From 91771b7bef43f8bd67abbc95e5e9219b59b0ac12 Mon Sep 17 00:00:00 2001
From: Colin
Date: Thu, 24 Jul 2025 01:20:14 +0000
Subject: [PATCH] desko: make ollama visible to my wireguard devices
---
 hosts/by-name/desko/default.nix | 4 ++++
 modules/services/ollama.nix | 14 ++++++++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/hosts/by-name/desko/default.nix b/hosts/by-name/desko/default.nix
index 561af5182..e9e59fc04 100644
--- a/hosts/by-name/desko/default.nix
+++ b/hosts/by-name/desko/default.nix
@@ -4,6 +4,10 @@
 ./fs.nix
 ];
+ # firewall has to be open to allow clients to use services hosted on this device,
+ # like `ollama`
+ sane.ports.openFirewall = true;
+
 # sane.programs.devPkgs.enableFor.user.colin = true;
 # sane.guest.enable = true;
diff --git a/modules/services/ollama.nix b/modules/services/ollama.nix
index f093bde97..90f501b02 100644
--- a/modules/services/ollama.nix
+++ b/modules/services/ollama.nix
@@ -84,9 +84,10 @@ in
 services.ollama.user = "ollama";
 services.ollama.group = "ollama";
 services.ollama.models = models;
+ services.ollama.host = "0.0.0.0"; # TODO: specify specifically 127.0.0.1 and 10.0.10.22
 # these acceleration settings are relevant to `desko`.
- services.ollama.acceleration = lib.mkIf config.hardware.amdgpu.opencl.enable "rocm"; # AMD GPU acceleration (achieves the same as `nixpkgs.config.rocmSupport = true` but just for ollama)
+ services.ollama.acceleration = lib.mkIf config.hardware.amdgpu.opencl.enable "rocm"; # AMD GPU acceleration (achieves the same as `nixpkgs.config.rocmSupport = true` but just for ollama (the global toggle rebuilds the world))
 services.ollama.rocmOverrideGfx = "10.1.0"; #< `nix-shell -p "rocmPackages.rocminfo" --run "rocminfo" | grep "gfx"` (e.g. gfx1010)
 # services.ollama.environmentVariables.HCC_AMDGPU_TARGET = "gfx1010"; # seems to be unnecessary
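Review bot: `sane.ports.openFirewall = true` is a host-wide switch, but the comment above it justifies it with a single service. What the option does is defined outside this patch; if it opens every port declared under `sane.ports.ports` according to each entry's `visibleTo`, enabling it also exposes whatever else desko already declares. I would state the scope in the comment, e.g. `# host-wide: applies to every port declared under sane.ports.ports, not only ollama's 11434`, and audit the ports declared for this host before merging.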
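Review bot: `services.ollama.host = "0.0.0.0"` makes the API listen on every interface, and Ollama's HTTP API has no authentication of its own, so reachability of the port is the only access control. The line sits in the shared module rather than in desko's host file, so it presumably applies to every host that enables this module; the enclosing block starts outside the hunk, so the condition is not visible here. The TODO as written probably cannot be met with this option, since it takes a single address and cannot list both 127.0.0.1 and 10.0.10.22; the restriction has to come from the unit's `IPAddressAllow` and the firewall entry added later in this file. I would reword the comment to say that, e.g. `# binds all interfaces; clients are limited by IPAddressAllow and sane.ports below`.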
@@ -101,6 +102,15 @@ in
 # `ollama run` connects to the ollama service over IP,
 # but other than that networking isn't required for anything but downloading models.
 systemd.services.ollama.serviceConfig.IPAddressDeny = "any";
- systemd.services.ollama.serviceConfig.IPAddressAllow = "127.0.0.1";
+ systemd.services.ollama.serviceConfig.IPAddressAllow = [
+ "10.0.10.0/24"
+ "127.0.0.1"
+ ];
+
+ sane.ports.ports."11434" = {
+ protocol = [ "tcp" ];
+ visibleTo.lan = true; #< TODO: restrict to just wireguard clients
+ description = "colin-ollama";
+ };
 };
 }
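Review bot: The firewall entry `visibleTo.lan = true` is wider than the unit's `IPAddressAllow`, so the systemd filter is the only thing keeping LAN hosts outside 10.0.10.0/24 away from the service. That dependency deserves a comment next to the port, e.g. `#< wider than intended; IPAddressAllow above is what limits clients to 10.0.10.0/24`, so nobody relaxes the allow-list without tightening the firewall first. systemd applies `IPAddressAllow` to outgoing packets as well as incoming ones, so the service can now also open connections to any host in 10.0.10.0/24; listing the specific client addresses instead of the whole /24 would narrow both directions. The context comment above `IPAddressDeny` still says networking is only needed for `ollama run` and model downloads, which stops being true once remote clients connect, and should be updated.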