diff --git a/config/services/kanidm.nix b/config/services/kanidm.nix index 408a38f..a491141 100644 --- a/config/services/kanidm.nix +++ b/config/services/kanidm.nix @@ -122,6 +122,7 @@ in { groups."rss.access" = {}; groups."firefly.access" = {}; + groups."ollama.access" = {}; groups."adguardhome.access" = { }; systems.oauth2.oauth2-proxy = { @@ -131,12 +132,14 @@ in { scopeMaps."adguardhome.access" = ["openid" "email" "profile"]; scopeMaps."rss.access" = ["openid" "email" "profile"]; scopeMaps."firefly.access" = ["openid" "email" "profile"]; + scopeMaps."ollama.access" = ["openid" "email" "profile"]; preferShortUsername = true; claimMaps.groups = { joinType = "array"; valuesByGroup."adguardhome.access" = ["adguardhome_access"]; valuesByGroup."rss.access" = ["ttrss_access"]; valuesByGroup."firefly.access" = ["firefly_access"]; + valuesByGroup."ollama.access" = ["ollama_access"]; }; }; diff --git a/config/services/ollama.nix b/config/services/ollama.nix index eafdf7b..006a2c9 100644 --- a/config/services/ollama.nix +++ b/config/services/ollama.nix 
@@ -1,10 +1,32 @@
-{
- networking.firewall.allowedTCPPorts = [11434];
+{config, ...}: {
+ wireguard.elisabeth = {
+ client.via = "elisabeth";
+ firewallRuleForNode.elisabeth.allowedTCPPorts = [config.services.open-webui.port];
+ };
+ networking.firewall.allowedTCPPorts = [config.services.open-webui.port];
 services.ollama = {
- listenAddress = "0.0.0.0:11434";
+ host = "localhost";
+ port = 3001;
 enable = true;
 };
+ services.open-webui = {
+ host = "0.0.0.0";
+ port = 3000;
+ enable = true;
+ environment = {
+ OLLAMA_BASE_URL = "http://localhost:3001";
+ ANONYMIZED_TELEMETRY = "False";
+ DO_NOT_TRACK = "True";
+ SCARF_NO_ANALYTICS = "True";
+ TRANSFORMERS_CACHE = "/var/lib/open-webui/cache/huggingface";
+ WEBUI_AUTH_TRUSTED_EMAIL_HEADER = "X-Email";
+ };
+ };
 environment.persistence."/state".directories = [
+ {
+ directory = "/var/lib/private/open-webui";
+ mode = "0700";
+ }
 {
 directory = "/var/lib/private/ollama";
 mode = "0700";
diff --git a/hosts/elisabeth/secrets/kanidm/secrets.nix.age b/hosts/elisabeth/secrets/kanidm/secrets.nix.age
index 8144c56..9ed0d2b 100644
Binary files a/hosts/elisabeth/secrets/kanidm/secrets.nix.age and b/hosts/elisabeth/secrets/kanidm/secrets.nix.age differ
diff --git a/secrets/wireguard/elisabeth/keys/elisabeth-ollama.age b/secrets/wireguard/elisabeth/keys/elisabeth-ollama.age
new file mode 100644
index 0000000..042fc85
--- /dev/null
+++ b/secrets/wireguard/elisabeth/keys/elisabeth-ollama.age
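Review bot: `WEBUI_AUTH_TRUSTED_EMAIL_HEADER = "X-Email"` makes open-webui accept whatever `X-Email` header a request carries as the logged-in identity, while `host = "0.0.0.0"` together with `networking.firewall.allowedTCPPorts = [config.services.open-webui.port];` exposes port 3000 on every interface rather than only to the authenticating proxy. Any client that reaches the port without passing through the proxy can therefore assert an arbitrary account. `firewallRuleForNode.elisabeth.allowedTCPPorts` presumably already admits the proxy node over WireGuard, so I would drop the global `networking.firewall.allowedTCPPorts` line and, if the WireGuard module exposes the local tunnel address, bind `host` to it instead of `0.0.0.0`. The proxy in front should also strip any client-supplied `X-Email` before setting its own; that configuration is not visible in this diff. The `environment.persistence` list continues past the end of the hunk.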
@@ -0,0 +1,16 @@ +age-encryption.org/v1 +-> X25519 Fpotjtu7lksK7LzYZTkTP7OXF2etf6k/jAs3qT63pyg +Az3CTRHiYmqI9mVSvt61WgbQa1Sw7tTI/GwuwGNm2Rk +-> piv-p256 ZFgiIw AwwKW8KYhA3dsUgANUxvffEiFLOadwllahNrchfzQTfq +AO08XTSUINWT5eY1EgPqHHSY/y0gsgszz3psNnGSauA +-> piv-p256 XTQkUA AuxujxLf1wM1siHqnkbayQ6C4KZbsAzdUO/8dsiTRohe +1AUfKkOngKRI4jPG820VihSIP5ms9jH8MvHlEBiwVAE +-> piv-p256 ZFgiIw AqLEvSEzM5D4K/W67DVz7icte3mw5+FqFtBiv4Ba2xua +mbrEOcAnkiXq1Phh1SlnTjDuhLma+4hqv8FMceymOzQ +-> piv-p256 5vmPtQ AzENFlgqOyGbU/FXskgenHamZs/H+78mS9PWsYoXXqae +pyx2IlIw+p+7dAUg5Ohj1cKxW/9S51LjR2A47aNgH0c +-> AJ/nN^^b-grease P%To4qn; llf1 (\|f~06 +ROV54+I9IMrCY2DvOXDRsY4otebllTMp6ddWYA +--- PGvDf7ZhjEQzcNDXVlDw4Qehrs/lg7hi22vu/2lo0N8 +{ryԝ_{f#ß`M}є<id=pbnE- +$th:;.9w \ No newline at end of file diff --git a/secrets/wireguard/elisabeth/keys/elisabeth-ollama.pub b/secrets/wireguard/elisabeth/keys/elisabeth-ollama.pub new file mode 100644 index 0000000..9010873 --- /dev/null +++ b/secrets/wireguard/elisabeth/keys/elisabeth-ollama.pub @@ -0,0 +1 @@ +wODUgMHl+qSCB8O1purynIY/AaPyIJ4kCFCEHmRedEk= diff --git a/secrets/wireguard/elisabeth/psks/elisabeth+elisabeth-ollama.age b/secrets/wireguard/elisabeth/psks/elisabeth+elisabeth-ollama.age new file mode 100644 index 0000000..8c7e563 --- /dev/null +++ b/secrets/wireguard/elisabeth/psks/elisabeth+elisabeth-ollama.age 
@@ -0,0 +1,15 @@ +age-encryption.org/v1 +-> X25519 809OJmSe9sRVNlpr7tsymq+N/N3RLwBggFHdew4p5lU +ef/ZzFm1aqytRapx0iZilQyT9O/xuA97plZbz5LL5O4 +-> piv-p256 ZFgiIw Aowpy6rEm9eHFxEmwJ35I10linQONgIS13H/Nm0fi+j9 +rRiW2Y2V5kpmdqGjN72EyKe9nf5fQS4UrUqZAtshkx8 +-> piv-p256 XTQkUA AtkeDTc+jaagxDYjzJrSsHZTCF3KxpSTMU2ZMxuoawDG +YDRFtbrl8QH5YHlTcBLBdxHzx+pqMXLtSSvd/FokSE4 +-> piv-p256 ZFgiIw ArgQyaNwkuKD1GVVGKmwcHq11pzcgGK9uJpvWFkQ1Zqy +Jvue35/d/2CKV6qcVZIW2Q+LUp67CpcMUapfJQGqh84 +-> piv-p256 5vmPtQ AjMLgWeCMKLwl3205anSTdwYfQ5HG2pmZH5UOU8fnhi5 +BL+6ZYMBuakv2PZCzcb/W8+UCgGryY/uA3Z0NdMxcc8 +-> :`n-grease Iq:z[/t( c6Ca. j FSx5@D? +uH1pwc6u0ytrAqS9cTXoD64rJBuosYo +--- 5BCa7IK4dbXfsXiqMnBHBmLR/qAXbbyqaVRiWun5KJ4 +eFsfBh`%8C;Qnَz$߅̻R$5sKlT \ No newline at end of file