Let's hope that this is not a productive system. I want to say that you'd have to try hard to do something that stupid, but then again, knowing from myself, you can cause a lot of trouble with a single command in a cli somewhere.
Yes, since we have similar gpus you could try the following to run it in a docker container on linux, taken from here and slightly modified:
```bash
#!/bin/bash
model=microsoft/phi-2
# share a volume with the Docker container to avoid downloading weights every run
volume="<path-to-your-data-directory>/data"
# the two -e variables select the ROCm GPU architecture; /dev/kfd and /dev/dri pass the GPU into the container
docker run \
  -e HSA_OVERRIDE_GFX_VERSION=10.3.0 \
  -e PYTORCH_ROCM_ARCH="gfx1031" \
  --device /dev/kfd --device /dev/dri \
  --shm-size 1g -p 8080:80 \
  -v "$volume:/data" \
  ghcr.io/huggingface/text-generation-inference:1.4-rocm --model-id "$model"
```
Note how the rocm version has a different tag and that you need to mount your gpu device into the container. The two environment variables are specific to my (and maybe yours also) gpu architecture. It will need a while to download though.
Huggingface TGI is just a piece of software handling the models, like gpt4all. Here is a list of models officially supported by TGI, although they state that you can try different ones as well. You follow the link and look for the files section. The size of the model files (safetensors or pickle binaries) gives a good estimate of how much vram you will need. Sadly this is more than most consumer graphics cards have except for santacoder and microsoft phi.
I tried Huggingface TGI yesterday, but all of the reasonable models need at least 16 gigs of vram. The only model I got working (on a desktop machine with an amd 6700xt gpu) was microsoft phi-2.
It's true that you shouldn't open ports to the internet. If you still want your services to be accessible from outside the local network you can install a wireguard server on your thin client that has access to the services you want. And if you really want to harden it you can restrict wireguard clients from ssh and other admin things.
You will need to open one port on the router to your wireguard server though. Wireguard is UDP though and ignores packets without an established connection, so attackers will not even know there is an open port on your router.
Edit: tailscale and zerotier are good external solutions to this as well without needing to open a port at all.
Fedora uses Wayland by default at least and it's really smooth, and it has gotten much better in the last two years or so. It also is a rolling release, which means always the newest software and latest kernel, which further improves wayland performance.
Canonical has made some questionable choices for Ubuntu in the last years like pushing the users to use snaps (which are shot) or advertisements in the terminal. But then again you can always use Debian in the first place I guess.
You can use systemd-analyze blame if you want raw numbers:
This command prints a list of all running units, ordered by the time they took to initialize. This information may be used to optimize boot-up times.
Good way to see if your systemd also waits 2 minutes for a network connection which already exists but it can't see it because systemd doesn't do the networking (lxc containers on proxmox in my case) lol.