diff --git a/config/derek.nix b/config/derek.nix
index dd68196..9cb89b3 100644
--- a/config/derek.nix
+++ b/config/derek.nix
@@ -6,6 +6,9 @@
 ...
 }:
 let
+ derekUid = config.users.users.bearded_dragonn.uid;
+ openWebuiPort = config.services.open-webui.port;
+ sillytavernPort = config.services.sillytavern.port;
 enableForDerek = {
 enable = true;
 users = "bearded_dragonn";
@@ -36,8 +39,6 @@ in
 };
 services = {
 tailscale.enable = true;
- open-webui.enable = lib.mkForce false;
- ollama.enable = lib.mkForce false;
 sunshine = {
 enable = true;
 autoStart = false;
@@ -45,7 +46,23 @@ in
 openFirewall = true;
 };
 };
+ networking.nftables = {
+ enable = true;
+ tables = {
+ local-uid-block = {
+ family = "inet";
+ content = ''
+ chain output {
+ type filter hook output priority 0; policy accept;
+ meta skuid ${toString derekUid} ip daddr 127.0.0.1 tcp dport { ${toString openWebuiPort}, ${toString sillytavernPort} } drop
+ meta skuid ${toString derekUid} ip6 daddr ::1 tcp dport { ${toString openWebuiPort}, ${toString sillytavernPort} } drop
+ }
+ '';
+ };
+ };
+ };
 users.users.bearded_dragonn = {
+ uid = 1002;
 isNormalUser = true;
 createHome = true;
 hashedPasswordFile = lib.mkIf config.my.secureHost config.sops.secrets.derek-password.path;
diff --git a/config/jawz.nix b/config/jawz.nix
index 2284eb2..fd33b82 100644
--- a/config/jawz.nix
+++ b/config/jawz.nix
@@ -60,6 +60,7 @@ in
 "networkmanager"
 "scanner"
 "lp"
+ "ai"
 "piracy"
 "core"
 "glue"
diff --git a/hosts/workstation/configuration.nix b/hosts/workstation/configuration.nix
index 83fd9f5..366c46a 100644
--- a/hosts/workstation/configuration.nix
+++ b/hosts/workstation/configuration.nix
@@ -58,6 +58,8 @@ in
 allowedTCPPorts = [
 6674 # ns-usbloader
 8384 # syncthing
+ config.services.open-webui.port
+ config.services.sillytavern.port
 ];
 allowedTCPPortRanges = [
 {
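Review bot: The two drop rules in the nftables `output` chain match only `ip daddr 127.0.0.1` and `ip6 daddr ::1`, yet the same commit binds open-webui to `host = config.my.ips.workstation`, SillyTavern to `listenAddressIPv4 = config.my.ips.workstation`, and adds both ports to `allowedTCPPorts` (hosts/workstation/configuration.nix, hunks @@ -58, @@ -129 and @@ -146). If derek.nix is applied on the workstation, a connection from that UID to the workstation's own address is still delivered locally through the output hook and matches neither rule, so the block does not cover the address the services actually listen on, and every other device on the LAN reaches them through the opened firewall. Dropping the destination match, `meta skuid ${toString derekUid} tcp dport { ${toString openWebuiPort}, ${toString sillytavernPort} } drop`, covers all local addresses, and the firewall entries should stay only if network-wide exposure is intended. The `ollama.enable = lib.mkForce false` removed in the previous hunk also means ollama's own API listener is no longer disabled for that user and is not in the drop set.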
@@ -67,19 +69,22 @@ in
 ];
 };
 };
- users.users.jawz.packages = [
- (pkgs.google-cloud-sdk.withExtraComponents [
- pkgs.google-cloud-sdk.components.gke-gcloud-auth-plugin
- ])
- ]
- ++ builtins.attrValues {
- inherit (pkgs)
- distrobox # install packages from other os
- gocryptfs # encrypted filesystem! shhh!!!
- vcsi # video thumbnails for torrents, can I replace it with ^?
- keypunch # practice typing
- google-cloud-sdk-gce
- ;
+ users = {
+ groups.ai = { };
+ users.jawz.packages = [
+ (pkgs.google-cloud-sdk.withExtraComponents [
+ pkgs.google-cloud-sdk.components.gke-gcloud-auth-plugin
+ ])
+ ]
+ ++ builtins.attrValues {
+ inherit (pkgs)
+ distrobox # install packages from other os
+ gocryptfs # encrypted filesystem! shhh!!!
+ vcsi # video thumbnails for torrents, can I replace it with ^?
+ keypunch # practice typing
+ google-cloud-sdk-gce
+ ;
+ };
 };
 environment = {
 pathsToLink = [ "share/thumbnailers" ];
@@ -129,7 +134,11 @@ in
 ];
 services = {
 flatpak.enable = true;
- open-webui.enable = true;
+ open-webui = {
+ enable = true;
+ port = 2345;
+ host = config.my.ips.workstation;
+ };
 scx = {
 enable = true;
 scheduler = "scx_lavd";
@@ -146,6 +155,15 @@ in
 enable = true;
 acceleration = "cuda";
 models = "/srv/ai/ollama";
+ user = "ollama";
+ group = "ai";
+ };
+ sillytavern = {
+ enable = true;
+ group = "ai";
+ listen = true;
+ port = 9324;
+ listenAddressIPv4 = config.my.ips.workstation;
 };
 };
 }