archy/apps/ollama/manifest.yml

app:
  id: ollama
  name: Ollama
  version: 0.1.0
  description: Run large language models locally. Privacy-preserving AI on your node.
  
  container:
    image: ollama/ollama:0.6.2
    image_signature: cosign://...
    pull_policy: if-not-present
    
  dependencies:
    - storage: 50Gi  # Models can be large
    
  resources:
    cpu_limit: 4
    memory_limit: 8Gi  # LLMs need lots of RAM
    disk_limit: 50Gi
    
  security:
    capabilities: []
    readonly_root: false  # Ollama needs write access for models
    no_new_privileges: true
    user: 1000
    seccomp_profile: default
    network_policy: isolated
    apparmor_profile: ollama
    
  ports:
    - host: 11434
      container: 11434
      protocol: tcp  # API
    
  volumes:
    - type: bind
      source: /var/lib/archipelago/ollama
      target: /root/.ollama
      options: [rw]
      
  environment:
    - OLLAMA_HOST=0.0.0.0:11434
    - OLLAMA_KEEP_ALIVE=24h
    
  health_check:
    type: http
    endpoint: http://localhost:11434
    path: /api/tags
    interval: 30s
    timeout: 10s
    retries: 3
apps 2026-01-24 23:20:54 +00:00			`app:`
			`id: ollama`
			`name: Ollama`
			`version: 0.1.0`
			`description: Run large language models locally. Privacy-preserving AI on your node.`

			`container:`
feat: complete Phase 1 foundation hardening + three-mode UI design doc Phase 1a — Gradient Removal: - Replaced all gradient-button/gradient-card with glass-button/path-option-card - Removed banned gradient CSS classes Phase 1b — Security Hardening: - SecretsManager: AES-256-GCM encryption (core/security) - electrs_status: credentials from env vars instead of hardcoded - port_manager: RwLock proper error handling (no unwrap) - Pinned all 11 :latest manifest images to specific versions - parmanode converter: pinned inferred image versions Phase 1c — Code Quality: - Split rpc.rs (1795 lines) into 6 handler modules (auth, node, container, package, peers) - Removed sideload code (UI, store, RPC client, 3 doc files) - Fixed body background flash on logout/refresh - Replaced 30 TypeScript `any` types with proper types - Deleted HelloWorld.vue, removed TODO comments - Added set -euo pipefail to all shell scripts - Made deploy script verbose with timestamps and elapsed time Also adds: - CLAUDE.md project guide - docs/three-mode-ui-design.md — design spec for Easy/Pro/Chat UI modes - OnlineStatusPill component Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-04 05:23:42 +00:00			`image: ollama/ollama:0.6.2`
apps 2026-01-24 23:20:54 +00:00			`image_signature: cosign://...`
			`pull_policy: if-not-present`

			`dependencies:`
			`- storage: 50Gi # Models can be large`

			`resources:`
			`cpu_limit: 4`
			`memory_limit: 8Gi # LLMs need lots of RAM`
			`disk_limit: 50Gi`

			`security:`
			`capabilities: []`
			`readonly_root: false # Ollama needs write access for models`
fix: harden all 23 app manifests with no_new_privileges, user, seccomp (MAINT-04) Added no_new_privileges: true, user: 1000, and seccomp_profile: default to all app manifests. Created community app review checklist. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-11 18:13:28 +00:00			`no_new_privileges: true`
			`user: 1000`
			`seccomp_profile: default`
apps 2026-01-24 23:20:54 +00:00			`network_policy: isolated`
			`apparmor_profile: ollama`

			`ports:`
			`- host: 11434`
			`container: 11434`
			`protocol: tcp # API`

			`volumes:`
			`- type: bind`
			`source: /var/lib/archipelago/ollama`
			`target: /root/.ollama`
			`options: [rw]`

			`environment:`
			`- OLLAMA_HOST=0.0.0.0:11434`
			`- OLLAMA_KEEP_ALIVE=24h`

			`health_check:`
			`type: http`
			`endpoint: http://localhost:11434`
			`path: /api/tags`
			`interval: 30s`
			`timeout: 10s`
			`retries: 3`