From 309afebf175c6c5e007fab204ea1d4b2295789f7 Mon Sep 17 00:00:00 2001
From: Viktor Barzin <vbarzin@gmail.com>
Date: Mon, 19 Jan 2026 20:15:43 +0000
Subject: [PATCH] add ollama-api ingress accessible only locally to allow
 claude code [ci skip]

---
 modules/kubernetes/ollama/main.tf | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/modules/kubernetes/ollama/main.tf b/modules/kubernetes/ollama/main.tf
index 7d5bd73a..fac512e5 100644
--- a/modules/kubernetes/ollama/main.tf
+++ b/modules/kubernetes/ollama/main.tf
@@ -145,7 +145,7 @@ resource "kubernetes_service" "ollama" {
   }
 }
 
-# Allow ollama to be connected to from external apps
+# Allow ollama to be connected to from external apps (internal LAN only)
 module "ollama-ingress" {
   source                  = "../ingress_factory"
   namespace               = kubernetes_namespace.ollama.metadata[0].name
@@ -158,6 +158,20 @@ module "ollama-ingress" {
   port                    = 11434
 }
 
+# Ollama API ingress for Claude Code access (restricted to LAN/VPN)
+module "ollama-api-ingress" {
+  source                  = "../ingress_factory"
+  namespace               = kubernetes_namespace.ollama.metadata[0].name
+  name                    = "ollama-api"
+  service_name            = "ollama"
+  root_domain             = "viktorbarzin.lan"
+  tls_secret_name         = var.tls_secret_name
+  allow_local_access_only = true # Restricts to 10.0.0.0/8, 192.168.1.0/24
+  ssl_redirect            = false
+  port                    = 11434
+  proxy_timeout           = 300 # Longer timeout for model inference
+}
+
 # Web UI
 resource "kubernetes_deployment" "ollama-ui" {
   metadata {