From 02a366a78254f1f3d6797f1e0a559d2dcdd4e277 Mon Sep 17 00:00:00 2001
From: Ohad Livne
Date: Wed, 12 Nov 2025 20:43:19 +0200
Subject: [PATCH 1/3] Create a dedicated script to import new models
---
 .local/bin/llm-import-model | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100755 .local/bin/llm-import-model
diff --git a/.local/bin/llm-import-model b/.local/bin/llm-import-model
new file mode 100755
index 0000000..ffd2c6c
--- /dev/null
+++ b/.local/bin/llm-import-model
@@ -0,0 +1,9 @@
+#! /usr/bin/bash
+
+set -euo pipefail
+IFS=$'\n\t'
+
+mkdir --parents ~/.local/share/ollama/
+pod_id=$(podman run --detach --rm --volume ~/.local/share/ollama/:/root/.ollama ollama:latest)
+podman exec --interactive --tty "${pod_id}" ollama pull "${1}"
+podman kill "${pod_id}"
From 8d131ea8beb423cbb14cfde75cfae53d3a50d221 Mon Sep 17 00:00:00 2001
From: Ohad Livne
Date: Wed, 12 Nov 2025 20:43:55 +0200
Subject: [PATCH 2/3] Revoke unnecessary filesystem permissions for the server
---
 .config/containers/systemd/ollama.container | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.config/containers/systemd/ollama.container b/.config/containers/systemd/ollama.container
index 4c6b9e9..fc91619 100644
--- a/.config/containers/systemd/ollama.container
+++ b/.config/containers/systemd/ollama.container
@@ -6,7 +6,7 @@ Description=A local LLM server
 ContainerName=ollama
 Image=docker.io/ollama/ollama:latest
 PublishPort=11434:11434
-Volume=%h/.local/share/ollama:/root/.ollama:Z
+Volume=%h/.local/share/ollama:/root/.ollama:ro,z
 # keep-sorted end

 [Install]
From 04d9cc5eed7bbe792ae5b92fd6824bb3eb5ce1fb Mon Sep 17 00:00:00 2001
From: Ohad Livne
Date: Wed, 12 Nov 2025 21:00:27 +0200
Subject: [PATCH 3/3] Isolate the LLM server from the internet
---
 .config/containers/systemd/ollama.container | 1 +
 .config/containers/systemd/ollama.network | 5 +++++
 2 files changed, 6 insertions(+)
 create mode 100644 .config/containers/systemd/ollama.network
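Review bot: In the new `llm-import-model`, a failed `ollama pull` leaves the detached container running with a writable mount of the model store, because `set -e` exits before `podman kill` is reached and `--rm` only removes a container after it stops. Registering `trap 'podman kill "${pod_id}"' EXIT` directly after the `podman run` line, in place of the final `podman kill`, covers every exit path. A guard such as `: "${1:?usage: llm-import-model MODEL}"` before `mkdir` would reject a missing argument before any container is started. The image is named `ollama:latest` here but `docker.io/ollama/ollama:latest` in the quadlet unit; unless a local image of that name is intended, the short name is resolved through the host's registry configuration, so the fully qualified reference is the safer choice. The volume also has no `:z` option, so on an SELinux-enforcing host the write may depend on a label previously applied by the server container, which is worth confirming.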
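Review bot: The `Volume=` line in `ollama.container` now uses the shared SELinux label `z` in place of the private `Z`, and nothing in the unit records why the label is widened while `ro` narrows the mount. Presumably the shared label is there so the import script's container can write to the same directory; a comment above the line such as `# ro: the server only reads models; z (shared label): llm-import-model writes here from a second container` would make that explicit. It is also worth confirming that the server starts cleanly against a read-only `/root/.ollama` on a fresh directory, since anything it tries to create there at startup will now fail.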
diff --git a/.config/containers/systemd/ollama.container b/.config/containers/systemd/ollama.container
index fc91619..6ae7f6c 100644
--- a/.config/containers/systemd/ollama.container
+++ b/.config/containers/systemd/ollama.container
@@ -5,6 +5,7 @@ Description=A local LLM server
 # keep-sorted start
 ContainerName=ollama
 Image=docker.io/ollama/ollama:latest
+Network=ollama.network
 PublishPort=11434:11434
 Volume=%h/.local/share/ollama:/root/.ollama:ro,z
 # keep-sorted end
diff --git a/.config/containers/systemd/ollama.network b/.config/containers/systemd/ollama.network
new file mode 100644
index 0000000..5f8c30b
--- /dev/null
+++ b/.config/containers/systemd/ollama.network
@@ -0,0 +1,5 @@
+[Unit]
+Description=Isolated network for my local LLM server
+
+[Network]
+Internal=true
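Review bot: The `PublishPort=11434:11434` context line in `ollama.container` still binds the API on every host interface, so the internal network added here limits what the container can reach but not who can reach it. Ollama's API has no authentication of its own, so if the server is meant for local use only, `PublishPort=127.0.0.1:11434:11434` keeps it off the LAN. It is also worth checking that the published port is still reachable once the container sits only on an internal network, since behaviour there may differ between Podman network backends.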