From 02c2f4ee2d71e32e2d356792d9acb3d7fa24fafe Mon Sep 17 00:00:00 2001 From: Your Name Date: Fri, 5 Jun 2026 13:00:54 -0400 Subject: [PATCH] litellm: pull /meridian secrets in-playbook from Infisical (runner-agnostic) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replaces the deploy.sh env-var hand-off (which only worked locally and would have made Semaphore write placeholder keys, regressing direct_*) with the standard in-playbook Infisical pull used by dawarich/mcp/cloudflared: - site.yml pre_tasks: login via the shared 828d2cc8 machine identity, read /meridian as_dict, set_fact litellm_master_key + the openai/gemini keys. - vars/vault.yml: shared ansible-vault client secret (copied from sibling repo). - requirements.yml: + infisical.vault. - deploy.sh: drop the infisical-CLI pulls; add --ask-vault-pass. Same secret path for Semaphore and local — no per-template env wiring. Deploy prereqs: attach the ansible-vault password to Semaphore template 27, and ensure the 828d2cc8 identity can read /meridian (env prod). Co-Authored-By: Claude Opus 4.8 (1M context)
---
 deploy.sh | 42 ++++++------------------------------ requirements.yml | 1 + site.yml | 56 +++++++++++++++++++++++++++++++++++++++++++----- vars/main.yml | 24 +++++++++++++-------- vars/vault.yml | 10 +++++++++ 5 files changed, 84 insertions(+), 49 deletions(-) create mode 100644 vars/vault.yml
diff --git a/deploy.sh b/deploy.sh
index b73b15b..ce116a7 100755
--- a/deploy.sh
+++ b/deploy.sh
@@ -9,46 +9,18 @@
 # ./deploy.sh -v # verbose output
 #
 # Secrets:
-# LITELLM_MASTER_KEY is pulled from Infisical (/meridian/vault_litellm_master_key)
-# on the controller and exported into the env for the playbook to read.
-# For Semaphore deploys, set LITELLM_MASTER_KEY as an env var on the template.
+# The playbook reads /meridian from Infisical itself (site.yml pre_tasks) —
+# master key + the direct_* provider keys. No env wiring needed; this works
+# identically under Semaphore. The only local requirement is the ansible-vault
+# password (decrypts vars/vault.yml → the Infisical machine-identity secret),
+# which --ask-vault-pass prompts for. Semaphore supplies it via an attached
+# vault key on the template.
 # ==============================================================================
 set -euo pipefail
 HOST_IP="$(grep -E '^[0-9]' inventory.ini | head -1 | awk '{print $1}')"
 HOST_USER="$(grep -o 'ansible_user=[^ ]*' inventory.ini | head -1 | cut -d= -f2)"
-if [[ -z "${LITELLM_MASTER_KEY:-}" ]]; then
- echo "==> Pulling LITELLM_MASTER_KEY from Infisical ..."
- LITELLM_MASTER_KEY="$(infisical secrets get vault_litellm_master_key \ --projectId 50062d7c-06ff-4d5c-8ca3-6c0cdba9f270 \ --env prod --path /meridian --plain 2>/dev/null)"
- if [[ -z "$LITELLM_MASTER_KEY" ]]; then
- echo " ERROR: couldn't fetch LITELLM_MASTER_KEY. Is the infisical CLI logged in?" >&2
- exit 1
- fi
- export LITELLM_MASTER_KEY
-fi
-
-# Optional provider keys for direct_* models. Non-fatal: if a key isn't in
-# Infisical /meridian yet, litellm.env falls back to a placeholder and the
-# direct_* model 401s on call (proxy_* + local_* keep working). Drop the secret
-# into Infisical /meridian to activate, then re-deploy.
-for keyvar in OPENAI_API_KEY GEMINI_API_KEY; do
- if [[ -z "${!keyvar:-}" ]]; then
- secret_name="vault_$(echo "$keyvar" | tr '[:upper:]' '[:lower:]')"
- val="$(infisical secrets get "$secret_name" \ --projectId 50062d7c-06ff-4d5c-8ca3-6c0cdba9f270 \ --env prod --path /meridian --plain 2>/dev/null || true)"
- if [[ -n "$val" ]]; then
- echo "==> Pulled ${keyvar} from Infisical (direct_* enabled)."
- export "$keyvar=$val"
- else
- echo "==> ${keyvar} not in Infisical /meridian — direct_* for this provider stays scaffolded (401 until set)."
- fi
- fi
-done
-
 echo "==> Checking connectivity to ${HOST_USER}@${HOST_IP} ..."
 if ! ssh -o ConnectTimeout=5 -o BatchMode=yes "${HOST_USER}@${HOST_IP}" true 2>/dev/null; then
 echo " Cannot SSH to ${HOST_IP} — refreshing host key ..."
@@ -60,7 +32,7 @@ echo "==> Installing Ansible collections ..."
 ansible-galaxy collection install -r requirements.yml --force 2>/dev/null
 echo "==> Running deploy playbook ..."
-ansible-playbook -i inventory.ini site.yml "$@"
+ansible-playbook -i inventory.ini site.yml --ask-vault-pass "$@"
 echo "==> Verifying ..."
 ssh "${HOST_USER}@${HOST_IP}" bash -s <<'VERIFY'
diff --git a/requirements.yml b/requirements.yml
index 9dbb90c..6fa895d 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -2,3 +2,4 @@ collections:
 - name: community.general
 - name: ansible.posix
+ - name: infisical.vault
diff --git a/site.yml b/site.yml
index c3d2278..b7fdc99 100644
--- a/site.yml
+++ b/site.yml
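Review bot: `--ask-vault-pass` is now hard-wired in front of `"$@"`, so the local script can no longer run non-interactively — from CI or cron, with an `ANSIBLE_VAULT_PASSWORD_FILE` already exported, or with a `--vault-password-file`/`--vault-id` passed through `"$@"` (ansible-playbook rejects that combination with `--ask-vault-pass`, as far as I recall). Make the prompt the default rather than unconditional, e.g. `vault_opt=--ask-vault-pass`, then `[[ -n "${ANSIBLE_VAULT_PASSWORD_FILE:-}" ]] && vault_opt=`, and `ansible-playbook -i inventory.ini site.yml ${vault_opt:+"$vault_opt"} "$@"`. The header comment in the first hunk ("which --ask-vault-pass prompts for") would then want a clause naming the env-var escape hatch.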
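Review bot: `infisical.vault` is added without a `version:` pin, and the deploy.sh context above reinstalls with `ansible-galaxy collection install -r requirements.yml --force 2>/dev/null`, so every deploy pulls whatever the latest published release is and an install failure is silenced until the play fails on an unresolved module. Pin it — `- name: infisical.vault` followed by `  version: "<pinned-version>"` (placeholder) — so the controller's dependency set is reproducible. The same applies to the `pip: name: infisicalsdk` task the site.yml hunk adds, which installs an unpinned package into the controller's system interpreter with `--break-system-packages` on every run; a `version:` there (or a `virtualenv:`) avoids silently upgrading the SDK that handles the machine-identity credentials.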
@@ -16,8 +16,12 @@
 # (see homelab-docs services/meridian.md). Don't scp ~/.claude/ from Mac —
 # Mac stores the refresh token in Keychain, scp can't see it.
 #
+# Secrets: the playbook reads /meridian from Infisical itself (pre_tasks below),
+# so Semaphore and local deploys are identical — no per-runner env wiring. The
+# Infisical machine-identity client secret lives in vars/vault.yml (ansible-vault).
+#
 # Usage:
-# ./deploy.sh # full deploy (pulls LITELLM_MASTER_KEY from Infisical)
+# ./deploy.sh # full deploy (prompts for vault password)
 # ./deploy.sh --tags meridian # meridian role only
 # ./deploy.sh --tags litellm # litellm role only
 # ==============================================================================
@@ -27,19 +31,61 @@
 become: true
 vars_files:
 - vars/main.yml
+ - vars/vault.yml
 pre_tasks:
 - name: Deploy banner
 debug:
 msg: "===== {{ ansible_play_name }} → {{ inventory_hostname }} ({{ ansible_host | default(inventory_hostname) }}) ====="
- - name: Sanity-check LITELLM_MASTER_KEY is set
+ - name: Install infisicalsdk on controller
+ pip:
+ name: infisicalsdk
+ state: present
+ extra_args: --break-system-packages
+ delegate_to: localhost
+ become: false
+ run_once: true
+
+ - name: Authenticate with Infisical
+ infisical.vault.login:
+ url: "{{ infisical_url }}"
+ auth_method: universal_auth
+ universal_auth_client_id: "{{ infisical_client_id }}"
+ universal_auth_client_secret: "{{ infisical_client_secret }}"
+ register: infisical_login
+ delegate_to: localhost
+ become: false
+ run_once: true
+
+ - name: Read meridian secrets
+ infisical.vault.read_secrets:
+ login_data: "{{ infisical_login.login_data }}"
+ project_id: "{{ infisical_project_id }}"
+ env_slug: "prod"
+ path: "/meridian"
+ as_dict: true
+ register: meridian_secrets
+ delegate_to: localhost
+ become: false
+ run_once: true
+
+ # Provider keys are optional (direct_* models). default('') keeps the play
+ # idempotent before a key exists — litellm.env then writes a placeholder and
+ # that provider's direct_* models 401 until the real key lands in /meridian.
+ - name: Map secrets to vars
+ set_fact:
+ litellm_master_key: "{{ meridian_secrets.secrets.vault_litellm_master_key }}"
+ litellm_openai_api_key: "{{ meridian_secrets.secrets.vault_openai_api_key | default('') }}"
+ litellm_gemini_api_key: "{{ meridian_secrets.secrets.vault_gemini_api_key | default('') }}"
+
+ - name: Sanity-check the LiteLLM master key resolved
 assert:
 that: litellm_master_key is defined and litellm_master_key != 'CHANGE_ME' and (litellm_master_key | length) >= 24
 fail_msg: |
- LITELLM_MASTER_KEY env var not set on the controller.
- Run via ./deploy.sh (which pulls it from Infisical), or pass:
- -e litellm_master_key="$(infisical secrets get vault_litellm_master_key --env prod --path /meridian --plain)"
+ vault_litellm_master_key did not resolve from Infisical /meridian.
+ Check the 828d2cc8 machine identity can read /meridian (env prod), or
+ pass -e litellm_master_key="..." for an ad-hoc run.
 roles:
 - { role: meridian, tags: ['meridian'] }
diff --git a/vars/main.yml b/vars/main.yml
index ee5bbe5..72b6cc4 100644
--- a/vars/main.yml
+++ b/vars/main.yml
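Review bot: None of the new pre_tasks carries a tag, so the `./deploy.sh --tags litellm` run that the site.yml header documents skips the Infisical login, the read and the set_fact (and the untagged assert with them), and litellm_master_key silently falls back to the vars/main.yml env lookup — `CHANGE_ME` when LITELLM_MASTER_KEY is unset, which the removed deploy.sh export used to guarantee was not the case; add `tags: [always]` to the four Infisical tasks and to the assert, after which the vars/main.yml comment "These three are OVERRIDDEN by site.yml set_fact" in the next hunk actually holds. The login, read_secrets and set_fact tasks also need `no_log: true`: the registered `infisical_login`/`meridian_secrets` results and the set_fact values are otherwise printed under the `-v` that deploy.sh advertises and end up in Semaphore's task log (unless the collection's modules mask them themselves — not checked here), at the cost of terser failure output. `meridian_secrets.secrets.vault_litellm_master_key` has no `default`, so a missing key fails inside 'Map secrets to vars' with a generic undefined-variable error instead of the assert's fail_msg; `litellm_master_key: "{{ meridian_secrets.secrets.vault_litellm_master_key | default('CHANGE_ME') }}"` lets the assert report it. The play header (hosts/become) sits above the hunk.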
@@ -131,15 +131,21 @@ litellm_models:
 - name: direct_gemini-2.5-pro
 backend: gemini/gemini-2.5-pro
 api_key: os.environ/GEMINI_API_KEY
-# Master key is required by LiteLLM. Pulled at deploy time from Infisical
-# /meridian/vault_litellm_master_key and passed via -e on the playbook
-# (see deploy.sh).
-litellm_master_key: "{{ lookup('env', 'LITELLM_MASTER_KEY') | default('CHANGE_ME', true) }}"
+# Infisical (secrets source). site.yml's pre_tasks log into this shared machine
+# identity and read /meridian, then set_fact the keys below — so BOTH Semaphore
+# and local deploys get real secrets with no per-runner env wiring. The client
+# secret is in vars/vault.yml (ansible-vault, shared across LXC repos).
+infisical_url: "https://secrets.balders.ca"
+infisical_project_id: "50062d7c-06ff-4d5c-8ca3-6c0cdba9f270"
+infisical_client_id: "828d2cc8-eb25-4b1e-a711-c9a4b1580106"
+infisical_client_secret: "{{ vault_infisical_client_secret }}"
-# Provider keys for direct_* models. Optional — deploy.sh pulls them from
-# Infisical /meridian if present, else they stay empty and litellm.env writes a
-# placeholder so the proxy still boots (direct_* models just 401 until a real
-# key lands). Drop OPENAI_API_KEY / GEMINI_API_KEY into Infisical /meridian to
-# activate them.
+# These three are OVERRIDDEN by site.yml set_fact from the Infisical read of
+# /meridian (vault_litellm_master_key / vault_openai_api_key / vault_gemini_api_key).
+# The env-lookup defaults here are only a manual fallback for `-e`/ad-hoc runs;
+# the normal path is the in-playbook Infisical pull. litellm.env writes a
+# placeholder when a provider key is empty so the proxy still boots (that
+# provider's direct_* models then 401 until a real key lands).
+litellm_master_key: "{{ lookup('env', 'LITELLM_MASTER_KEY') | default('CHANGE_ME', true) }}"
 litellm_openai_api_key: "{{ lookup('env', 'OPENAI_API_KEY') | default('', true) }}"
 litellm_gemini_api_key: "{{ lookup('env', 'GEMINI_API_KEY') | default('', true) }}"
diff --git a/vars/vault.yml b/vars/vault.yml new file mode 100644 index 0000000..d164004 --- /dev/null +++ b/vars/vault.yml @@ -0,0 +1,10 @@ +$ANSIBLE_VAULT;1.1;AES256 +66366365356236623964366166336662353433626337323337343365316662636332356636336534 +6364616163666431333863613639353837623165636264390a363030376536373966316230356335 +30623466653337326133666539343966656362613964353763636539623634396364633137323733 +3636613464393534660a313334393333343835616235613833346663373537363738383064363437 +34373430306665376639633032373961653134303233613164633738356166376234663039303138 +65313065383061636263393262353139646239383638303036313662373663316132333666366537 +65333866356235373830323734623730356138653338663538616666643230303835653461343236 +31616161333461356665316238363133316134376665353437386564313939356137313331613333 +35653238383931376131323834383633313930396533323032363863666138383332