From 8d4d1e4be8241108ca475a335b83df75bf07e417 Mon Sep 17 00:00:00 2001
From: Kabbone <tobias@opel-online.de>
Date: Sun, 14 Apr 2024 21:04:25 +0200
Subject: [PATCH] service: ollama + open-webui

---
 hosts/server_big/default.nix                  | 10 ++++++
 modules/services/server/default.nix           |  2 +-
 .../server/fail2ban/filter/open-webui.conf    |  4 +++
 modules/services/server/ollama.nix            | 33 +++++++++++--------
 4 files changed, 34 insertions(+), 15 deletions(-)
 create mode 100644 modules/services/server/fail2ban/filter/open-webui.conf

diff --git a/hosts/server_big/default.nix b/hosts/server_big/default.nix
index d4b4187..a5c273c 100644
--- a/hosts/server_big/default.nix
+++ b/hosts/server_big/default.nix
@@ -40,6 +40,10 @@
 
   environment = {
     etc = {
+      "fail2ban/filter.d/open-webui.conf" = {
+        source = ../../modules/services/server/fail2ban/filter/open-webui.conf;
+        mode = "0444";
+      };
       "fail2ban/filter.d/gitea.conf" = {
         source = ../../modules/services/server/fail2ban/filter/gitea.conf;
         mode = "0444";
@@ -80,6 +84,12 @@
            findtime = "15m";
         };
         jails = {
+            open-webui = ''
+              enabled = true
+              filter = open-webui
+              backend = systemd
+              action = iptables-allports
+            '';
             gitea = ''
               enabled = true
               filter = gitea
diff --git a/modules/services/server/default.nix b/modules/services/server/default.nix
index 1770bd0..a907c01 100644
--- a/modules/services/server/default.nix
+++ b/modules/services/server/default.nix
@@ -18,7 +18,7 @@
   ./matrix.nix
   ./coturn.nix
   ./jitsi.nix
-  #./ollama.nix
+  ./ollama.nix
 ]
 
 # picom, polybar and sxhkd are pulled from desktop module
diff --git a/modules/services/server/fail2ban/filter/open-webui.conf b/modules/services/server/fail2ban/filter/open-webui.conf
new file mode 100644
index 0000000..21410fd
--- /dev/null
+++ b/modules/services/server/fail2ban/filter/open-webui.conf
@@ -0,0 +1,4 @@
+[Definition]
+failregex =  <HOST> - .*(401 Unauthorized|invalid credentials|Attempted access of unknown user).*
+ignoreregex =
+journalmatch = _SYSTEMD_UNIT=podman-open-webui.service + _COMM=podman-open-webui
diff --git a/modules/services/server/ollama.nix b/modules/services/server/ollama.nix
index 926ac2e..cce9acd 100644
--- a/modules/services/server/ollama.nix
+++ b/modules/services/server/ollama.nix
@@ -4,20 +4,25 @@ let
   ollamahostname = "llm.kabtop.de";
 in
 {
-    services.ollama = {
-        enable = true;
-        listenAddress = "127.0.0.1:11434";
-    };
+  virtualisation.oci-containers.containers."open-webui" = {
+    autoStart = true;
+    image = "ghcr.io/open-webui/open-webui:ollama";
+    volumes = [
+      "/var/lib/open-webui:/app/backend/data"
+    ];
+    hostname = "open-webui";
+    ports = [ "8081:8080" ];
+  };
 
-    services.nginx = {
-        virtualHosts = {
-            ollamahostname = {
-                enableACME = true;
-                forceSSL = true;
-                listen = [ {
-                    addr = "127.0.0.1"; port = 11434;
-                } ];
-            };
-        };
+  services = {
+    nginx = {
+      virtualHosts = {
+          ${ollamahostname} = {
+              enableACME = true;
+              forceSSL = true;
+              locations."/".proxyPass = "http://localhost:8081";
+          };
+      };
     };
+  };
 }