litellm: pull /meridian secrets in-playbook from Infisical (runner-agnostic)

Replaces the deploy.sh env-var hand-off (which only worked locally and would
have made Semaphore write placeholder keys, regressing direct_*) with the
standard in-playbook Infisical pull used by dawarich/mcp/cloudflared:

- site.yml pre_tasks: login via the shared 828d2cc8 machine identity, read
  /meridian as_dict, set_fact litellm_master_key + the openai/gemini keys.
- vars/vault.yml: shared ansible-vault client secret (copied from sibling repo).
- requirements.yml: + infisical.vault.
- deploy.sh: drop the infisical-CLI pulls; add --ask-vault-pass.

Same secret path for Semaphore and local — no per-template env wiring. Deploy
prereqs: attach the ansible-vault password to Semaphore template 27, and ensure
the 828d2cc8 identity can read /meridian (env prod).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

vars/main.yml

@@ -131,15 +131,21 @@ litellm_models:
   - name: direct_gemini-2.5-pro
     backend: gemini/gemini-2.5-pro
     api_key: os.environ/GEMINI_API_KEY
-# Master key is required by LiteLLM. Pulled at deploy time from Infisical
-# /meridian/vault_litellm_master_key and passed via -e on the playbook
-# (see deploy.sh).
-litellm_master_key: "{{ lookup('env', 'LITELLM_MASTER_KEY') | default('CHANGE_ME', true) }}"
+# Infisical (secrets source). site.yml's pre_tasks log into this shared machine
+# identity and read /meridian, then set_fact the keys below — so BOTH Semaphore
+# and local deploys get real secrets with no per-runner env wiring. The client
+# secret is in vars/vault.yml (ansible-vault, shared across LXC repos).
+infisical_url: "https://secrets.balders.ca"
+infisical_project_id: "50062d7c-06ff-4d5c-8ca3-6c0cdba9f270"
+infisical_client_id: "828d2cc8-eb25-4b1e-a711-c9a4b1580106"
+infisical_client_secret: "{{ vault_infisical_client_secret }}"
 
-# Provider keys for direct_* models. Optional — deploy.sh pulls them from
-# Infisical /meridian if present, else they stay empty and litellm.env writes a
-# placeholder so the proxy still boots (direct_* models just 401 until a real
-# key lands). Drop OPENAI_API_KEY / GEMINI_API_KEY into Infisical /meridian to
-# activate them.
+# These three are OVERRIDDEN by site.yml set_fact from the Infisical read of
+# /meridian (vault_litellm_master_key / vault_openai_api_key / vault_gemini_api_key).
+# The env-lookup defaults here are only a manual fallback for `-e`/ad-hoc runs;
+# the normal path is the in-playbook Infisical pull. litellm.env writes a
+# placeholder when a provider key is empty so the proxy still boots (that
+# provider's direct_* models then 401 until a real key lands).
+litellm_master_key: "{{ lookup('env', 'LITELLM_MASTER_KEY') | default('CHANGE_ME', true) }}"
 litellm_openai_api_key: "{{ lookup('env', 'OPENAI_API_KEY') | default('', true) }}"
 litellm_gemini_api_key: "{{ lookup('env', 'GEMINI_API_KEY') | default('', true) }}"

vars/vault.yml

@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+66366365356236623964366166336662353433626337323337343365316662636332356636336534
+6364616163666431333863613639353837623165636264390a363030376536373966316230356335
+30623466653337326133666539343966656362613964353763636539623634396364633137323733
+3636613464393534660a313334393333343835616235613833346663373537363738383064363437
+34373430306665376639633032373961653134303233613164633738356166376234663039303138
+65313065383061636263393262353139646239383638303036313662373663316132333666366537
+65333866356235373830323734623730356138653338663538616666643230303835653461343236
+31616161333461356665316238363133316134376665353437386564313939356137313331613333
+35653238383931376131323834383633313930396533323032363863666138383332