ai toggles

config/derek.nix

@@ -6,6 +6,9 @@
   ...
 }:
 let
+  derekUid = config.users.users.bearded_dragonn.uid;
+  openWebuiPort = config.services.open-webui.port;
+  sillytavernPort = config.services.sillytavern.port;
   enableForDerek = {
     enable = true;
     users = "bearded_dragonn";
@@ -36,8 +39,6 @@ in
   };
   services = {
     tailscale.enable = true;
-    open-webui.enable = lib.mkForce false;
-    ollama.enable = lib.mkForce false;
     sunshine = {
       enable = true;
       autoStart = false;
@@ -45,7 +46,23 @@ in
       openFirewall = true;
     };
   };
+  networking.nftables = {
+    enable = true;
+    tables = {
+      local-uid-block = {
+        family = "inet";
+        content = ''
+          chain output {
+            type filter hook output priority 0; policy accept;
+            meta skuid ${toString derekUid} ip daddr 127.0.0.1 tcp dport { ${toString openWebuiPort}, ${toString sillytavernPort} } drop
+            meta skuid ${toString derekUid} ip6 daddr ::1 tcp dport { ${toString openWebuiPort}, ${toString sillytavernPort} } drop
+          }
+        '';
+      };
+    };
+  };
   users.users.bearded_dragonn = {
+    uid = 1002;
     isNormalUser = true;
     createHome = true;
     hashedPasswordFile = lib.mkIf config.my.secureHost config.sops.secrets.derek-password.path;

config/jawz.nix

@@ -60,6 +60,7 @@ in
       "networkmanager"
       "scanner"
       "lp"
+      "ai"
       "piracy"
       "core"
       "glue"