desko: make ollama visible to my wireguard devices

hosts/by-name/desko/default.nix

@@ -4,6 +4,10 @@
     ./fs.nix
   ];
 
+  # firewall has to be open to allow clients to use services hosted on this device,
+  # like `ollama`
+  sane.ports.openFirewall = true;
+
   # sane.programs.devPkgs.enableFor.user.colin = true;
   # sane.guest.enable = true;
 

modules/services/ollama.nix

@@ -84,9 +84,10 @@ in
     services.ollama.user = "ollama";
     services.ollama.group = "ollama";
     services.ollama.models = models;
+    services.ollama.host = "0.0.0.0";  # TODO: specify specifically 127.0.0.1 and 10.0.10.22
 
     # these acceleration settings are relevant to `desko`.
-    services.ollama.acceleration = lib.mkIf config.hardware.amdgpu.opencl.enable "rocm";  # AMD GPU acceleration (achieves the same as `nixpkgs.config.rocmSupport = true` but just for ollama)
+    services.ollama.acceleration = lib.mkIf config.hardware.amdgpu.opencl.enable "rocm";  # AMD GPU acceleration (achieves the same as `nixpkgs.config.rocmSupport = true` but just for ollama (the global toggle rebuilds the world))
     services.ollama.rocmOverrideGfx = "10.1.0";  #< `nix-shell -p "rocmPackages.rocminfo" --run "rocminfo" | grep "gfx"`  (e.g. gfx1010)
     # services.ollama.environmentVariables.HCC_AMDGPU_TARGET = "gfx1010";  # seems to be unnecessary
 
@@ -101,6 +102,15 @@ in
     # `ollama run` connects to the ollama service over IP,
     # but other than that networking isn't required for anything but downloading models.
     systemd.services.ollama.serviceConfig.IPAddressDeny = "any";
-    systemd.services.ollama.serviceConfig.IPAddressAllow = "127.0.0.1";
+    systemd.services.ollama.serviceConfig.IPAddressAllow = [
+      "10.0.10.0/24"
+      "127.0.0.1"
+    ];
+
+    sane.ports.ports."11434" = {
+      protocol = [ "tcp" ];
+      visibleTo.lan = true;  #< TODO: restrict to just wireguard clients
+      description = "colin-ollama";
+    };
   };
 }