Commit 24c6759c4972

Vincent Demeester <vincent@sbr.pm>
2026-01-06 14:51:03
feat(ollama): Expose Ollama via Traefik
- Configure Ollama on aomi to listen on all network interfaces (0.0.0.0:11434)
- Add Traefik routes on rhea for ollama.sbr.pm and llm.sbr.pm
- Models loaded: qwen2:1.5b (fast testing) and mistral:7b-instruct-q4_K_M (production)
- Add ollama.sbr.pm DNS entry pointing to rhea (Traefik reverse proxy)
- Add llm.sbr.pm as alias for ollama service

This enables secure network access to local LLM infrastructure for AI experimentation and code assistance across the homelab.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
1 parent de57e1b
Changed files (4)
systems/aomi/extra.nix
@@ -58,7 +58,7 @@
     ollama = {
       enable = true;
       # acceleration = "cuda"; # no nvidia :D
-      host = "0.0.0.0";
+      host = "0.0.0.0"; # Listen on all interfaces for network access
       port = 11434;
       loadModels = [
         "qwen2:1.5b" # Small fast model for testing (2-4GB RAM, 25-30 tok/s)
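Review bot: The new comment on the `host` line documents the bind address but not what limits who can reach it: with Ollama on 0.0.0.0:11434 every interface of aomi accepts unauthenticated API requests, so the "VPN-only" property claimed elsewhere in this commit holds only if aomi's firewall (not visible in this hunk) blocks 11434 from everything but rhea. Either bind to the one address rhea uses to reach aomi (the same address the Traefik service entry on rhea points at) or keep 0.0.0.0 and restrict 11434 to rhea's source address via `networking.firewall`; if such a rule already exists, record that here, e.g. `host = "0.0.0.0"; # reachable only from rhea (firewall restricts 11434); Traefik on rhea fronts it`. The `ollama = { ... }` block continues past the end of the hunk.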
systems/common/services/dns/sbr.pm-gandi.nix
@@ -19,9 +19,13 @@ baseZone
     jellyfin.A = [ "167.99.17.238" ];
     audiobookshelf.A = [ "167.99.17.238" ];
 
+    # Internal services accessible via VPN only
+    ollama.A = [ "10.100.0.50" ]; # rhea VPN IP
+
     # Service aliases
     music.A = [ "167.99.17.238" ]; # navidrome
     photos.A = [ "167.99.17.238" ]; # immich
     podcasts.A = [ "167.99.17.238" ]; # audiobookshelf
+    llm.A = [ "10.100.0.50" ]; # ollama (rhea VPN IP)
   };
 }
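Review bot: The new `ollama.A` and `llm.A` records publish a private address (10.100.0.50) in the public sbr.pm zone, so the "accessible via VPN only" comment is only half the story: the names resolve for anyone who queries the zone, and only the address is private. This discloses the VPN addressing plan, and resolvers with DNS-rebinding protection (common on home routers) drop answers that carry private addresses, so VPN clients behind such resolvers may be unable to resolve these names at all. If that trade-off is intended, say so in the comment, e.g. `# Internal services: public names resolving to VPN-only addresses (answers with 10.x addresses may be filtered by rebind-protecting resolvers)`; otherwise serve these names from a resolver inside the VPN rather than the Gandi zone. globals.nix in this commit also declares `aliases = [ "llm" ]` for ollama, so unless the DNS module does not consume aliases, `llm.A` here is a second hand-maintained copy of the same fact.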
systems/rhea/extra.nix
@@ -79,7 +79,7 @@ in
     ../../modules/jellyfin-favorites-sync
   ];
 
-  # Age secrets: gandi.env + webdav + jellyfin + generated exportarr secrets
+  # Age secrets: gandi.env + webdav + jellyfin + ollama + generated exportarr secrets
   age.secrets = {
     "gandi.env" = {
       file = ../../secrets/rhea/gandi.env.age;
@@ -340,6 +340,11 @@ in
                   "links.sbr.pm"
                 ];
                 homepage = mkRouter "homepage" [ "homepage.sbr.pm" ];
+                # Ollama LLM service (VPN-only, no auth needed)
+                ollama = mkRouter "ollama" [
+                  "ollama.sbr.pm"
+                  "llm.sbr.pm"
+                ];
                 # Traefik dashboard
                 traefik-dashboard = {
                   rule = "Host(`traefik.sbr.pm`)";
@@ -363,6 +368,7 @@ in
                 homepage = mkService "http://${builtins.head globals.machines.aion.net.ips}:3001";
                 audiobookshelf = mkService "http://${builtins.head globals.machines.aion.net.ips}:13378";
                 lidarr = mkService "http://${builtins.head globals.machines.aion.net.ips}:8686";
+                ollama = mkService "http://${builtins.head globals.machines.aomi.net.ips}:11434";
               };
             middlewares =
               syncthingMiddlewares
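Review bot: The `ollama` router's comment says "VPN-only, no auth needed", but nothing in the router enforces that: `mkRouter "ollama" [ ... ]` matches on Host only, so anyone who can reach rhea's Traefik entry point and send `Host: ollama.sbr.pm` reaches the Ollama API, which has no authentication of its own. If Traefik on rhea binds only to the VPN address, the comment should state that this binding is what makes the route VPN-only; if it also listens on a LAN or public interface, attach an `ipAllowList` middleware (Traefik v3; `ipWhiteList` in v2) restricted to the VPN range, e.g. `ollama-vpn-only.ipAllowList.sourceRange = [ "<VPN-CIDR>" ];` in the `middlewares =` attrset that begins at the end of the second hunk and continues outside it, and reference it from this router (assuming `mkRouter`, defined outside the hunk, returns a plain attrset that can be extended with `// { middlewares = [ "ollama-vpn-only" ]; }`). The backend `mkService "http://${builtins.head globals.machines.aomi.net.ips}:11434"` in the second hunk is plain HTTP to aomi's first listed address, acceptable on a trusted link but worth noting beside the router comment. The comment changed earlier in this file now lists `ollama` among the age secrets, yet no ollama secret appears in these hunks; if none is defined, drop it from that comment.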
globals.nix
@@ -555,5 +555,10 @@ _: {
     n8n.host = "rhea";
     paperless.host = "rhea";
     grafana.host = "rhea";
+    # Ollama LLM service on aomi (routed through rhea/traefik)
+    ollama = {
+      host = "rhea";
+      aliases = [ "llm" ];
+    };
   };
 }