From 3ca11455ee952767aff21a2ba3ab6227288f9aac Mon Sep 17 00:00:00 2001 From: Joakim Repomaa Date: Fri, 29 May 2026 19:14:50 +0300 Subject: [PATCH] setup openwebui --- hosts/freun-dev/secrets.nix | 2 + hosts/freun-dev/services.nix | 25 ++++++++++ modules/services/default.nix | 1 + modules/services/open-webui.nix | 78 ++++++++++++++++++++++++++++++ secrets/open-terminal-api-key.age | Bin 0 -> 522 bytes secrets/open-webui.age | Bin 0 -> 822 bytes secrets/secrets.nix | 2 + 7 files changed, 108 insertions(+) create mode 100644 modules/services/open-webui.nix create mode 100644 secrets/open-terminal-api-key.age create mode 100644 secrets/open-webui.age diff --git a/hosts/freun-dev/secrets.nix b/hosts/freun-dev/secrets.nix index bfc985b..61a8fa7 100644 --- a/hosts/freun-dev/secrets.nix +++ b/hosts/freun-dev/secrets.nix @@ -33,6 +33,8 @@ "gitea" "gitea-actions-runner" "searx" + "open-webui" + "open-terminal-api-key" ] ) // { diff --git a/hosts/freun-dev/services.nix b/hosts/freun-dev/services.nix index 5c95b0e..f989b6d 100644 --- a/hosts/freun-dev/services.nix +++ b/hosts/freun-dev/services.nix @@ -19,6 +19,7 @@ let secrets = config.age.secrets; in { + nixpkgs.config.allowUnfree = true; imports = [ ./glance.nix ]; @@ -425,11 +426,35 @@ in }; }; + open-webui = { + enable = true; + port = 3500; + environmentFile = secrets.open-webui.path; + environment = { + ENABLE_WEB_SEARCH = "True"; + ENABLE_OLLAMA_API = "False"; + }; + subdomain = "owu"; + }; + webserver = { acme.dnsChallenge = true; tailscaleAuth.expectedTailnet = "tempel-vibes.ts.net"; }; }; + virtualisation.oci-containers.containers.open-terminal = { + image = "ghcr.io/open-webui/open-terminal:latest"; + autoStart = true; + ports = [ "127.0.0.1:3700:8000" ]; + environmentFiles = [ config.age.secrets."open-terminal-api-key".path ]; + environment = { + OPEN_TERMINAL_MULTI_USER = "true"; + }; + volumes = [ + "open-terminal-data:/home/user" + ]; + }; + virtualisation.docker.autoPrune.enable = true; } 
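Review bot: `nixpkgs.config.allowUnfree = true;` at the top of hosts/freun-dev/services.nix lifts the unfree-licence gate for every package this host evaluates, not only the one this commit needs. If the intent is only to permit Open WebUI, an allow-list keeps any later unfree addition visible in review: `nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "open-webui" ];` (assuming `lib` is in scope in this file). The package itself is taken from `pkgs-unstable` in modules/services/open-webui.nix, and whether this host-level setting reaches that package set is not visible here, so confirm the line has the intended effect. The enclosing attribute set continues outside the hunk.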
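Review bot: The `open-terminal` container is pulled by the mutable tag `ghcr.io/open-webui/open-terminal:latest`, so the code this host runs can change on any pull without a change in this repository. The container also receives the `open-terminal-api-key` secret and, judging by its name, provides terminal access. Pin the image by digest and bump it deliberately, e.g. `image = "ghcr.io/open-webui/open-terminal@sha256:<DIGEST>";`, where `<DIGEST>` is a placeholder for the value from the registry. The loopback-only publish `127.0.0.1:3700:8000` is a sensible default. A one-line comment saying which component is expected to reach that port, and what `OPEN_TERMINAL_MULTI_USER = "true"` implies for isolation between users, would help the next reader.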
diff --git a/modules/services/default.nix b/modules/services/default.nix index b683018..f8e425f 100644 --- a/modules/services/default.nix +++ b/modules/services/default.nix @@ -34,5 +34,6 @@ ./dhcp-dns-sync ./invidious-companion.nix ./searx.nix + ./open-webui.nix ]; } diff --git a/modules/services/open-webui.nix b/modules/services/open-webui.nix new file mode 100644 index 0000000..cff2edb --- /dev/null +++ b/modules/services/open-webui.nix 
@@ -0,0 +1,78 @@
+{
+ lib,
+ config,
+ pkgs-unstable,
+ ...
+}:
+let
+ cfg = config.services.open-webui;
+ fqdn = "${cfg.subdomain}.${config.networking.domain}";
+
+ open-webui-pkg = pkgs-unstable.open-webui.overridePythonAttrs (oldAttrs: {
+ dependencies =
+ oldAttrs.dependencies
+ ++ (with pkgs-unstable.python3Packages; [
+ pgvector
+ psycopg2
+ ])
+ ++ [
+ pkgs-unstable.ffmpeg
+ ];
+ });
+in
+{
+ options.services.open-webui = {
+ subdomain = lib.mkOption {
+ type = lib.types.str;
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ services = {
+ open-webui = {
+ package = open-webui-pkg;
+ environment = {
+ ANONYMIZED_TELEMETRY = "False";
+ DO_NOT_TRACK = "True";
+ SCARF_NO_ANALYTICS = "True";
+ WEBUI_URL = "https://${fqdn}";
+ VECTOR_DB = "pgvector";
+ PGVECTOR_CREATE_EXTENSION = "False";
+ DATABASE_URL = "postgresql:///open-webui?host=/var/run/postgresql";
+ CORS_ALLOW_ORIGIN = "https://${fqdn};http://localhost";
+ };
+ };
+
+ webserver.vHosts.${fqdn}.locations."/".proxyPort = cfg.port;
+ postgresql = {
+ enable = lib.mkDefault true;
+ ensureDatabases = [ "open-webui" ];
+ ensureUsers = [
+ {
+ name = "open-webui";
+ ensureDBOwnership = true;
+ }
+ ];
+ extensions = ps: with ps; [ pgvector ];
+ };
+ };
+
+ systemd.services.open-webui-pgvector-setup = {
+ description = "Ensure pgvector extension exists for open-webui";
+ wantedBy = [ "open-webui.service" ];
+ before = [ "open-webui.service" ];
+ after = [
+ "postgresql.service"
+ "postgresql-setup.service"
+ ];
+ requires = [ "postgresql.service" ];
+ serviceConfig = {
+ Type = "oneshot";
+ User = "postgres";
+ Group = "postgres";
+ ExecStart = "${config.services.postgresql.package}/bin/psql -d open-webui -c 'CREATE EXTENSION IF NOT EXISTS vector;'";
+ RemainAfterExit = true;
+ };
+ };
+ };
+}
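Review bot: `CORS_ALLOW_ORIGIN = "https://${fqdn};http://localhost";` lists a plaintext `http://localhost` origin alongside the real site. That lets a page served from localhost on a user's machine make cross-origin requests that the deployed instance accepts. Unless something in this deployment needs it, restrict the value to the public origin, `CORS_ALLOW_ORIGIN = "https://${fqdn}";`, or add a comment naming the consumer that requires localhost. Separately, `open-webui-pgvector-setup` is attached with `wantedBy`/`before` only, so `open-webui.service` would presumably still start if the `CREATE EXTENSION` step fails while `PGVECTOR_CREATE_EXTENSION` is `"False"`. A note on that choice, and a `description` on the `subdomain` option, would document the intent.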
diff --git a/secrets/open-terminal-api-key.age b/secrets/open-terminal-api-key.age new file mode 100644 index 0000000000000000000000000000000000000000..af8cde2c3487490707ec3c19985bfc0d0349f1ec GIT binary patch literal 522 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU7FZOqia#TnSjmq~l zC@{?rFUqh8H1={c3pPzp2@LVCGIMkf3oFd@%@1~uN;j*x@w=7Of%n3+x&Gj&L z@$@SR^s5MVuT0bT%1I0fam(>?k915*wlD|}4Mn%j#Vs>GBTymHD5EqyJSm_wuqZFm zsUWh@*TB#>%F`>gOgqrW+*I2w$2_;vDY48n+k&gIJYV0}$TZl^G&j4bpd`yQH#js& z+cPJ_Ge1Aq%cUsMMcY8TvcR}B%N5 zsw_)WQ?qdI-0Q;zlG<&$nE{bC5XYv$(j zMDX&7FsA~(kCnoU4P6giY0(i#Q{+0Cscif9;FF#=N1WGhlUO$4LCq<>nEQo=xsNQ3 o-sq^l&p#w(_HR=6zLc!LH7Tb~uJ}5CTh>jFdB#UBH)Xp505GDwE&u=k literal 0 HcmV?d00001 diff --git a/secrets/open-webui.age b/secrets/open-webui.age new file mode 100644 index 0000000000000000000000000000000000000000..3c616d73ecf73af7ff5c8b8c8278e68d9318a1fe GIT binary patch literal 822 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU7FZOqia#ScWa7~Of zF7oh=jLOOnPjL)0OY?Be@Y46u&&n_N$PCPg)D8GBT&J~FSOFcB0VQJ%`_#) zJu%A?BDATdzC*e5GD z!ZJIXfgdsLaC6Cmr3kfDrSvv~&e0%ivr?|4`#xzu-u>+=_DJ)Ix)7 zv%n-T53ek557WGeNN3|p{|f(XLsu?~u&VsToD%0?{i@=~KvQ$0;FPc`pE5HGcT@M` z!qUw0$KLwZ&uMRAq%pRCf~vZ11EX_e;b@QqWvn|gkg{`$pS?e^|8m+$Zq4Cwdf`}M_-MYN?QbaBSx!+-