feat: add omni app

Author: Banh-Canh

README.md

@@ -68,22 +68,48 @@ The Helm chart consists of the following components:
 
 - A choice of frontend web-apps built using [Gradio](https://www.gradio.app) (see [web-apps](./web-apps/)). Each web interface is available as a pre-built container image [hosted on ghcr.io](https://github.com/orgs/stackhpc/packages?repo_name=azimuth-llm) and be configured for each Helm release by changing the `ui.image` section of the chart values.
 
-<!-- ## Development
+## Development environment (devenv + direnv)
 
-TODO: Update this
+This repo uses [devenv](https://devenv.sh) (Nix-backed) to pin the full developer toolchain — Python 3.11, `uv`, `ruff`, `black`, `kubectl`, `helm`, `kind`, `chart-testing`, `grype`, `jq`, `yq` — and [direnv](https://direnv.net) to load that environment automatically whenever you `cd` into the repo. The `devenv.nix`, `devenv.yaml`, `devenv.lock`, and `.envrc` files at the repo root are the source of truth; nothing needs to be installed globally except devenv and direnv themselves.
 
-The GitHub repository includes a [tilt](https://tilt.dev) file for easier development. After installing tilt locally, simply run `tilt up` from the repo root to get started with development. This will trigger the following:
+### One-time setup
 
-- Install the backend API components of the Helm chart on the remote k8s cluster specified by your current k8s context.
+1. Install Nix: <https://nixos.org/download> (or use the [Determinate Systems installer](https://github.com/DeterminateSystems/nix-installer)).
+2. Install devenv: <https://devenv.sh/getting-started/> (typically `nix profile install nixpkgs#devenv`).
+3. Install direnv: <https://direnv.net/docs/installation.html> and hook it into your shell (e.g. add `eval "$(direnv hook zsh)"` to `~/.zshrc`).
+4. From the repo root, allow the `.envrc` once:
 
-- Create a port-forward from the remote cluster to `localhost:8080`
+   ```
+   direnv allow
+   ```
 
-- Create a local `tilt-dev-venv` in the repo root containing the required Python dependencies to run the frontend web app locally.
+   The first activation will build the dev shell and may take several minutes. Subsequent `cd` into the directory is near-instant (cached).
 
-- Launch the frontend web app locally on `127.0.0.1:7860`, configured to use `localhost:8080` as the backend API
+### What you get on shell entry
 
-- Watch all components and only reload the minimal set of components needed when a file in the repo changes (e.g. modifying `chart/web-app/app.py` will restart the local web app instance only) -->
+Every time direnv activates the shell, `devenv.nix` prints the available commands. The most important:
 
-<!-- ## Adding a new web interface
+| Command | What it does |
+| --- | --- |
+| `omni-run` | Creates/refreshes `web-apps/omni/.venv` from `web-apps/omni/requirements.txt` (via `uv`) and launches the Omni Gradio UI on <http://localhost:7860>. |
+| `build [component] [--tag TAG]` | Builds the container image for a web-app under `web-apps/` (omit `component` to build all). |
+| `scan  [component] [--tag TAG] [--fail-on SEV]` | Builds (if needed) then runs a Grype vulnerability scan against the image. |
+| `prek -a` | Runs the configured pre-commit hooks (treefmt: `nixfmt`, `black`) across all files. |
 
-TODO: Write these docs... -->
+Components are auto-discovered from any subdirectory of `web-apps/` that contains a `Dockerfile`, so adding a new web-app requires no changes to `devenv.nix`.
+
+### Without direnv
+
+If you'd rather not use direnv, you can enter the same environment manually from the repo root:
+
+```
+devenv shell
+```
+
+…and then run any of the commands above. Exit with `exit` or `Ctrl-D`.
+
+### Notes
+
+- Python dependencies for each web-app are pinned in that web-app's own `requirements.txt` and installed by `uv` into a local `.venv/`. devenv does **not** manage those packages — this guarantees the dev environment matches the container image built by the Dockerfile.
+- On NixOS, `LD_LIBRARY_PATH` is preset in `devenv.nix` so that PyPI wheels with native extensions (numpy, scipy, pillow, …) can find `libstdc++`, `libz`, `libjpeg`, `libpng`, and `libwebp` at runtime.
+- `devenv.lock` pins the exact `nixpkgs` revision; commit it alongside any change to `devenv.nix`/`devenv.yaml` so collaborators get the same toolchain.

devenv.nix

@@ -1,27 +1,44 @@
-{ pkgs, ... }:
+{
+  pkgs,
+  lib,
+  ...
+}:
 let
-  allComponents = "chat image-analysis flux-image-gen";
   imagePrefix = "ghcr.io/stackhpc/azimuth-llm";
-  webAppsDir = "./web-apps";
+  webAppsDir = ./web-apps;
+
+  # Discover components: subdirs of web-apps/ that contain a Dockerfile.
+  # Keeps `build`, `scan`, and the help text in sync with the filesystem
+  # so adding a web-app requires no edits here.
+  componentList =
+    let
+      entries = builtins.readDir webAppsDir;
+      isComponent =
+        name: entries.${name} == "directory" && builtins.pathExists (webAppsDir + "/${name}/Dockerfile");
+    in
+    lib.sort lib.lessThan (lib.filter isComponent (builtins.attrNames entries));
 
-  # Resolves "all" or empty arg to the full list, validates otherwise.
-  resolveComponents = ''
-    ALL_COMPONENTS="${allComponents}"
+  # Shell prelude shared by every script that operates on components.
+  # Provides:
+  #   resolve_components <input>  - echo input (validated) or all components
+  #   image_name <component>      - echo the full image reference
+  componentPrelude = ''
+    ALL_COMPONENTS="${lib.concatStringsSep " " componentList}"
 
     resolve_components() {
       local input="$1"
       if [ -z "$input" ] || [ "$input" = "all" ]; then
         echo "$ALL_COMPONENTS"
-      else
-        for c in $input; do
-          if ! echo " $ALL_COMPONENTS " | grep -q " $c "; then
-            echo "Unknown component: $c" >&2
-            echo "Available: $ALL_COMPONENTS" >&2
-            return 1
-          fi
-        done
-        echo "$input"
+        return 0
       fi
+      for c in $input; do
+        if ! echo " $ALL_COMPONENTS " | grep -q " $c "; then
+          echo "Unknown component: $c" >&2
+          echo "Available: $ALL_COMPONENTS" >&2
+          return 1
+        fi
+      done
+      echo "$input"
     }
 
     image_name() {
@@ -44,12 +61,29 @@ in
     # CI tooling
     jq
     yq-go
-    # Python
+    curl
+    # Python toolchain.
+    # devenv is NOT the source of truth for Python deps: the pinned
+    # requirements.txt in each web-app is, and uv installs from it.
+    # This guarantees the devenv .venv matches the Dockerfile-built image.
+    # The Dockerfile must use the same Python minor version.
     python311
+    uv
     ruff
     black
   ];
 
+  # PyPI wheels (numpy, scipy, pillow, ...) are linked against system libs
+  # that don't exist on NixOS at standard FHS paths. Expose them via
+  # LD_LIBRARY_PATH so the wheels' C extensions can load.
+  env.LD_LIBRARY_PATH = pkgs.lib.makeLibraryPath [
+    pkgs.stdenv.cc.cc.lib # libstdc++.so.6, libgcc_s.so.1
+    pkgs.zlib # libz.so.1 (numpy, scipy, pillow)
+    pkgs.libjpeg # libjpeg.so (pillow)
+    pkgs.libpng # libpng.so (pillow)
+    pkgs.libwebp # libwebp.so (pillow)
+  ];
+
   treefmt = {
     enable = true;
     config.programs = {
@@ -69,7 +103,8 @@ in
 
   scripts = {
     build.exec = ''
-      ${resolveComponents}
+      ${componentPrelude}
+
       TAG="latest"
       COMPONENT=""
       while [ $# -gt 0 ]; do
@@ -78,20 +113,20 @@ in
           *)     COMPONENT="$COMPONENT $1"; shift ;;
         esac
       done
-      COMPONENT="''${COMPONENT## }"
 
-      TARGETS=$(resolve_components "$COMPONENT") || exit 1
+      TARGETS=$(resolve_components "''${COMPONENT## }") || exit 1
       for c in $TARGETS; do
         echo "==> Building $c (tag: $TAG)"
         docker build \
           -t "$(image_name "$c"):$TAG" \
-          -f ${webAppsDir}/"$c"/Dockerfile \
-          ${webAppsDir}/
+          -f ./web-apps/"$c"/Dockerfile \
+          ./web-apps/
       done
     '';
 
     scan.exec = ''
-      ${resolveComponents}
+      ${componentPrelude}
+
       TAG="latest"
       FAIL_ON="critical"
       COMPONENT=""
@@ -102,32 +137,68 @@ in
           *)         COMPONENT="$COMPONENT $1"; shift ;;
         esac
       done
-      COMPONENT="''${COMPONENT## }"
 
-      TARGETS=$(resolve_components "$COMPONENT") || exit 1
+      TARGETS=$(resolve_components "''${COMPONENT## }") || exit 1
       EXIT=0
       for c in $TARGETS; do
         build "$c" --tag "$TAG"
-
         IMAGE="$(image_name "$c"):$TAG"
         echo ""
         echo "==> Scanning $IMAGE (fail-on: $FAIL_ON)"
-        if ! grype "$IMAGE" --fail-on "$FAIL_ON" --only-fixed; then
-          EXIT=1
-        fi
+        grype "$IMAGE" --fail-on "$FAIL_ON" --only-fixed || EXIT=1
       done
       exit $EXIT
     '';
+
+    # ---------------- omni helpers ----------------
+    #
+    # omni-venv installs omni's Python deps into web-apps/omni/.venv from
+    # requirements.txt, re-running only when requirements.txt is newer than
+    # the install stamp. The `../utils` line in requirements.txt is resolved
+    # by uv as a local path dep (same mechanism the Dockerfile uses, modulo
+    # the sed rewrite).
+    #
+    # omni-run ensures the venv is up to date, activates it, and launches
+    # the Gradio UI.
+
+    omni-venv.exec = ''
+      set -e
+      cd ./web-apps/omni
+      STAMP=.venv/.installed
+      if [ ! -d .venv ] || [ requirements.txt -nt "$STAMP" ]; then
+        echo "==> Creating/refreshing ./web-apps/omni/.venv (Python 3.11)"
+        uv venv --python 3.11 .venv
+        # shellcheck disable=SC1091
+        . .venv/bin/activate
+        echo "==> Installing dependencies from requirements.txt"
+        uv pip install -r requirements.txt
+        touch "$STAMP"
+      fi
+    '';
+
+    omni-run.exec = ''
+      set -e
+      omni-venv
+      cd ./web-apps/omni
+      # shellcheck disable=SC1091
+      . .venv/bin/activate
+      echo "==> Starting Omni interface on http://localhost:7860"
+      exec python app.py "$@"
+    '';
   };
 
   enterShell = ''
     echo "$GREET"
     echo ""
-    echo "Commands (component = chat | image-analysis | flux-image-gen | omit for all):"
+    echo "Commands (component = ${lib.concatStringsSep " | " componentList} | omit for all):"
     echo ""
     echo "  prek  -a                                       Format/lint all files"
     echo "  build [component] [--tag TAG]                  Build container image(s)"
     echo "  scan  [component] [--tag TAG] [--fail-on SEV]  Build if needed + Grype scan"
     echo ""
+    echo "Omni (multimodal UI) helpers:"
+    echo ""
+    echo "  omni-run                                       Start the Omni Gradio UI on :7860"
+    echo ""
   '';
 }

web-apps/chat/Dockerfile

@@ -1,6 +1,6 @@
 FROM ghcr.io/astral-sh/uv:python3.11-bookworm-slim
 
-RUN apt-get update && apt-get install -y libssl3=3.0.19-1~deb12u2 openssl=3.0.19-1~deb12u2 && rm -rf /var/lib/apt/lists/*
+RUN apt-get update && apt-get install -y libssl3=3.0.19-1~deb12u2 openssl=3.0.19-1~deb12u2 libgnutls30=3.7.9-2+deb12u7 && rm -rf /var/lib/apt/lists/*
 
 ARG DIR=chat
 

web-apps/flux-image-gen/Dockerfile

@@ -1,13 +1,50 @@
 FROM ghcr.io/astral-sh/uv:python3.11-trixie
 
-# https://stackoverflow.com/questions/55313610/importerror-libgl-so-1-cannot-open-shared-object-file-no-such-file-or-directo
+ARG IMAGEMAGICK_VERSION=8:7.1.1.43+dfsg1-1+deb13u9
+ARG LIBUNBOUND_VERSION=1.22.0-2+deb13u3
+ARG KRB5_VERSION=1.21.3-5+deb13u1
+ARG LIBGCRYPT_VERSION=1.11.0-7+deb13u1
 RUN apt-get update && \
-    apt-get install -y ffmpeg libsm6 libxext6 && \
+    apt-get install -y --no-install-recommends \
+        ffmpeg \
+        libsm6 \
+        libxext6 \
+        "imagemagick=${IMAGEMAGICK_VERSION}" \
+        "imagemagick-7-common=${IMAGEMAGICK_VERSION}" \
+        "imagemagick-7.q16=${IMAGEMAGICK_VERSION}" \
+        "libmagickcore-7-arch-config=${IMAGEMAGICK_VERSION}" \
+        "libmagickcore-7-headers=${IMAGEMAGICK_VERSION}" \
+        "libmagickcore-7.q16-10=${IMAGEMAGICK_VERSION}" \
+        "libmagickcore-7.q16-10-extra=${IMAGEMAGICK_VERSION}" \
+        "libmagickcore-7.q16-dev=${IMAGEMAGICK_VERSION}" \
+        "libmagickcore-dev=${IMAGEMAGICK_VERSION}" \
+        "libmagickwand-7-headers=${IMAGEMAGICK_VERSION}" \
+        "libmagickwand-7.q16-10=${IMAGEMAGICK_VERSION}" \
+        "libmagickwand-7.q16-dev=${IMAGEMAGICK_VERSION}" \
+        "libmagickwand-dev=${IMAGEMAGICK_VERSION}" \
+        "libunbound8=${LIBUNBOUND_VERSION}" \
+        "krb5-multidev=${KRB5_VERSION}" \
+        "libgssapi-krb5-2=${KRB5_VERSION}" \
+        "libgssrpc4t64=${KRB5_VERSION}" \
+        "libk5crypto3=${KRB5_VERSION}" \
+        "libkadm5clnt-mit12=${KRB5_VERSION}" \
+        "libkadm5srv-mit12=${KRB5_VERSION}" \
+        "libkdb5-10t64=${KRB5_VERSION}" \
+        "libkrb5-3=${KRB5_VERSION}" \
+        "libkrb5-dev=${KRB5_VERSION}" \
+        "libkrb5support0=${KRB5_VERSION}" \
+        "libgcrypt20=${LIBGCRYPT_VERSION}" && \
+    apt-get clean && \
     rm -rf /var/lib/apt/lists/*
 
 
 ARG DIR=flux-image-gen
 
+RUN uv pip install --system --no-cache-dir --upgrade \
+        pip \
+        setuptools \
+        wheel
+
 COPY $DIR/requirements.txt requirements.txt
 RUN uv pip install --system --no-cache-dir -r requirements.txt
 

web-apps/flux-image-gen/requirements.txt

@@ -1,4 +1,6 @@
 flux[gradio] @ git+https://github.com/black-forest-labs/flux@478338d
 fastapi[standard]
 httpx
+urllib3>=2.7.0
+idna>=3.15
 # ../utils

web-apps/image-analysis/Dockerfile

@@ -1,7 +1,8 @@
 FROM ghcr.io/astral-sh/uv:python3.11-bookworm-slim
 
 RUN apt-get update && \
-    apt-get install -y --only-upgrade libssl3=3.0.19-1~deb12u2 openssl=3.0.19-1~deb12u2 && \
+    apt-get install -y --only-upgrade libssl3=3.0.19-1~deb12u2 openssl=3.0.19-1~deb12u2 \
+      libgnutls30=3.7.9-2+deb12u7 && \
     rm -rf /var/lib/apt/lists/*
 
 ARG DIR=image-analysis

web-apps/omni/Dockerfile

@@ -0,0 +1,25 @@
+FROM ghcr.io/astral-sh/uv:python3.11-bookworm-slim
+
+RUN apt-get update && apt-get install -y \
+      libssl3=3.0.19-1~deb12u2 \
+      openssl=3.0.19-1~deb12u2 \
+      libgnutls30=3.7.9-2+deb12u7 \
+    && rm -rf /var/lib/apt/lists/*
+
+ARG DIR=omni
+
+COPY $DIR/requirements.txt requirements.txt
+RUN sed -i s$../utils$./utils$ requirements.txt
+COPY utils utils
+RUN uv pip install --system --no-cache-dir -r requirements.txt
+
+COPY purge-google-fonts.sh purge-google-fonts.sh
+RUN bash purge-google-fonts.sh
+
+WORKDIR /app
+
+COPY $DIR/*.py .
+
+COPY $DIR/defaults.yml .
+
+ENTRYPOINT ["python3", "app.py"]