?5ICF?LdvUt{$9YEhrZBs9)8_{rH+e6WLK5B*c3B+
zzY*2fsTOw5eUe_|b_f|Tv9oCQW499gumVT5hH-SC<Cik3)44I)m_k{TeaB;3Xd;Xc
zAvD^(+(`D*9_Pk?Z^dyQS5hVS?aJPeQsh-%`<*N2s+w9ebbl6;U|OkhdXngYpGb4L
z31U}?1IuhSwQa?Z+llkj$%fKUcJ`_Q<rEbc-ijM*8u*(h!if#f%#r<{SS_xj;v1dA
z6I&Q-uW2eERuDOC`OX2zg-`gj5_!IC8nqqZ^<<NPCpKptp88=|L|B4eD=8vr4jDwi
z1hbWaxS5z*y?+iOK<*B+OMNd(tjuivh~RckbhR0{`LMm>sdvmT3*M{DQGf-wuXWnj
z1a)WVem$1B`2b>eKnH*Os%a!gq@Kk2C-WNbZR~L&`1Pu+5|=+7`at6T%EURNL8P^z
zZw(2%s(^J62>m#7k!wFFFP7qrf)&J`iBbOpCKI*VA2)t*^C(1bu&<ebJ})fqY1ER{
oyZe?p!%59pd(>qJhi&{vQ4r(?n*AwZ;j_CYL&c1(4Tz!Xpi$lEVE_OC

diff --git a/secrets/generated/sire-ai/promtail-loki-basic-auth-password.age b/secrets/generated/sire-ai/promtail-loki-basic-auth-password.age
new file mode 100644
index 0000000000000000000000000000000000000000..7e6476deb489084bedfb3913a8000ebb9839f279
GIT binary patch
literal 487
zcmWm7yNlCc003~21HFKVA{=f}aq)<09&H+xJK8k8rcL@v+B`T8lJxtUq>rRu9!>fO
z2yW`;=&XWrbaZhN!BHGtL^t6EaZ!-_{R2OH3J9=tQ4uA6xV#^tDVb3iaey0ixlHkR
zq*Fj!#4x1xOZ~xIYQmbu`89~N5pQKd6K+;~Y)J{ru-JgNEl~?wM{Lq@=T$~-Xfe>)
z&B{%s4(CmjE;3ZH-JmG(e2Dyvi0E<!&sQp_4)EGWmo~oX<f^Tt{Kn!l&lRY?Xn?q=
z+MvW`-n6AIvn3;&m^YX}Ma;7DoE-P}$<kt`Q;893vE>;pd&seg!ogw`36<IT)pLm{
z0(J~=;+Vz{okMgFN4M=E)-pRrj<QmDRc*^rPaHJe^avV_MQRtdK<rkaqvwe+^59bN
z9cm^s3a5BJa8gMR1ZIuNV>7WPVq0)Klw?-I^|-4T1*7FE>Pn5mp5=jy5d?t)nU$P+
zeWJ2GElM0s4LzBrK|c);IS!Bt`#IT$^f07ZY_a#3`m&v$&959>it49NZa)5fLf(10
zvm-vZ@%G{5*WU5nlTRPw%gOicAN2Catw$HW?tXj2y}x>$jX!QLet!1)#kI5b>H1yo
L-*e&TD{S{aWaOvr

literal 0
HcmV?d00001

diff --git a/secrets/generated/sire-ai/telegraf-influxdb-token.age b/secrets/generated/sire-ai/telegraf-influxdb-token.age
new file mode 100644
index 0000000..c309ced
--- /dev/null
+++ b/secrets/generated/sire-ai/telegraf-influxdb-token.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 e09chuumAr9YIQr2FfMksKQ6fuynCRG48q3MFUpZMy0
+tdk5i7W1B3jHBQtpu0GNKhbRSCwAGdANJ++XTvcJsUc
+-> piv-p256 xqSe8Q AlCSRpF/mmCbRdgeJmgRfjYGv3UXsiDUXNd1ycXL/VYP
+flgemElH9cDwS13GFK0yhXEFMtae7mu6cigrtdEqwD4
+-> $#F(3&-grease
+
+--- oiRai0AKyVi3x1Ca4kvxWTsB+9iNGc1ns/dwhWKQ5Bk
+®fõNblÎ¢ÜM‘uê¯r7{de‘\F´ùx"6=ÃGûÀ¯Zw$ÐM|È…”`¢ìf5¹~a@k÷8ñaîîØmÌAÌ$A=š¶åøY
\ No newline at end of file
diff --git a/secrets/wireguard/proxy-sentinel/keys/sire-ai.age b/secrets/wireguard/proxy-sentinel/keys/sire-ai.age
new file mode 100644
index 0000000..6a9535a
--- /dev/null
+++ b/secrets/wireguard/proxy-sentinel/keys/sire-ai.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 TH0kjq49QgHVMxiKN/A7GwtqwdQw9DAikE+5EjCvBh4
++vYyoJa5I2PTH+v+kwj5NyFwY+ZM9taFsC7r9uVn6nU
+-> piv-p256 xqSe8Q At6UZoFAzsYlT0QDcGGSWKxCsv4Iw/fOctV+d1EL3kMl
+Nf0ueYrxTsPPO/TsEHaNSV5jHFZkbDi0vQBd0wNfduE
+-> i-grease u.xSTA x'~zLGA_ e GE#
+ST6gex/P7Tl+iuVMtoP892ZiSqxNBKPcPu8mZqFMnuWOmY1sgaGWqo8uANrENf4S
+AWdV9+b9NrRHzwp+s5ZglVEZCj8uY/yNjr+5/sPqwyVGWqRh24kwWPg
+--- ihZIFb7aU1VLXXfmQCMhpC0YwTMyCu7mV8wRBaSIaXo
+ó3øÍãônkÁ¶&àH<»=ÖoœeAd+”)™Y¡á„Ë²­ñ©à‚ðš€\5ÔP°åÇöç¹	Ÿj!ßü²•y—E>ÉEüµ8ki
\ No newline at end of file
diff --git a/secrets/wireguard/proxy-sentinel/keys/sire-ai.pub b/secrets/wireguard/proxy-sentinel/keys/sire-ai.pub
new file mode 100644
index 0000000..c3792bd
--- /dev/null
+++ b/secrets/wireguard/proxy-sentinel/keys/sire-ai.pub
@@ -0,0 +1 @@
+ygcBHVWOJfuMpLjaP8wmTlOxaKtLdfnOpkSnSI1yK0E=
diff --git a/secrets/wireguard/proxy-sentinel/psks/sentinel+sire-ai.age b/secrets/wireguard/proxy-sentinel/psks/sentinel+sire-ai.age
new file mode 100644
index 0000000..43ce934
--- /dev/null
+++ b/secrets/wireguard/proxy-sentinel/psks/sentinel+sire-ai.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 T95WvKmKcGXdvR9je/tOyisM9IFKYMAY/3GuHZwD+zo
+7kmXql4Ti7orkYWf3RGNW2fJ1GBL7X95TzPHzWmlTGc
+-> piv-p256 xqSe8Q A+L9ytWGceDG0o8dto7/Q35AGAKc4geqNq0/U46xMvfU
+RFiabxIUqn1eehP5Dy4aWQbTVqVFG1uXUkGmys5wuA4
+-> 9-grease B?'f1
+y9r8TgPo/KFoIkJ7svBEwQsRwSdENuvKbZUX
+--- INSbhj2g2kORf8xCpIWnCdbCh/kHh1RoiDhMdPvDLuk
+¶ðsÕ_„ÆYåÅã;ß¶€àÇÎT†s)ˆ-½« uM6*¤O•}^÷Ûb/çü¤„]RnÄ÷îFùo—‚0Ô~ý2)éö/Èóž»
\ No newline at end of file
