cbalders/homelab-ansible-lxc-meridian
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

litellm: pull /meridian secrets in-playbook from Infisical (runner-agnostic)

Browse Source 
Replaces the deploy.sh env-var hand-off (which only worked locally and would
have made Semaphore write placeholder keys, regressing direct_*) with the
standard in-playbook Infisical pull used by dawarich/mcp/cloudflared:

- site.yml pre_tasks: login via the shared 828d2cc8 machine identity, read
  /meridian as_dict, set_fact litellm_master_key + the openai/gemini keys.
- vars/vault.yml: shared ansible-vault client secret (copied from sibling repo).
- requirements.yml: + infisical.vault.
- deploy.sh: drop the infisical-CLI pulls; add --ask-vault-pass.

Same secret path for Semaphore and local — no per-template env wiring. Deploy
prereqs: attach the ansible-vault password to Semaphore template 27, and ensure
the 828d2cc8 identity can read /meridian (env prod).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Your Name
2026-06-05 13:00:54 -04:00
parent a39323db70
commit 02c2f4ee2d
5 changed files with 84 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files
deploy.sh
+7 -35
View File
@@ -9,46 +9,18 @@
# ./deploy.sh -v # verbose output
#
# Secrets:
# LITELLM_MASTER_KEY is pulled from Infisical (/meridian/vault_litellm_master_key)
# on the controller and exported into the env for the playbook to read.
# For Semaphore deploys, set LITELLM_MASTER_KEY as an env var on the template.
# The playbook reads /meridian from Infisical itself (site.yml pre_tasks) —
# master key + the direct_* provider keys. No env wiring needed; this works
# identically under Semaphore. The only local requirement is the ansible-vault
# password (decrypts vars/vault.yml → the Infisical machine-identity secret),
# which --ask-vault-pass prompts for. Semaphore supplies it via an attached
# vault key on the template.
# ==============================================================================
set -euo pipefail
HOST_IP="$(grep -E '^[0-9]' inventory.ini | head -1 | awk '{print $1}')"
HOST_USER="$(grep -o 'ansible_user=[^ ]*' inventory.ini | head -1 | cut -d= -f2)"
if [[ -z "${LITELLM_MASTER_KEY:-}" ]]; then
echo "==> Pulling LITELLM_MASTER_KEY from Infisical ..."
LITELLM_MASTER_KEY="$(infisical secrets get vault_litellm_master_key \
--projectId 50062d7c-06ff-4d5c-8ca3-6c0cdba9f270 \
--env prod --path /meridian --plain 2>/dev/null)"
if [[ -z "$LITELLM_MASTER_KEY" ]]; then
echo " ERROR: couldn't fetch LITELLM_MASTER_KEY. Is the infisical CLI logged in?" >&2
exit 1
fi
export LITELLM_MASTER_KEY
fi
# Optional provider keys for direct_* models. Non-fatal: if a key isn't in
# Infisical /meridian yet, litellm.env falls back to a placeholder and the
# direct_* model 401s on call (proxy_* + local_* keep working). Drop the secret
# into Infisical /meridian to activate, then re-deploy.
for keyvar in OPENAI_API_KEY GEMINI_API_KEY; do
if [[ -z "${!keyvar:-}" ]]; then
secret_name="vault_$(echo "$keyvar" | tr '[:upper:]' '[:lower:]')"
val="$(infisical secrets get "$secret_name" \
--projectId 50062d7c-06ff-4d5c-8ca3-6c0cdba9f270 \
--env prod --path /meridian --plain 2>/dev/null || true)"
if [[ -n "$val" ]]; then
echo "==> Pulled ${keyvar} from Infisical (direct_* enabled)."
export "$keyvar=$val"
else
echo "==> ${keyvar} not in Infisical /meridian — direct_* for this provider stays scaffolded (401 until set)."
fi
fi
done
echo "==> Checking connectivity to ${HOST_USER}@${HOST_IP} ..."
if ! ssh -o ConnectTimeout=5 -o BatchMode=yes "${HOST_USER}@${HOST_IP}" true 2>/dev/null; then
echo " Cannot SSH to ${HOST_IP} — refreshing host key ..."
@@ -60,7 +32,7 @@ echo "==> Installing Ansible collections ..."
ansible-galaxy collection install -r requirements.yml --force 2>/dev/null
echo "==> Running deploy playbook ..."
ansible-playbook -i inventory.ini site.yml "$@"
ansible-playbook -i inventory.ini site.yml --ask-vault-pass "$@"
echo "==> Verifying ..."
ssh "${HOST_USER}@${HOST_IP}" bash -s <<'VERIFY'
requirements.yml
+1
View File
@@ -2,3 +2,4 @@
collections:
- name: community.general
- name: ansible.posix
- name: infisical.vault
site.yml
+51 -5
View File
@@ -16,8 +16,12 @@
# (see homelab-docs services/meridian.md). Don't scp ~/.claude/ from Mac —
# Mac stores the refresh token in Keychain, scp can't see it.
#
# Secrets: the playbook reads /meridian from Infisical itself (pre_tasks below),
# so Semaphore and local deploys are identical — no per-runner env wiring. The
# Infisical machine-identity client secret lives in vars/vault.yml (ansible-vault).
#
# Usage:
# ./deploy.sh # full deploy (pulls LITELLM_MASTER_KEY from Infisical)
# ./deploy.sh # full deploy (prompts for vault password)
# ./deploy.sh --tags meridian # meridian role only
# ./deploy.sh --tags litellm # litellm role only
# ==============================================================================
@@ -27,19 +31,61 @@
become: true
vars_files:
- vars/main.yml
- vars/vault.yml
pre_tasks:
- name: Deploy banner
debug:
msg: "===== {{ ansible_play_name }} → {{ inventory_hostname }} ({{ ansible_host | default(inventory_hostname) }}) ====="
- name: Sanity-check LITELLM_MASTER_KEY is set
- name: Install infisicalsdk on controller
pip:
name: infisicalsdk
state: present
extra_args: --break-system-packages
delegate_to: localhost
become: false
run_once: true
- name: Authenticate with Infisical
infisical.vault.login:
url: "{{ infisical_url }}"
auth_method: universal_auth
universal_auth_client_id: "{{ infisical_client_id }}"
universal_auth_client_secret: "{{ infisical_client_secret }}"
register: infisical_login
delegate_to: localhost
become: false
run_once: true
- name: Read meridian secrets
infisical.vault.read_secrets:
login_data: "{{ infisical_login.login_data }}"
project_id: "{{ infisical_project_id }}"
env_slug: "prod"
path: "/meridian"
as_dict: true
register: meridian_secrets
delegate_to: localhost
become: false
run_once: true
# Provider keys are optional (direct_* models). default('') keeps the play
# idempotent before a key exists — litellm.env then writes a placeholder and
# that provider's direct_* models 401 until the real key lands in /meridian.
- name: Map secrets to vars
set_fact:
litellm_master_key: "{{ meridian_secrets.secrets.vault_litellm_master_key }}"
litellm_openai_api_key: "{{ meridian_secrets.secrets.vault_openai_api_key | default('') }}"
litellm_gemini_api_key: "{{ meridian_secrets.secrets.vault_gemini_api_key | default('') }}"
- name: Sanity-check the LiteLLM master key resolved
assert:
that: litellm_master_key is defined and litellm_master_key != 'CHANGE_ME' and (litellm_master_key | length) >= 24
fail_msg: |
LITELLM_MASTER_KEY env var not set on the controller.
Run via ./deploy.sh (which pulls it from Infisical), or pass:
-e litellm_master_key="$(infisical secrets get vault_litellm_master_key --env prod --path /meridian --plain)"
vault_litellm_master_key did not resolve from Infisical /meridian.
Check the 828d2cc8 machine identity can read /meridian (env prod), or
pass -e litellm_master_key="..." for an ad-hoc run.
roles:
- { role: meridian, tags: ['meridian'] }
vars/main.yml
+15 -9
View File
@@ -131,15 +131,21 @@ litellm_models:
- name: direct_gemini-2.5-pro
backend: gemini/gemini-2.5-pro
api_key: os.environ/GEMINI_API_KEY
# Master key is required by LiteLLM. Pulled at deploy time from Infisical
# /meridian/vault_litellm_master_key and passed via -e on the playbook
# (see deploy.sh).
litellm_master_key: "{{ lookup('env', 'LITELLM_MASTER_KEY') | default('CHANGE_ME', true) }}"
# Infisical (secrets source). site.yml's pre_tasks log into this shared machine
# identity and read /meridian, then set_fact the keys below — so BOTH Semaphore
# and local deploys get real secrets with no per-runner env wiring. The client
# secret is in vars/vault.yml (ansible-vault, shared across LXC repos).
infisical_url: "https://secrets.balders.ca"
infisical_project_id: "50062d7c-06ff-4d5c-8ca3-6c0cdba9f270"
infisical_client_id: "828d2cc8-eb25-4b1e-a711-c9a4b1580106"
infisical_client_secret: "{{ vault_infisical_client_secret }}"
# Provider keys for direct_* models. Optional — deploy.sh pulls them from
# Infisical /meridian if present, else they stay empty and litellm.env writes a
# placeholder so the proxy still boots (direct_* models just 401 until a real
# key lands). Drop OPENAI_API_KEY / GEMINI_API_KEY into Infisical /meridian to
# activate them.
# These three are OVERRIDDEN by site.yml set_fact from the Infisical read of
# /meridian (vault_litellm_master_key / vault_openai_api_key / vault_gemini_api_key).
# The env-lookup defaults here are only a manual fallback for `-e`/ad-hoc runs;
# the normal path is the in-playbook Infisical pull. litellm.env writes a
# placeholder when a provider key is empty so the proxy still boots (that
# provider's direct_* models then 401 until a real key lands).
litellm_master_key: "{{ lookup('env', 'LITELLM_MASTER_KEY') | default('CHANGE_ME', true) }}"
litellm_openai_api_key: "{{ lookup('env', 'OPENAI_API_KEY') | default('', true) }}"
litellm_gemini_api_key: "{{ lookup('env', 'GEMINI_API_KEY') | default('', true) }}"
vars/vault.yml
+10
View File
@@ -0,0 +1,10 @@
$ANSIBLE_VAULT;1.1;AES256
66366365356236623964366166336662353433626337323337343365316662636332356636336534
6364616163666431333863613639353837623165636264390a363030376536373966316230356335
30623466653337326133666539343966656362613964353763636539623634396364633137323733
3636613464393534660a313334393333343835616235613833346663373537363738383064363437
34373430306665376639633032373961653134303233613164633738356166376234663039303138
65313065383061636263393262353139646239383638303036313662373663316132333666366537
65333866356235373830323734623730356138653338663538616666643230303835653461343236
31616161333461356665316238363133316134376665353437386564313939356137313331613333
35653238383931376131323834383633313930396533323032363863666138383332