service: ollama + open-webui

hosts/server_big/default.nix

@@ -40,6 +40,10 @@
 
   environment = {
     etc = {
+      "fail2ban/filter.d/open-webui.conf" = {
+        source = ../../modules/services/server/fail2ban/filter/open-webui.conf;
+        mode = "0444";
+      };
       "fail2ban/filter.d/gitea.conf" = {
         source = ../../modules/services/server/fail2ban/filter/gitea.conf;
         mode = "0444";
@@ -80,6 +84,12 @@
            findtime = "15m";
         };
         jails = {
+            open-webui = ''
+              enabled = true
+              filter = open-webui
+              backend = systemd
+              action = iptables-allports
+            '';
             gitea = ''
               enabled = true
               filter = gitea

modules/services/server/default.nix

@@ -18,7 +18,7 @@
   ./matrix.nix
   ./coturn.nix
   ./jitsi.nix
-  #./ollama.nix
+  ./ollama.nix
 ]
 
 # picom, polybar and sxhkd are pulled from desktop module

modules/services/server/fail2ban/filter/gitea.conf

@@ -1,5 +1,4 @@
 [Definition]
 failregex =  .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
 ignoreregex =
-#journalmatch = _SYSTEMD_UNIT=gitea.servie
-journalmatch = 
+journalmatch = _SYSTEMD_UNIT=gitea.service + _COMM=gitea

modules/services/server/fail2ban/filter/open-webui.conf

@@ -0,0 +1,4 @@
+[Definition]
+failregex =  <HOST> - .*(401 Unauthorized|invalid credentials|Attempted access of unknown user).*
+ignoreregex =
+journalmatch = _SYSTEMD_UNIT=podman-open-webui.service + _COMM=podman-open-webui

modules/services/server/ollama.nix

@@ -4,20 +4,25 @@ let
   ollamahostname = "llm.kabtop.de";
 in
 {
-    services.ollama = {
-        enable = true;
-        listenAddress = "127.0.0.1:11434";
-    };
+  virtualisation.oci-containers.containers."open-webui" = {
+    autoStart = true;
+    image = "ghcr.io/open-webui/open-webui:ollama";
+    volumes = [
+      "/var/lib/open-webui:/app/backend/data"
+    ];
+    hostname = "open-webui";
+    ports = [ "8081:8080" ];
+  };
 
-    services.nginx = {
-        virtualHosts = {
-            ollamahostname = {
-                enableACME = true;
-                forceSSL = true;
-                listen = [ {
-                    addr = "127.0.0.1"; port = 11434;
-                } ];
-            };
-        };
+  services = {
+    nginx = {
+      virtualHosts = {
+          ${ollamahostname} = {
+              enableACME = true;
+              forceSSL = true;
+              locations."/".proxyPass = "http://localhost:8081";
+          };
+      };
     };
+  };
 }