From 2da8f22d2da53111aa31a0246ed83f7ad55758e8 Mon Sep 17 00:00:00 2001
From: "Chris (wolcen) Thompson"
Date: Sat, 31 May 2025 17:50:40 -0400
Subject: [PATCH] Allow access to ollama from VPN servers
---
 hosts/default/configuration.nix | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/hosts/default/configuration.nix b/hosts/default/configuration.nix
index 8004e5a..2348a66 100644
--- a/hosts/default/configuration.nix
+++ b/hosts/default/configuration.nix
@@ -195,6 +195,11 @@
 # if packets are still dropped, they will show up in dmesg
 logReversePathDrops = true;
 checkReversePath = "loose";
+ extraCommands = ''
+ # Enable connections to Ollama for VPN users:
+ iptables -t filter -I INPUT --protocol TCP --source 10.40.4.2/32 --destination 10.40.4.2 --dport 11434 -j ACCEPT
+ iptables -t filter -I INPUT --protocol TCP --source 10.0.7.0/24 --destination 10.40.4.2 --dport 11434 -j ACCEPT
+ '';
 # wireguard trips rpfilter up
 #extraCommands = ''
 # ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN
@@ -375,6 +380,7 @@
 #environmentVariables = {
 # HCC_AMDGPU_TARGET = "gfx1031"; # used to be necessary, but doesn't seem to anymore
 #};
+ host = "10.40.4.2"; # See also ip46tables update in firewall extracommands
 rocmOverrideGfx = "10.3.0";
 };
 system.activationScripts = {
@@ -395,8 +401,8 @@
 environment = {
 "TZ" = "America/New York";
- "OLLAMA_API_BASE_URL" = "http://127.0.0.1:11434/api";
- "OLLAMA_BASE_URL" = "http://127.0.0.1:11434";
+ "OLLAMA_API_BASE_URL" = "http://10.40.4.2:11434/api";
+ "OLLAMA_BASE_URL" = "http://10.40.4.2:11434";
 "WEBUI_URL" = "http://127.0.0.1:8080/";
 };
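Review bot: Both rules in the added `extraCommands` are inserted at the top of `INPUT` and match on source address only, so a packet arriving on any interface with a 10.0.7.0/24 source is accepted for port 11434, and `checkReversePath = "loose"` just above relaxes the check that would otherwise constrain that. Pinning the rule to the VPN interface and appending it to the NixOS firewall chain would tighten this, e.g. `iptables -A nixos-fw -p tcp -i <vpn-interface> --source 10.0.7.0/24 --destination 10.40.4.2 --dport 11434 -j nixos-fw-accept` (the interface name is a placeholder). Rules in `nixos-fw` are flushed when the firewall reloads, whereas `-I INPUT` entries likely accumulate on every reload unless a matching `-D` is added to `extraStopCommands`. The subject says "VPN servers" but the whole /24 is admitted; if only specific peers need Ollama, list those addresses instead.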
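Review bot: The trailing comment on `host = "10.40.4.2";` points to an `ip46tables` update, but the rules added in the firewall hunk use `iptables` (IPv4 only), and the comment does not say why the bind address matters. Moving the listener off loopback makes those firewall rules the only access control in front of the Ollama API, which has no authentication of its own, so the comment should state that: `# Non-loopback bind; API is unauthenticated, access is limited only by the iptables rules in firewall extraCommands`. The enclosing attribute set starts outside the hunk.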
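Review bot: The address `10.40.4.2` and port `11434` are now repeated as literals in the two URLs here, in the `host` setting and in both firewall rules, so a later change to one can silently leave the listener, the firewall and this client pointing at different endpoints. Bind the address once and interpolate it, e.g. `let ollamaAddr = "10.40.4.2";` used as `"OLLAMA_BASE_URL" = "http://${ollamaAddr}:11434";`; where the `let` would go is not visible from this hunk. The block that owns `environment` starts outside the hunk, so it cannot be told from here whether this client runs with its own source address (a container network, for instance), in which case the 10.40.4.2/32 firewall rule would not match its traffic.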