# NixOS module: Ollama + Open WebUI, fronted by an nginx TLS virtual host.
#
# Layout (all addresses/ports come from the flake's instance config):
#   ollama      -> bindAddr:apiPort  (services.ollama)
#   open-webui  -> bindAddr:webPort  (services.open-webui, talks to ollama over apiUrl)
#   nginx       -> bindAddr:4443     (onlySSL, reverse-proxies to open-webui)
{flake, ...}: let
  inherit (flake.config.people) user0;
  inherit (flake.config.people.user.${user0}) domain;
  inherit (flake.config.system.device) server wildcard;
  inherit (flake.config.service.instance) ollama acme;

  # NOTE(review): this value is `wildcard.ip.address0`, which reads like a
  # wildcard/LAN-facing address rather than a loopback one — confirm what it
  # resolves to before treating the listeners below as local-only.
  bindAddr = wildcard.ip.address0;

  # Public name of this instance, e.g. "<subdomain>.<domain>".
  fqdn = "${ollama.subdomain}.${domain.url0}";

  webPort = ollama.ports.port0; # Open WebUI
  apiPort = ollama.ports.port1; # Ollama HTTP API

  apiUrl = "http://${bindAddr}:${toString apiPort}";
  webUrl = "http://${bindAddr}:${toString webPort}";

  # tmpfiles "Z" line: recursively set owner/group/mode on an existing tree.
  ownedByOllama = path: "Z ${path} 0755 ${ollama.name} ${ollama.name} -";
in {
  services.ollama = {
    enable = true;
    acceleration = false;
    user = ollama.name;
    group = ollama.name;
    # Scheme-prefixed bind address (ollama strips the scheme from OLLAMA_HOST).
    host = "http://${bindAddr}";
    port = apiPort;
  };

  services.open-webui = {
    enable = true;
    host = bindAddr;
    port = webPort;
    environment = {
      ENABLE_OLLAMA_API = "True";
      OLLAMA_BASE_URL = apiUrl;
      # Require login on the web UI.
      WEBUI_AUTH = "True";
      # Opt out of all outbound telemetry.
      ANONYMIZED_TELEMETRY = "False";
      DO_NOT_TRACK = "True";
      SCARF_NO_ANALYTICS = "True";
    };
  };

  # Alternative Caddy front end, kept for reference (not enabled). Note it
  # refers to `ports.port0`, which is not bound in this module; it would need
  # `ollama.ports.port0` (or webPort) if revived.
  #
  # services.caddy.virtualHosts.${fqdn}.extraConfig = ''
  #   reverse_proxy ${bindAddr}:${toString webPort}
  #   tls ${ollama.ssl.cert} ${ollama.ssl.key}
  # '';

  services.nginx = {
    enable = true;
    virtualHosts = {
      ${fqdn} = {
        onlySSL = true;
        sslCertificate = ollama.ssl.cert;
        sslCertificateKey = ollama.ssl.key;
        listen = [
          {
            addr = bindAddr;
            port = 4443;
            ssl = true;
          }
        ];
        locations = {
          "/" = {
            proxyPass = webUrl;
            # Forward client identity/scheme so the app sees the real origin.
            extraConfig = ''
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;
            '';
          };
        };
      };
    };
  };

  # Bind-mount the model/state store from bulk storage onto the service's
  # state dir; depends on the storage mount being up first.
  fileSystems."/var/lib/${ollama.name}" = {
    device = ollama.paths.path0;
    fsType = "none";
    options = ["bind"];
    depends = [server.storage0.mount];
  };

  systemd.tmpfiles.rules = [
    (ownedByOllama ollama.paths.path0)
    # NOTE(review): this recursively re-owns the ACME directory for this host
    # to the ollama user and applies 0755 to the whole tree. Verify that the
    # TLS private key under it does not end up readable by other users, and
    # that the ACME client (which normally owns this path) can still renew.
    # nginx reads the certificate as root, so this chown is likely not what
    # lets nginx serve it — confirm what actually needs it.
    (ownedByOllama "${acme.paths.path0}/${fqdn}")
  ];

  # NOTE(review): this opens the plaintext Open WebUI port and the Ollama API
  # port directly on bindAddr, while the nginx TLS listener (4443) is not
  # listed. If the intent is TLS-only access through nginx, 4443 would be the
  # port to allow and these two would stay closed; as written, clients that
  # can reach bindAddr can bypass the proxy, and the API port is presumably
  # unauthenticated — confirm which exposure is intended.
  networking.firewall.allowedTCPPorts = [ webPort apiPort ];
}