From 6170ae32b4ca86a17591837e69a2f5b20595f1d6 Mon Sep 17 00:00:00 2001
From: "RingOfStorms (Joshua Bell)"
Date: Thu, 21 Aug 2025 11:37:23 -0500
Subject: [PATCH] openwebui test
---
 common/_services/forejo.nix | 0
 common/_services/librechat.nix | 0
 hosts/h001/containers/default.nix | 1 +
 hosts/h001/containers/open-webui.nix | 86 ++++++++++++++++++++++++++++
 4 files changed, 87 insertions(+)
 delete mode 100644 common/_services/forejo.nix
 delete mode 100644 common/_services/librechat.nix
 create mode 100644 hosts/h001/containers/open-webui.nix
diff --git a/common/_services/forejo.nix b/common/_services/forejo.nix
deleted file mode 100644
index e69de29..0000000
diff --git a/common/_services/librechat.nix b/common/_services/librechat.nix
deleted file mode 100644
index e69de29..0000000
diff --git a/hosts/h001/containers/default.nix b/hosts/h001/containers/default.nix
index eeb0518..c968bc5 100644
--- a/hosts/h001/containers/default.nix
+++ b/hosts/h001/containers/default.nix
@@ -12,6 +12,7 @@ in
 ./opengist.nix
 ./homarr.nix
 ./zitadel.nix
+ ./open-webui.nix
 ];
 config = {
diff --git a/hosts/h001/containers/open-webui.nix b/hosts/h001/containers/open-webui.nix
new file mode 100644
index 0000000..51738f2
--- /dev/null
+++ b/hosts/h001/containers/open-webui.nix
@@ -0,0 +1,86 @@
+{
+ config,
+ lib,
+ ...
+}:
+let
+ name = "open-webui";
+
+ hostAddress = "10.0.0.1";
+ containerAddress = "10.0.0.4";
+ hostAddress6 = "fc00::1";
+ containerAddress6 = "fc00::4";
+in
+{
+ options = { };
+ config = {
+ services.nginx.virtualHosts."chat.joshuabell.xyz" = {
+ locations = {
+ "/" = {
+ proxyWebsockets = true;
+ recommendedProxySettings = true;
+ proxyPass = "http://${containerAddress}:8080";
+ extraConfig = ''
+ proxy_set_header X-Forwarded-Proto https;
+ '';
+ };
+ };
+ };
+
+ containers.${name} = {
+ # ephemeral = true; # Trying out a non ephemeral container setup...
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress = hostAddress;
+ localAddress = containerAddress;
+ hostAddress6 = hostAddress6;
+ localAddress6 = containerAddress6;
+ config =
+ { config, pkgs, ... }:
+ {
+ system.stateVersion = "25.05";
+
+ networking = {
+ firewall = {
+ enable = true;
+ };
+ # Use systemd-resolved inside the container
+ # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
+ useHostResolvConf = lib.mkForce false;
+ };
+ services.resolved.enable = true;
+
+ services.open-webui = {
+ enable = true;
+ port = 8080;
+ host = "::";
+ openFirewall = true;
+ environment = {
+ # Declarative config, we don't use admin panel for anything
+ ENABLE_PERSISTENT_CONFIG = false;
+ ENABLE_OAUTH_PERSISTENT_CONFIG = false;
+
+ WEBUI_URL = "https://chat.joshuabell.xyz";
+ CUSTOM_NAME = "Josh AI";
+ ENV = "prod";
+
+ ENABLE_SIGNUP = false;
+ ENABLE_LOGIN_FORM = false;
+ ENABLE_OAUTH_SIGNUP = true;
+ WEBUI_SESSION_COOKIE_SAME_SITE = "lax";
+ # OAUTH_SUB_CLAIM = "";
+ # OAUTH_UPDATE_PICTURE_ON_LOGIN = true;
+ # OAUTH_PICTURE_CLAIM = "";
+ # WEBUI_AUTH_TRUSTED_EMAIL_HEADER
+ OAUTH_CLIENT_ID = "334366065716953091";
+ OAUTH_CLIENT_SECRET = "";
+ OPENID_PROVIDER_URL = "https://sso.joshuabell.xyz/.well-known/openid-configuration";
+ # OAUTH_PROVIDER_NAME = "";
+ # OAUTH_SCOPES = "";
+ # OPENID_REDIRECT_URI = "https://chat.joshuabell.xyz/oauth/oidc/callback";
+ };
+ };
+ };
+ };
+ };
+}
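Review bot: `OAUTH_CLIENT_SECRET = "";` is declared inside `services.open-webui.environment`, and anything placed in that attrset is written to the generated unit in the world-readable Nix store as well as to this repository, so the OIDC client secret must not be filled in at this spot. Load it through the module's `environmentFile` option instead, e.g. `environmentFile = "<path-to-secret-env-file>";` (placeholder path, provisioned outside the store and made visible to the container), and drop the empty key from `environment`. Separately, `host = "::";` together with `openFirewall = true;` opens port 8080 on every container interface although only the host's nginx needs to reach it; binding to `containerAddress` would narrow that, which matters more if the commented-out `WEBUI_AUTH_TRUSTED_EMAIL_HEADER` is ever enabled, since that header is then trusted from anything that can connect. The `extraConfig` line also asserts `X-Forwarded-Proto https` unconditionally while no `forceSSL` is visible on the virtual host in this hunk, so confirm that plain-HTTP requests cannot reach this location.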