From f053c677e88113df82c2cad97c46bf9b72053e7b Mon Sep 17 00:00:00 2001
From: Zuckerberg <zuckerberg@neet.dev>
Date: Sat, 10 Jan 2026 23:00:10 -0800
Subject: [PATCH] Set up openwebui + ollama

---
 machines/fry/default.nix                 |  56 +++++++++++++++++++++++
 machines/fry/properties.nix              |   1 +
 machines/storage/s0/properties.nix       |   1 +
 secrets/digitalocean-dns-credentials.age | Bin 958 -> 738 bytes
 secrets/secrets.nix                      |   2 +-
 5 files changed, 59 insertions(+), 1 deletion(-)

diff --git a/machines/fry/default.nix b/machines/fry/default.nix
index eae09fa..7c4b447 100644
--- a/machines/fry/default.nix
+++ b/machines/fry/default.nix
@@ -9,4 +9,60 @@
   nix.distributedBuilds = lib.mkForce false;
 
   nix.gc.automatic = lib.mkForce false;
+
+  nixpkgs.config.rocmSupport = true;
+  services.ollama = {
+    enable = true;
+    acceleration = "rocm";
+    rocmOverrideGfx = "11.0.2";
+    host = "127.0.0.1";
+  };
+
+  services.open-webui = {
+    enable = true;
+    host = "127.0.0.1"; # nginx proxy
+    port = 12831;
+    environment = {
+      ANONYMIZED_TELEMETRY = "False";
+      DO_NOT_TRACK = "True";
+      SCARF_NO_ANALYTICS = "True";
+      OLLAMA_API_BASE_URL = "http://localhost:${toString config.services.ollama.port}";
+    };
+  };
+
+  # nginx
+  services.nginx = {
+    enable = true;
+    openFirewall = false; # All nginx services are internal
+    virtualHosts =
+      let
+        mkHost = external: config:
+          {
+            ${external} = {
+              useACMEHost = "fry.neet.dev"; # Use wildcard cert
+              forceSSL = true;
+              locations."/" = config;
+            };
+          };
+        mkVirtualHost = external: internal:
+          mkHost external {
+            proxyPass = internal;
+            proxyWebsockets = true;
+          };
+      in
+      lib.mkMerge [
+        (mkVirtualHost "chat.fry.neet.dev" "http://localhost:${toString config.services.open-webui.port}")
+      ];
+  };
+
+  # Get wildcard cert
+  security.acme.certs."fry.neet.dev" = {
+    dnsProvider = "digitalocean";
+    credentialsFile = "/run/agenix/digitalocean-dns-credentials";
+    extraDomainNames = [ "*.fry.neet.dev" ];
+    group = "nginx";
+    dnsResolver = "1.1.1.1:53";
+    dnsPropagationCheck = false; # sadly this erroneously fails
+  };
+  age.secrets.digitalocean-dns-credentials.file = ../../secrets/digitalocean-dns-credentials.age;
 }
diff --git a/machines/fry/properties.nix b/machines/fry/properties.nix
index 18734c8..c5eef13 100644
--- a/machines/fry/properties.nix
+++ b/machines/fry/properties.nix
@@ -7,6 +7,7 @@
 
   systemRoles = [
     "personal"
+    "dns-challenge"
   ];
 
   hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/Df5lG07Il7fizEgZR/T9bMlR0joESRJ7cqM9BkOyP";
diff --git a/machines/storage/s0/properties.nix b/machines/storage/s0/properties.nix
index 9d133c8..dc857da 100644
--- a/machines/storage/s0/properties.nix
+++ b/machines/storage/s0/properties.nix
@@ -17,6 +17,7 @@
     "media-server"
     "linkwarden"
     "outline"
+    "dns-challenge"
   ];
 
   hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";
diff --git a/secrets/digitalocean-dns-credentials.age b/secrets/digitalocean-dns-credentials.age
index 5b83ebdea4cb33e1edca170488d24aa5e0b790fc..af1a992148d4e18f909e793c856f6c491b5df0a0 100644
GIT binary patch
delta 674
zcmdnT{)lygYFwdfQl@XZg0G`Xu6txvqFZWaRc?4yK}2SnxxapHfmv0BuVJBOl9_LY
zbGT1Yc4&4om$7SlMzTq6d48Hjj=O7AkcoScWs;F$V2W|5X|iQ#K#9Ita8PbUj=N>#
z<akDjFqd*?k3i3~QiEd4M9(Z|cW=W2<BDL{(zLWxUt^ETDsBHP$252Cir{3fAm_jW
zpY+s{yaF$6%Zh+fHxm~#Q!gJMPh(%NK;O(%<4VUIj}+%%-}J!AXBoxolijk*@=c2U
ze9ZFo9h1$B%Zj{mz0!(I%*stI!%DJT6T`iV0xH7G^Nj+zJc_bCj19|uDueP06O&2;
ziZb1Ez4LN2D#EfXyvs~dONt8o!pnlaQq3K?bnO(1i!*dnQ;bYa4J{SQjq^$^(iKb$
zJwo*J(!!iF^9%};lk$A(^>foIQ$w;m^K!l1v;&h}{Yx@kGb;*>!+p83yfO>2(_JzG
zqoRz%GTn2`e6w?md~?F9!t+up4P4wZT*JdH^3yz1g38gYOD!ubOG{TMOw28DPRT3K
zH_ngJ&&v-i4D>N}cXbW3EH}+hN%73jil`3?GBC(2Pt7*qD)RQNbP7!=sx0%=F4A{&
z39rfwFVFVyjP&*@b~6b}^-f9ga|%pO)y_!f($&>fFwb!;Ei3gXu1wL-E^-SC%q@#F
z$OtwI&MZhw@zKt%s0t_u*3ZgK^2sUYx{&_1&pz)3OQXAL(51#ppLcOzS^D%*qGCd<
zM3#i%8LswO49hhx@h?z57$)wx=J!=qdrsAEY2l2JM-LbNKmGY;<Z)$_H#;p)buDgm
yiEdKbW3}%6x)(2wTz^|zTECI!T4>3A5mtr+f1l-fY1F>YjH$QjZJsZn%nJbf1oL+Q

delta 877
zcmaFFx{rN=YJIp<h@nThf`yU0c9n5xN=9i}m~&2Kv7@JtV`*}sWm<rzafErkv4^pR
zX{MQfj;TvJmv2C5a&dXNacH_pra`7tRi<g8Nt#b`l1rIek%_N)WR|B>a9B}Tn5DTR
zm#&>cadC!jYKoDmsiCEUnPZ5Ne!4<MiNCvfPPwH)S-o+Rk!e6?Xo+!wf4YlLZdh)K
zv43fPL}gJ#zEMg>fpb1rsClJRo@1^_s;i}=v%6(#X-;-fcto&&roL&ZN3d~KQgWt&
zhi^oBenvXFbww5?7TW0wx#dZoMQ&!Mm45CSIr@H{LGD2n5tXjy0jB!($*D=+*%iL-
zejYACuG!_;ToI8LWq!q>g+;kup{a(R>6RAZDOt`=B~?W^er{P#DXCfR?*1VuVL3j&
z=+<Qf6d2}}E2IV_<~dfmgqdaKc$T<_8<*r(WmlDXW|>!prxt`4gm@L@qz8w4mM6Lt
zb7`9-Tb5UN6lG=R24$G1m8NKWdHO_{ha~Ig2L<bgrAHJdR|N(c=UAp07Ek;r9_|s5
zSz=n?pX^&1=;Uo&8DU(NZ0KK{QCSvh5NTH6=$UI-=9(N8TIrmg%;n`%9G0q|8B~>M
z85ZD_X6$WVWtI_SQC{Y3>0#>YUr=1&9v13s?3+|pJ~^IIJiIhGAf>pV&?m4eD<Cb@
zG1)x8H!>|N#~{z$B-Pa?(XGNcAfq_4syxUbnaj<qxH2j$D7iq})6%FkF+bNg#63OC
z(kmdj#K6@k-#I1O$*D5g-y|g~eezjG@%j=M-->MilDw+SQ1?9lz+xY_!cuSNq-0-{
zG?Sumuh4Q!Bg=rOpv<81Y_7Ztx4hK+yr}SS56_5l{czuGqa0`79Mi;*{FGwfsJu|;
z$a3=_{m}fBY%X10U4`WAsC-8k(+uZqSO4;~D$fGns8Vms$dE|OBwz1j_Xy*P<a(b{
zLsw^ik8-Ycp%d2$i0QvrW`6bEqM8}6cKxZ6xIfpT{egtHtCkzDci^ngH&_-WzmJ$*
zt#x(rmju6n`lt4{<UhaoU6yib;oW!K`M*rPjipasuHP7RbY;ioLw7XVwqE~W-^%D2
gx=Q-vKaMvu|1mP%s<Zg1YIU5Ov+Dlu<T;v;06T~|ng9R*

diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 50c279e..3e85b1a 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -55,7 +55,7 @@ with roles;
   "librechat-env-file.age".publicKeys = librechat;
 
   # For ACME DNS Challenge
-  "digitalocean-dns-credentials.age".publicKeys = server;
+  "digitalocean-dns-credentials.age".publicKeys = dns-challenge;
 
   # Frigate (DVR)
   "frigate-credentials.age".publicKeys = frigate;