service: ollama + open-webui

2024-04-14 21:04:25 +02:00 · 2024-04-14 21:04:25 +02:00 · 8d4d1e4be8
commit 8d4d1e4be8
parent 653476ec32
4 changed files with 34 additions and 15 deletions
--- a/hosts/server_big/default.nix
+++ b/hosts/server_big/default.nix
@ -40,6 +40,10 @@

  environment = {
    etc = {
+      "fail2ban/filter.d/open-webui.conf" = {
+        source = ../../modules/services/server/fail2ban/filter/open-webui.conf;
+        mode = "0444";
+      };
      "fail2ban/filter.d/gitea.conf" = {
        source = ../../modules/services/server/fail2ban/filter/gitea.conf;
        mode = "0444";
@ -80,6 +84,12 @@
           findtime = "15m";
        };
        jails = {
+            open-webui = ''
+              enabled = true
+              filter = open-webui
+              backend = systemd
+              action = iptables-allports
+            '';
            gitea = ''
              enabled = true
              filter = gitea
--- a/modules/services/server/default.nix
+++ b/modules/services/server/default.nix
@ -18,7 +18,7 @@
  ./matrix.nix
  ./coturn.nix
  ./jitsi.nix
-  #./ollama.nix
+  ./ollama.nix
 ]

 # picom, polybar and sxhkd are pulled from desktop module
--- a/modules/services/server/fail2ban/filter/open-webui.conf
+++ b/modules/services/server/fail2ban/filter/open-webui.conf
@ -0,0 +1,4 @@
+[Definition]
+failregex =  <HOST> - .*(401 Unauthorized|invalid credentials|Attempted access of unknown user).*
+ignoreregex =
+journalmatch = _SYSTEMD_UNIT=podman-open-webui.service + _COMM=podman-open-webui
--- a/modules/services/server/ollama.nix
+++ b/modules/services/server/ollama.nix
@ -4,20 +4,25 @@ let
  ollamahostname = "llm.kabtop.de";
 in
 {
-    services.ollama = {
-        enable = true;
-        listenAddress = "127.0.0.1:11434";
-    };
+  virtualisation.oci-containers.containers."open-webui" = {
+    autoStart = true;
+    image = "ghcr.io/open-webui/open-webui:ollama";
+    volumes = [
+      "/var/lib/open-webui:/app/backend/data"
+    ];
+    hostname = "open-webui";
+    ports = [ "8081:8080" ];
+  };

-    services.nginx = {
-        virtualHosts = {
-            ollamahostname = {
-                enableACME = true;
-                forceSSL = true;
-                listen = [ {
-                    addr = "127.0.0.1"; port = 11434;
-                } ];
-            };
-        };
+  services = {
+    nginx = {
+      virtualHosts = {
+          ${ollamahostname} = {
+              enableACME = true;
+              forceSSL = true;
+              locations."/".proxyPass = "http://localhost:8081";
+          };
+      };
    };
+  };
 }