From 3072389561f580d8327bb547b840442e25aff44b Mon Sep 17 00:00:00 2001
From: Patrick <patrick@failmail.dev>
Date: Sun, 9 Jun 2024 20:58:27 +0200
Subject: [PATCH] feat: open-webui host

---
 config/services/kanidm.nix                    |   3 ++
 config/services/ollama.nix                    |  28 ++++++++++++++++--
 .../elisabeth/secrets/kanidm/secrets.nix.age  | Bin 2080 -> 2094 bytes
 .../elisabeth/keys/elisabeth-ollama.age       |  16 ++++++++++
 .../elisabeth/keys/elisabeth-ollama.pub       |   1 +
 .../psks/elisabeth+elisabeth-ollama.age       |  15 ++++++++++
 6 files changed, 60 insertions(+), 3 deletions(-)
 create mode 100644 secrets/wireguard/elisabeth/keys/elisabeth-ollama.age
 create mode 100644 secrets/wireguard/elisabeth/keys/elisabeth-ollama.pub
 create mode 100644 secrets/wireguard/elisabeth/psks/elisabeth+elisabeth-ollama.age

diff --git a/config/services/kanidm.nix b/config/services/kanidm.nix
index 408a38f..a491141 100644
--- a/config/services/kanidm.nix
+++ b/config/services/kanidm.nix
@@ -122,6 +122,7 @@ in {
 
       groups."rss.access" = {};
       groups."firefly.access" = {};
+      groups."ollama.access" = {};
       groups."adguardhome.access" = {
       };
       systems.oauth2.oauth2-proxy = {
@@ -131,12 +132,14 @@ in {
         scopeMaps."adguardhome.access" = ["openid" "email" "profile"];
         scopeMaps."rss.access" = ["openid" "email" "profile"];
         scopeMaps."firefly.access" = ["openid" "email" "profile"];
+        scopeMaps."ollama.access" = ["openid" "email" "profile"];
         preferShortUsername = true;
         claimMaps.groups = {
           joinType = "array";
           valuesByGroup."adguardhome.access" = ["adguardhome_access"];
           valuesByGroup."rss.access" = ["ttrss_access"];
           valuesByGroup."firefly.access" = ["firefly_access"];
+          valuesByGroup."ollama.access" = ["ollama_access"];
         };
       };
 
diff --git a/config/services/ollama.nix b/config/services/ollama.nix
index eafdf7b..006a2c9 100644
--- a/config/services/ollama.nix
+++ b/config/services/ollama.nix
@@ -1,10 +1,32 @@
-{
-  networking.firewall.allowedTCPPorts = [11434];
+{config, ...}: {
+  wireguard.elisabeth = {
+    client.via = "elisabeth";
+    firewallRuleForNode.elisabeth.allowedTCPPorts = [config.services.open-webui.port];
+  };
+  networking.firewall.allowedTCPPorts = [config.services.open-webui.port];
   services.ollama = {
-    listenAddress = "0.0.0.0:11434";
+    host = "localhost";
+    port = 3001;
     enable = true;
   };
+  services.open-webui = {
+    host = "0.0.0.0";
+    port = 3000;
+    enable = true;
+    environment = {
+      OLLAMA_BASE_URL = "http://localhost:3001";
+      ANONYMIZED_TELEMETRY = "False";
+      DO_NOT_TRACK = "True";
+      SCARF_NO_ANALYTICS = "True";
+      TRANSFORMERS_CACHE = "/var/lib/open-webui/cache/huggingface";
+      WEBUI_AUTH_TRUSTED_EMAIL_HEADER = "X-Email";
+    };
+  };
   environment.persistence."/state".directories = [
+    {
+      directory = "/var/lib/private/open-webui";
+      mode = "0700";
+    }
     {
       directory = "/var/lib/private/ollama";
       mode = "0700";
diff --git a/hosts/elisabeth/secrets/kanidm/secrets.nix.age b/hosts/elisabeth/secrets/kanidm/secrets.nix.age
index 8144c569a82404713c84688730c620d6a74fae43..9ed0d2b78ad0fe0207b545a0ea88a8e30ffde2e3 100644
GIT binary patch
delta 2068
zcmY+<`9Bnh0s!z-tVTtSY88!;5ObOtD>SDWa~O=dWHa}ed&XR*G@`JSqYII3S44~L
z+R(1vqehAjN72el$LJ}wAE_m)?C1UPe%Qa@`}v-6YjrCFT48h~3PU2&RV=h#q@tMd
z$qcbLMT#V=VKNpA9-k5^V=^MOU=lPFkU&*P^vNir0nLKxBUOAU0hB0C;FA&(_(G0B
z&P65DlHx^BC4vqHgv9_g8OAUTGy(zS5+oTU6A-O67{LrGn1M3z41A=PDrLZ}a<qj8
z#p)nzo&d%L8yOlVh$2J8Ljej6I#O$tG7%9bIi1d<<3&(YJV9l^VX+XhTu0Wiv2iM$
zDUz+{`~zb%66GmqAQ~c|OQ2#9SEEpC@O-u&N1=&nX1F@Rq!K{!x&*!)#)%hN^&%5q
z2vBH|iScAos9A22DA5#!QYxb3#9Y1wK}k%}@)AV?QlwHuW@8Pce_;QgMX1ynVzY&z
zf`}9vVgd$^At18YMw5(3(3#m<0>eNhVNrx6jE)b`Vk3kQt|gHrkxO*GW+6?E<*3<2
z9)}A<!J%xB#vtR9xG7pAPbxW<;NWGA03l@}6wjPxOqM`7QUX~`(n)1#p;U>)(WOMF
z%AyaI7&S66feOe_A-Q6_Mt~BDBSJ~~II>bK0a48wsxZ@}HVI5|U>$@kGm+!i@c%{j
z7;s?{orsqy0-9vNfLI`b8iWN(0lX|02yPG~vAjr{6`>O)X-rrP6h$<n8JJ9-m?_U>
z(9lejh6S+*(eX4g6{_MT#$k=BNTUX$RD%fseHPY4AxpVLUZRj<!N}xvs#1}hDWcJ+
zAgCFP03mS-o|Xv?g(*XYSfx}Dp)i7ZYCu?67?2o2;A9araSVk)2Paw~6h0lwP66vF
z3CI)!0ZI|_B{)bNGtwe~nE=xhuk?Mw8eym5hoVaD`c<Vd0@tH?Z^H9S(tvMC8^7dF
ztJ_AKj~5hQn!pVYJY$(u!zbm3kF7Rm9=vlT{P?L&w;_QZtBewf>GIS6KCK*{Oh3Jt
z+G9V_%L`Uw&xYzH*0E3sP_f8}0=j#7WQl-Be%+f9j<K}%Y<!qKhVKY^@ch#HFJIaE
zcJ6|iLT1YK#UYGS7h?l%Dhw81j7J&%)XtB?j@3T5H!so_N~#MAWXq1rYjd3iKm<|{
zb@BR9V^Hz$m~o|KZkyZ5+S;LqOo*;sXCA9x9@QBm$`1xu6>V_-%XfXd=z^nu_s)$e
zmMRQ$V%Lc;L+EoyKx-tb%&wmz-nLAD<~G=uPFtp2o7}e0zPZC2*yE--`k%8wYH8U(
zyL#!S+l*~0B?^;0FDt6>-dHp%KkGhHT)+{>V#sg&Jg#ggY`<HKb#`E8^k}7Rkl9lU
zkFI|IYOFQa`sr}WgO}062?YZ;c8_$=TzMA29r1;N?j9DzY9miGS>A${HLqLxg?Nsh
zb0&v>1l3qQ_;PpfduH!o<15~!4VoKk8W`t)+}04Bza<sYL|hlRq*l-1ZmK>8Sp)4Z
zJ6COu;vL|Od4JrdYVwK$tsm-K`$P6RUEaN&pA#glcdbRyb|-ib!-A;J*;bHVTb-R1
z;^Q88>}r))L))J5pl0{cS?}?(kO#%P8OxL*`&{OJQM?{l*HlyLgpF;i>n&PvTz;qe
z5#A@f+;6+%4y@nIHNiN0Q7PPWGBw11o)A3WUHI+ZZ_t5ncOY~2!y9=S^12J3!A%!m
z{FwcP5dOv*Giq0Sc-%g8-ZLlE{kDsL(f;c`6V0od8d|TGj6n@2PPjGZxXUicXop|#
zZ+<<Cf~DDix!+F5I30Ll8%fXW{W8k~#++N$1Y=V=JOUo$JUrci9ow-(Q)%hB3lkd~
zGwK@{p6&qvi#gohbuOl<s?v}BU8(QXYH7M{yH~h%_sVXEgXK#h!Ro==71c@2OO|rh
z+zo72+T(fqUz=>+<!v!+j?F|7r><Y4zI>Zqvm>;=vux$K<b0HCshIuO@+z}PpGwdB
z*7a$;t@3)|)KHZJr^p`dc1h7PUK;Nb`PQkh>s1%#^t5OG%GY^MnpXQMa`TXHYW-tv
z0T-sNN%J1f=;7<v+vcQH$d=7L(#^@;&Tcb>N};{3>QnmY`VP_s_+{TrTT0z;j{M{Y
z;$IJ(Y4PtUoBy+Gw(h|F(M_Wu?-KKe=k@mf7h71g-?djqo*+!O91czRXI`yGRdk;W
z-T97*IpCDrK7GZSeYi6fHaWQD>h4GCUA<UVZ!K~muBbcs(D&buY}dZ)FMY0y(oCMp
zJET*H?nUixZO_RP)^*<6{>J()R228q=qDnA;8FtrbAR#u&(aGqx1wttyaU~T`+0>s
z$apgNEO+H2QQ8^*^2*CL;^&(En}c4Jw)x^et@YY_aE&Wo6gPtEW~DC<_1)*%NrN9g
zUE?fRk>ba@YX9Y1lBh8qgG4{u`Z@D1*eE!(qQ0>8NpFip$lJ;ZPM-bH$YQ>I?6Yvh
z^Ny$XR%gcG!b9IEDmT3a@HJ#0aPB?3##6p7`ks7qy_55#<1+S#Y3xl~5iq3;*f*5)
zM{}R+=#Gf@55B)ox%KsMTA2E>0{uRuI=K{!lkJ1$OZ40Zm(tY!ud>qKv7Jv#H_ppr
zI!8P{7N5wK4L;hyX+<9GX9b){rgq6NQ$M3CyvWOa?6Gm@p`)o%!_EE-dPkume5)yH
k0x`MPUNy;?`J-pcwSCUZ+Wclm?b}h6hPi?YpyT_$0oJ~TIsgCw

delta 2037
zcmV<R2MYME5TFo{Ab&J@b2MjIMoDB%SY%>nNlP?mW?D`-aW7(dVrDO7S8Q=naaVFi
zZ(>O>V+u8HXI5@hOjj>XS#DNPHBnV{ZbCRwcQ$xZSxZM%dPGioPdGPoMMG0FYYHts
zAaH4REpRe5HXvA3QEOE}AVGFyFHmJ;bw@)*c1d|dGb?sYD@1QMR%2#ZI6`wsD|1j{
zQ)N|ALo0P~M`H?Fbxkj6QA2o7T1YT8F*S2jbWnL%WJhO7b}=<<NMvMWG&d_&T1z>2
zOGT4U0Tq8UICgb8b5eIzad<Rkc{xjET5D4<Sy6g4MR;;mM|DbSYif5^S21&WM`Q|R
zGHzCRb7(hlHD*UkMsRO+M`l$)G<R4lFjHY-axqatT4ZoSQ!+Jcc`ynsJ|J*ub}eu+
zH8vnMc5P5}Q6NDxaW`Ric3Cnsc41O0c1=b_WpPApXLV*abT4*rcXx1dQEqivOK(av
zXiicJX+lU$cS|u$Sx<0AN@Z3`YeG$HM|EO!H9}-zH%&J$PibyZb3$iRLuD|NPXQHw
zdUsTGV=y*NS6FyLcSLqkWpFSyP)jytMmTCRQ%H3*F-mG`W^iIOc{Vc&L~T`BQd3rW
zW^Hs=b!1C3H%2o-Q$<u^M>sDpK}>m6OG{=?a&bXPPD4csEj}P6A!;pWa%Ew2WgvD;
zO)4N{FCb%fQ(|sS3RpBjMNKkIHFrvXHfwKUaCb;Dcv*8uSyD-JOGt7^QBPxaD>F-Z
zOh!|AQ)W<ZX<BAgN<(UGMO9;TL{&F6Yj_GYQ+jtfRd!iKMNMl)a#?g|V|sLNOl2@=
zS5RRxWNvI?R&g>=cT!AvMngGRQe{qbV=qNbbWsW|EiE8PH(E+kWl(2$PGN6<FIO=#
zaWZ8uF>q5;D|1z4a%5sFZe=fQcQ-aqHFs4CE;_#ejd(F)Eu}1t@(>69$qFMr+Bu!^
z+p)m_T{Tvn$_-#1S8Ikt&vWtSUt_K*0+HomDbnMzaPz)_<{4I!<2PH03K^uVnVD?S
z10FW7?0p0^V4^X35=_yzODCd#35tFVMFiK~9ND%K6SSo}e}(Q0KG={Y$1ASrsEj~}
z|MRfYw$W9@xActa5Z&3^bstCRDF`Br`1!24*gJ<KH3x)TU9=vckxYLKWu<S5c*C3_
zxt_cpqoDcS#&XN=9?z4ws+UnM%SJ<ZrxD$F;XRzFX;9?vO*T2DWPZ$l>Dq<{?W(%?
zzk@z^?JkLQhbh$f(JV6zAm3<Qxx(A$j#oj~o|<=DHzcDQ?3`8w@*&o*eW)dgL}+uj
z)xTbU)2zOC*D|{R@9Ha5t4;Z?%+EtQH&450>r@12C#SZo-{Tn#ZrqfyLl#@Fo)<eL
z(d{X$X^D7hD_$3CI-<0HGHo&xy=E9Ajr7Sg#A4Yw3B)WV-a`(w5e7ZJ*&RufpY2#i
zfB2ycTNa_{KBgOMd0QAtji%(m908-Fs*`7VFn|x1fy<WFmhjzv^_i@iSJs{vy3bt#
zaKKXHph@&W8>5w7{K>maM77nhvo>A5$Z&TD&a`?-#M&F`)fXy%a0Iaq__q%}hvhN`
zaFZFbL*3#v-^L@y&IQ$;)GUwJPQ_#0;<j7do0V!dvgAQsH!L5<1)<FXHZ!f03@oFN
z-MV|x+>PTO!K>K!O|}X;Dfj1!-15y{vxhAi*Jmc_@vS^TUlRe-uxaij?8C8FT_EYV
zD)O$K$7uM;6BtN;!;7uHoTTv7z5fC_vNB`>6hr0`N=Mzz*&?aI_S;VquZ9a{-+g>_
zq@NvJ27ZIQ*QWGDnLT!}L!p3w(7OmH*Z0AXyGMx6aIq@b(;bZ$lNdfnOd1Cu{*v}?
z9^2T(*smD6t6&;S4g%&yD%B7MJ^GRfdw4F|?UMl+TL>zD&@Ww&27LqRO^y5G^o&P<
z0?0Vye)pHu99vp{5llaXEIMtdGLZ<t=1R4C3obD1?EQEFXBIOfSG7MbFGd_BIWA39
z%Wyryd}}V=^|~I7!KMD}Ck@~xqc$|iyKAx^C@Gc}81-o<AYLbbKVo8Q@q!G26Yxmr
zk2-HBanX@~Un8C+t~P#q5-W=J|Cr)Z-6*`;@;#p-Y+QPOQ&k+|g*IM{{=la2O%xD<
zToA<zO?vM}1sb76oI!KQu3~UulNKjYE%`En_7W<*YRE9i2V`=O8$DN^_NqWeGHc?&
zPr;Z_2UISrvdK>cgb<|?DlnN1UXnkP>M0~Gs+fm=CtrKB=nP!7N=X5IKJHToj5nH7
z0zAOkfNsx*V@e=3P<C^dc->ys<(if|kL%&mE5^C>^ew|~t{%X`_g<9#zs*U%^k1NL
zn7p@=kv26$KT2<TlnMfLu3V67HeUo-C~R_(YG7{Riw0$Lc!~GCvbSodpkWi|%kPi>
zSzx(;<i9SxRLkku1Dx?U%zZ@L#xg<VX7aV#{NLvz-%dKE>LAp3M-CdC<v~53&ol5s
z<R;Zux=+PoW;tO7WF863uPtt(#6)qex=K0AzwqE0lO}=;tL4h&TqcsxWSW%Wy0m+9
zI~Z385IcqSTF{e$kmn_ny)1cjyVZ2L;5=|#0BGJxQ6@~$1!t8Lp6(r%EPakhihWVk
z;jZt3N4LIu&9q!Si|EYEDxRyhqMGsTY^?C0S_OU~J(E#qT7S74?PF|r>IMX!-I`j;
T!)72y<KD_{>Q@C=&9oN5j4*h7

diff --git a/secrets/wireguard/elisabeth/keys/elisabeth-ollama.age b/secrets/wireguard/elisabeth/keys/elisabeth-ollama.age
new file mode 100644
index 0000000..042fc85
--- /dev/null
+++ b/secrets/wireguard/elisabeth/keys/elisabeth-ollama.age
@@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> X25519 Fpotjtu7lksK7LzYZTkTP7OXF2etf6k/jAs3qT63pyg
+Az3CTRHiYmqI9mVSvt61WgbQa1Sw7tTI/GwuwGNm2Rk
+-> piv-p256 ZFgiIw AwwKW8KYhA3dsUgANUxvffEiFLOadwllahNrchfzQTfq
+AO08XTSUINWT5eY1EgPqHHSY/y0gsgszz3psNnGSauA
+-> piv-p256 XTQkUA AuxujxLf1wM1siHqnkbayQ6C4KZbsAzdUO/8dsiTRohe
+1AUfKkOngKRI4jPG820VihSIP5ms9jH8MvHlEBiwVAE
+-> piv-p256 ZFgiIw AqLEvSEzM5D4K/W67DVz7icte3mw5+FqFtBiv4Ba2xua
+mbrEOcAnkiXq1Phh1SlnTjDuhLma+4hqv8FMceymOzQ
+-> piv-p256 5vmPtQ AzENFlgqOyGbU/FXskgenHamZs/H+78mS9PWsYoXXqae
+pyx2IlIw+p+7dAUg5Ohj1cKxW/9S51LjR2A47aNgH0c
+-> AJ/nN^^b-grease P%To4qn; llf1 (\|f~06
+ROV54+I9IMrCY2DvOXDRsY4otebllTMp6ddWYA
+--- PGvDf7ZhjEQzcNDXVlDw4Qehrs/lg7hi22vu/2lo0N8
+{����r�yԝ_���{�f#ß�`M}є<i���d=��p�b�n���E��-
+�$th��:;.9�w�
\ No newline at end of file
diff --git a/secrets/wireguard/elisabeth/keys/elisabeth-ollama.pub b/secrets/wireguard/elisabeth/keys/elisabeth-ollama.pub
new file mode 100644
index 0000000..9010873
--- /dev/null
+++ b/secrets/wireguard/elisabeth/keys/elisabeth-ollama.pub
@@ -0,0 +1 @@
+wODUgMHl+qSCB8O1purynIY/AaPyIJ4kCFCEHmRedEk=
diff --git a/secrets/wireguard/elisabeth/psks/elisabeth+elisabeth-ollama.age b/secrets/wireguard/elisabeth/psks/elisabeth+elisabeth-ollama.age
new file mode 100644
index 0000000..8c7e563
--- /dev/null
+++ b/secrets/wireguard/elisabeth/psks/elisabeth+elisabeth-ollama.age
@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> X25519 809OJmSe9sRVNlpr7tsymq+N/N3RLwBggFHdew4p5lU
+ef/ZzFm1aqytRapx0iZilQyT9O/xuA97plZbz5LL5O4
+-> piv-p256 ZFgiIw Aowpy6rEm9eHFxEmwJ35I10linQONgIS13H/Nm0fi+j9
+rRiW2Y2V5kpmdqGjN72EyKe9nf5fQS4UrUqZAtshkx8
+-> piv-p256 XTQkUA AtkeDTc+jaagxDYjzJrSsHZTCF3KxpSTMU2ZMxuoawDG
+YDRFtbrl8QH5YHlTcBLBdxHzx+pqMXLtSSvd/FokSE4
+-> piv-p256 ZFgiIw ArgQyaNwkuKD1GVVGKmwcHq11pzcgGK9uJpvWFkQ1Zqy
+Jvue35/d/2CKV6qcVZIW2Q+LUp67CpcMUapfJQGqh84
+-> piv-p256 5vmPtQ AjMLgWeCMKLwl3205anSTdwYfQ5HG2pmZH5UOU8fnhi5
+BL+6ZYMBuakv2PZCzcb/W8+UCgGryY/uA3Z0NdMxcc8
+-> :`n-grease Iq:z[/t( c6Ca. j FSx5@D?
+uH1pwc6u0ytrAqS9cTXoD64rJBuosYo
+--- 5BCa7IK4dbXfsXiqMnBHBmLR/qAXbbyqaVRiWun5KJ4
+e�Fsf�B����h�`%��������8�C�;Q���n���َ�z���$�߅�̻�����R$�5��sKl�T�
\ No newline at end of file