diff --git a/machines/fry/default.nix b/machines/fry/default.nix
index eae09fa..7c4b447 100644
--- a/machines/fry/default.nix
+++ b/machines/fry/default.nix
@@ -9,4 +9,60 @@
 nix.distributedBuilds = lib.mkForce false;
 nix.gc.automatic = lib.mkForce false;
+
+ nixpkgs.config.rocmSupport = true;
+ services.ollama = {
+ enable = true;
+ acceleration = "rocm";
+ rocmOverrideGfx = "11.0.2";
+ host = "127.0.0.1";
+ };
+
+ services.open-webui = {
+ enable = true;
+ host = "127.0.0.1"; # nginx proxy
+ port = 12831;
+ environment = {
+ ANONYMIZED_TELEMETRY = "False";
+ DO_NOT_TRACK = "True";
+ SCARF_NO_ANALYTICS = "True";
+ OLLAMA_API_BASE_URL = "http://localhost:${toString config.services.ollama.port}";
+ };
+ };
+
+ # nginx
+ services.nginx = {
+ enable = true;
+ openFirewall = false; # All nginx services are internal
+ virtualHosts =
+ let
+ mkHost = external: config:
+ {
+ ${external} = {
+ useACMEHost = "fry.neet.dev"; # Use wildcard cert
+ forceSSL = true;
+ locations."/" = config;
+ };
+ };
+ mkVirtualHost = external: internal:
+ mkHost external {
+ proxyPass = internal;
+ proxyWebsockets = true;
+ };
+ in
+ lib.mkMerge [
+ (mkVirtualHost "chat.fry.neet.dev" "http://localhost:${toString config.services.open-webui.port}")
+ ];
+ };
+
+ # Get wildcard cert
+ security.acme.certs."fry.neet.dev" = {
+ dnsProvider = "digitalocean";
+ credentialsFile = "/run/agenix/digitalocean-dns-credentials";
+ extraDomainNames = [ "*.fry.neet.dev" ];
+ group = "nginx";
+ dnsResolver = "1.1.1.1:53";
+ dnsPropagationCheck = false; # sadly this erroneously fails
+ };
+ age.secrets.digitalocean-dns-credentials.file = ../../secrets/digitalocean-dns-credentials.age;
 }
diff --git a/machines/fry/properties.nix b/machines/fry/properties.nix
index 18734c8..c5eef13 100644
--- a/machines/fry/properties.nix
+++ b/machines/fry/properties.nix
@@ -7,6 +7,7 @@
 systemRoles = [
 "personal"
+ "dns-challenge"
 ];
 hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/Df5lG07Il7fizEgZR/T9bMlR0joESRJ7cqM9BkOyP";
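Review bot: `credentialsFile = "/run/agenix/digitalocean-dns-credentials"` in the `security.acme.certs."fry.neet.dev"` block hard-codes the agenix mount point; the resolved location is already available, so `credentialsFile = config.age.secrets.digitalocean-dns-credentials.path;` keeps the ACME config in step with the `age.secrets` declaration at the end of the hunk if the secrets directory ever changes. `dnsPropagationCheck = false` also deserves a second look: with the check off, lego submits the order before confirming the TXT record is visible, and each failed validation counts against the CA's rate limits, so it may be worth pointing `dnsResolver` at one of the zone's authoritative nameservers (one common cause of the check failing "erroneously" is the chosen resolver answering from cache) before giving up on it. A comment on the cert block would also help a future reader, e.g. `# Token in this file can typically modify the whole DigitalOcean DNS zone; recipients are limited to the dns-challenge role in secrets.nix`, since that scope is why the secret's recipients are narrowed in the same commit.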
diff --git a/machines/storage/s0/properties.nix b/machines/storage/s0/properties.nix
index 9d133c8..dc857da 100644
--- a/machines/storage/s0/properties.nix
+++ b/machines/storage/s0/properties.nix
@@ -17,6 +17,7 @@
 "media-server"
 "linkwarden"
 "outline"
+ "dns-challenge"
 ];
 hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";
diff --git a/secrets/digitalocean-dns-credentials.age b/secrets/digitalocean-dns-credentials.age
index 5b83ebd..af1a992 100644
Binary files a/secrets/digitalocean-dns-credentials.age and b/secrets/digitalocean-dns-credentials.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 50c279e..3e85b1a 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -55,7 +55,7 @@ with roles;
 "librechat-env-file.age".publicKeys = librechat;
 # For ACME DNS Challenge
- "digitalocean-dns-credentials.age".publicKeys = server;
+ "digitalocean-dns-credentials.age".publicKeys = dns-challenge;
 # Frigate (DVR)
 "frigate-credentials.age".publicKeys = frigate;