Enhance infrastructure and application configurations
- Updated AGENTS.md to include new directories for execution plans and implemented feature reports. - Modified Ansible host variables for dev-02 and gpu-01 to change API endpoints and add new configurations for Scaleway. - Adjusted firewall rules in gpu-01 to allow HTTPS traffic instead of the previous Ollama port. - Added OAuth2 proxy configurations to gpu-01 for enhanced security. - Removed deprecated open-webui module from Terraform app configurations. - Updated Terraform configurations to reflect changes in local variables and removed unused secrets. - Created a new sectool.json file for CloudNS integration with Bitwarden. - Enhanced SELinux configurations for nginx to allow connections to any port and added oauth2-proxy port.
This commit is contained in:
@@ -83,7 +83,7 @@ linux_dev_station_opencode_config:
|
||||
name: "alexpires.me"
|
||||
npm: "@ai-sdk/openai-compatible"
|
||||
options:
|
||||
baseURL: "https://open-webui.lab.alexpires.me/api"
|
||||
baseURL: "https://llm.lab.alexpires.me/api/v1"
|
||||
apiKey: "{{ lookup('env', 'OPEN_WEBUI_API_KEY', default='') }}"
|
||||
timeout: 3000000
|
||||
chunkTimeout: 3000000
|
||||
@@ -92,6 +92,12 @@ linux_dev_station_opencode_config:
|
||||
name: "qwen3-6-27b-mtp-q4-0"
|
||||
qwen3-6-35b-a3b-mtp-ud-q4-m:
|
||||
name: "qwen3-6-35b-a3b-mtp-ud-q4-m"
|
||||
scaleway:
|
||||
name: "scaleway"
|
||||
npm: "@ai-sdk/openai-compatible"
|
||||
options:
|
||||
baseURL: "https://api.scaleway.ai/{{ lookup('env', 'SCW_DEFAULT_ORGANIZATION_ID', default='') }}/v1"
|
||||
apiKey: "{{ lookup('env', 'SCW_INFERENCE_API_KEY', default='') }}"
|
||||
mcp:
|
||||
deepwiki:
|
||||
type: "remote"
|
||||
|
||||
@@ -39,8 +39,8 @@ ufw_enable: true
|
||||
fw_allowed_ports:
|
||||
- { rule: "allow", port: "22", proto: "tcp", from: "10.5.5.5/32" } # Wireguard VPN (Laptop)
|
||||
- { rule: "allow", port: "22", proto: "tcp", from: "10.19.4.0/24" } # local network
|
||||
- { rule: "allow", port: "11434", proto: "tcp", from: "10.19.4.0/24" } # Ollama (local network)
|
||||
- { rule: "allow", port: "11434", proto: "tcp", from: "10.5.5.5/32" } # Ollama (Laptop)
|
||||
- { rule: "allow", port: "443", proto: "tcp", from: "10.19.4.0/24" } # HTTPS (nginx reverse proxy)
|
||||
- { rule: "allow", port: "443", proto: "tcp", from: "10.5.5.5/32" } # HTTPS (nginx reverse proxy, VPN)
|
||||
- { rule: "allow", port: "8880", proto: "tcp", from: "10.19.4.0/24" } # Kokoro-FastAPI (local network)
|
||||
- { rule: "allow", port: "8880", proto: "tcp", from: "10.5.5.5/32" } # Kokoro-FastAPI (Laptop)
|
||||
- { rule: "allow", port: "8188", proto: "tcp", from: "10.19.4.0/24" } # ComfyUI (local network)
|
||||
@@ -112,6 +112,7 @@ llama_server_home: "/mnt/data/llamacpp"
|
||||
llama_server_user_pubkey: "ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAHHOPBR9p9kq5Cqzpe4cr3jHnweaYrHPXv5sXNzt+sCXP54uc5rWUBhxW2OQVvQzJ47dEVhEKi4WSC7LcuKS2G5AQDzWXNiasHvYIYQU3F/EknVCZnsiXYqXphYkJA6rJCNRnISZCIC1mocq6PB7J08ONdRFCvjfUBuVRT8BNGXNmQ/zQ=="
|
||||
|
||||
llama_server_port: 11434
|
||||
llama_server_bind: "127.0.0.1"
|
||||
llama_server_devices:
|
||||
- "nvidia.com/gpu=all"
|
||||
- "/dev/kfd:/dev/kfd:rw"
|
||||
@@ -202,6 +203,8 @@ llama_server_models:
|
||||
|
||||
llama_server_argv_extra:
|
||||
[
|
||||
"--api-key",
|
||||
"{{ lookup('env', 'OPEN_WEBUI_API_KEY', default='') }}",
|
||||
"-t",
|
||||
10,
|
||||
"-np",
|
||||
@@ -249,3 +252,33 @@ auto_suspend_cpu_idle_threshold: 90.0
|
||||
# llama_server_preset_global:
|
||||
# ctx-size: 98304
|
||||
# n-gpu-layers: all
|
||||
|
||||
# nginx_proxy: TLS + OAuth2/OIDC SSO for llm.lab.alexpires.me
|
||||
nginx_proxy_certbot_email: "c.alexandre.pires@alexpires.me"
|
||||
nginx_proxy_oauth2_proxy_enabled: true
|
||||
nginx_proxy_oauth2_proxy_provider: "oidc"
|
||||
nginx_proxy_oauth2_proxy_provider_url: "https://code.alexpires.me"
|
||||
nginx_proxy_oauth2_proxy_redirect_urls:
|
||||
- "https://llm.lab.alexpires.me/oauth2/callback"
|
||||
nginx_proxy_oauth2_proxy_email_domains:
|
||||
- "*"
|
||||
nginx_proxy_oauth2_proxy_cookie_secret: "{{ lookup('env', 'OAUTH2_PROXY_COOKIE_SECRET', default='') }}"
|
||||
nginx_proxy_oauth2_proxy_client_id: "{{ lookup('env', 'OAUTH2_PROXY_CLIENT_ID', default='') }}"
|
||||
nginx_proxy_oauth2_proxy_client_secret: "{{ lookup('env', 'OAUTH2_PROXY_CLIENT_SECRET', default='') }}"
|
||||
nginx_proxy_sites:
|
||||
- name: llm
|
||||
server_name: "llm.lab.alexpires.me"
|
||||
upstream:
|
||||
host: "127.0.0.1"
|
||||
port: 11434
|
||||
websocket: true
|
||||
extra_locations:
|
||||
- path: /api/
|
||||
config:
|
||||
proxy_pass: "http://127.0.0.1:11434/"
|
||||
proxy_buffering: "off"
|
||||
proxy_read_timeout: "1800s"
|
||||
proxy_send_timeout: "1800s"
|
||||
proxy_http_version: "1.1"
|
||||
proxy_set_header Upgrade: "$http_upgrade"
|
||||
proxy_set_header Connection: "$connection_upgrade"
|
||||
|
||||
@@ -10,6 +10,7 @@ llama_server_extra_groups: "users,video"
|
||||
llama_server_devices: []
|
||||
llama_server_env: {}
|
||||
llama_server_port: 11434
|
||||
llama_server_bind: "0.0.0.0"
|
||||
llama_server_preset_global: {}
|
||||
llama_server_host: "127.0.0.1"
|
||||
llama_server_argv_extra: []
|
||||
|
||||
@@ -135,7 +135,7 @@
|
||||
state: started
|
||||
device: "{{ llama_server_devices | default(omit) }}"
|
||||
env: "{{ llama_server_env | default(omit) }}"
|
||||
ports: "0.0.0.0:{{ llama_server_port }}:8080/tcp"
|
||||
ports: "{{ llama_server_bind }}:{{ llama_server_port }}:8080/tcp"
|
||||
volumes:
|
||||
- "{{ llama_server_home }}/models:/models:Z"
|
||||
- "{{ llama_server_home }}/.cache:/app/.cache:Z"
|
||||
|
||||
@@ -44,3 +44,18 @@
|
||||
become: true
|
||||
ansible.builtin.command: restorecon -Rv /etc/letsencrypt
|
||||
changed_when: false
|
||||
|
||||
- name: Set SELinux boolean to allow nginx to connect to any port
|
||||
become: true
|
||||
ansible.builtin.command: semanage boolean -m --on nginx_connect_any
|
||||
failed_when: false
|
||||
changed_when: false
|
||||
when: ansible_selinux.status == "enabled"
|
||||
|
||||
- name: Add oauth2-proxy port to SELinux http_port_t
|
||||
become: true
|
||||
ansible.builtin.command: >-
|
||||
semanage port -a -t http_port_t -p tcp {{ nginx_proxy_oauth2_proxy_port }}
|
||||
failed_when: false
|
||||
changed_when: false
|
||||
when: ansible_selinux.status == "enabled"
|
||||
|
||||
@@ -22,6 +22,7 @@
|
||||
mode: "0755"
|
||||
owner: root
|
||||
group: root
|
||||
remote_src: true
|
||||
|
||||
- name: Create oauth2-proxy config directory
|
||||
become: true
|
||||
|
||||
@@ -13,6 +13,7 @@ server {
|
||||
|
||||
add_header Strict-Transport-Security "max-age={{ nginx_proxy_nginx_hsts_max_age }}; {{ nginx_proxy_nginx_hsts_include_subdomains | ternary('includeSubDomains', '') }}" always;
|
||||
|
||||
{% if not (item.no_auth | default(false) | bool) %}
|
||||
# Redirect unauthenticated requests to OAuth2 sign-in
|
||||
error_page 401 = /oauth2/sign_in;
|
||||
|
||||
@@ -52,13 +53,16 @@ server {
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Scheme $scheme;
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
location / {
|
||||
{% if not (item.no_auth | default(false) | bool) %}
|
||||
auth_request /oauth2/auth;
|
||||
auth_request_set $auth_status $upstream_status;
|
||||
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||||
|
||||
add_header Set-Cookie $auth_cookie;
|
||||
{% endif %}
|
||||
add_header Strict-Transport-Security "max-age={{ nginx_proxy_nginx_hsts_max_age }}; {{ nginx_proxy_nginx_hsts_include_subdomains | ternary('includeSubDomains', '') }}" always;
|
||||
|
||||
proxy_pass http://{{ item.upstream.host }}:{{ item.upstream.port }};
|
||||
|
||||
@@ -24,3 +24,5 @@ OPEN_WEBUI_API_KEY=$OPEN_WEBUI_API_KEY
|
||||
OAUTH2_PROXY_COOKIE_SECRET=$OAUTH2_PROXY_COOKIE_SECRET
|
||||
OAUTH2_PROXY_CLIENT_ID=$OAUTH2_PROXY_CLIENT_ID
|
||||
OAUTH2_PROXY_CLIENT_SECRET=$OAUTH2_PROXY_CLIENT_SECRET
|
||||
SCW_DEFAULT_ORGANIZATION_ID=$SCALEWAY_ORGANIZATION_ID
|
||||
SCW_INFERENCE_API_KEY=$SCW_INFERENCE_API_KEY
|
||||
Reference in New Issue
Block a user