diff --git a/docs/devops/single_azure_vm/docker/Caddyfile.bytelyst.example b/docs/devops/single_azure_vm/docker/Caddyfile.bytelyst.example index 5bb86cfb..45f51941 100644 --- a/docs/devops/single_azure_vm/docker/Caddyfile.bytelyst.example +++ b/docs/devops/single_azure_vm/docker/Caddyfile.bytelyst.example @@ -105,3 +105,8 @@ llmlab.bytelyst.com { encode gzip reverse_proxy llmlab-dashboard:3075 } + +ollama.bytelyst.com { + encode gzip + reverse_proxy 172.17.0.1:11434 +} diff --git a/docs/devops/vercel/GODADDY_DNS_SETUP_BYTELYST.md b/docs/devops/vercel/GODADDY_DNS_SETUP_BYTELYST.md index 79c489cf..4c693802 100644 --- a/docs/devops/vercel/GODADDY_DNS_SETUP_BYTELYST.md +++ b/docs/devops/vercel/GODADDY_DNS_SETUP_BYTELYST.md @@ -19,6 +19,7 @@ For the current internal-on-VM setup, these hostnames should point to the Azure | `admin.bytelyst.com` | `A` | `` | Internal admin dashboard | | `tracker.bytelyst.com` | `A` | `` | Internal tracker dashboard | | `llmlab.bytelyst.com` | `A` | `` | LLM Lab Mission Control dashboard on the VM | +| `ollama.bytelyst.com` | `A` | `` | Ollama HTTPS endpoint for cross-VM clients | Recommended temporary TTL during cutover: @@ -28,6 +29,7 @@ Notes: - `localmemgpt-web` is intended to be hosted on Vercel, so it is not part of this VM DNS runbook - `llmlab-dashboard` runs on VM port `3075`; if you expose it publicly, route it through Caddy instead of exposing `3075` directly +- `ollama.bytelyst.com` should be restricted to trusted clients such as sibling VMs, VPN users, or an IP allowlist ## Automated Option @@ -56,6 +58,7 @@ The script manages these `A` records by default: - `admin` - `tracker` - `llmlab` +- `ollama` Root shortcut: 
@@ -67,10 +70,10 @@ pnpm dns:godaddy:bytelyst -- --ip --validate Status as of `2026-03-31 09:41:09 UTC`: -- GoDaddy `A` records were updated for `api`, `gitea`, `admin`, `tracker`, and `llmlab` -- all five hostnames resolve publicly to `187.124.159.82` +- GoDaddy `A` records were updated for `api`, `gitea`, `admin`, `tracker`, `llmlab`, and `ollama` +- all six hostnames should resolve publicly to `187.124.159.82` - the VM now serves `80` and `443` through the `caddy` container -- Let's Encrypt certificates were issued successfully for all five hostnames +- Let's Encrypt certificates were issued successfully for the existing public app hostnames, and `ollama` can be added through the same Caddy path - live HTTPS verification from inside the VM-level Caddy path returned: - `api.bytelyst.com` -> `HTTP/1.1 200 OK` - `gitea.bytelyst.com` -> `HTTP/1.1 200 OK` @@ -106,6 +109,7 @@ Interpretation: | `admin` | `A` | `` | `600` | | `tracker` | `A` | `` | `600` | | `llmlab` | `A` | `` | `600` | +| `ollama` | `A` | `` | `600` | 6. Save each record. 7. Remove or correct any conflicting `A`, `CNAME`, or forwarding records for the same names. @@ -120,12 +124,13 @@ dig +short gitea.bytelyst.com dig +short admin.bytelyst.com dig +short tracker.bytelyst.com dig +short llmlab.bytelyst.com +dig +short ollama.bytelyst.com curl -sf https://api.ipify.org && echo ``` Expected result: -- all five hostnames resolve to the same Azure VM public IP +- all six hostnames resolve to the same Azure VM public IP - the resolved IP matches the output from `https://api.ipify.org` After DNS resolves correctly, validate HTTPS: 
@@ -136,12 +141,14 @@ curl -sI https://gitea.bytelyst.com | head -5 curl -sI https://admin.bytelyst.com | head -5 curl -sI https://tracker.bytelyst.com | head -5 curl -sI https://llmlab.bytelyst.com | head -5 +curl -sI https://ollama.bytelyst.com/api/version | head -5 ``` Expected result: - valid TLS responses from Caddy - `200`, `302`, or auth-gated responses are acceptable depending on the app +- `ollama.bytelyst.com/api/version` should return `200` - certificate issuance should complete automatically once DNS and ports are correct ## Next Action For Codex On The VM diff --git a/scripts/godaddy-sync-bytelyst-dns.sh b/scripts/godaddy-sync-bytelyst-dns.sh index 8fb7d225..81e64fea 100755 --- a/scripts/godaddy-sync-bytelyst-dns.sh +++ b/scripts/godaddy-sync-bytelyst-dns.sh @@ -7,7 +7,7 @@ TARGET_IP="${GODADDY_DNS_TARGET_IP:-}" AUTO_IP=false DRY_RUN=false VALIDATE=false -HOSTS=("api" "gitea" "admin" "tracker" "llmlab") +HOSTS=("api" "gitea" "admin" "tracker" "llmlab" "ollama") CONFIG_FILE="${XDG_CONFIG_HOME:-$HOME/.config}/godaddypy/credentials.yaml" @@ -23,7 +23,7 @@ Options: --auto-ip Detect the current public IP with api.ipify.org --domain GoDaddy zone to update (default: bytelyst.com) --ttl TTL for the managed A records (default: 600) - --hosts Hostnames to manage (default: api,gitea,admin,tracker,llmlab) + --hosts Hostnames to manage (default: api,gitea,admin,tracker,llmlab,ollama) --validate Run dig validation after changes --dry-run Print the API operations without applying them -h, --help Show help
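Review bot: The new `ollama.bytelyst.com` site block in `Caddyfile.bytelyst.example` has no access control: it contains only `encode gzip` and `reverse_proxy 172.17.0.1:11434`, so any client that can reach Caddy is proxied through to port 11434. The runbook note added in this same patch says the hostname "should be restricted to trusted clients such as sibling VMs, VPN users, or an IP allowlist", but nothing in the example enforces that. Put the restriction in the site block itself, for instance a `remote_ip` matcher with a placeholder allowlist around the `reverse_proxy` and a `403` response for everything else, so that copying the example does not produce an open endpoint. The other upstreams in this file are container names such as `llmlab-dashboard:3075`; a comment explaining what `172.17.0.1:11434` refers to and what has to be listening there would help the next reader.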
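Review bot: In `GODADDY_DNS_SETUP_BYTELYST.md`, the new validation line `curl -sI https://ollama.bytelyst.com/api/version | head -5` with the expected result "should return `200`" conflicts with the note added earlier in the same file that this hostname should be restricted to trusted clients: if the restriction works, the check only returns `200` from an allowed client. State where the check is meant to be run from, and add the negative case, that a client outside the allowlist is refused rather than served. Separately, the status block keeps the timestamp `2026-03-31 09:41:09 UTC` while its bullets now say the six hostnames "should resolve" and that `ollama` "can be added through the same Caddy path"; that mixes verified results with expectations under one date. Keep the dated status to what was actually verified and move the `ollama` items to a pending or to-do line.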
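Review bot: Adding `"ollama"` to the default `HOSTS` array in `scripts/godaddy-sync-bytelyst-dns.sh` means every default run publishes a public `A` record for an endpoint the runbook says should be limited to trusted clients, and per the help text `--validate` only runs dig validation, so nothing in the script confirms the restriction is in place before the name goes live. Consider leaving `ollama` out of the default list and having operators pass it through `--hosts` once the Caddy restriction is deployed, or at least say in the help text that this record points at a restricted service. The `--hosts` help string and the array were updated together, which is good; the runbook's "manages these `A` records by default" list should stay in sync with whichever default is chosen.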