litellm: add OpenAI→Meridian shim role (venv + systemd, port 4000)
LiteLLM sits in front of Meridian for clients that can't talk Anthropic's /v1/messages format (Pulse OpenAI provider, paperless-ai, etc.). Routes OpenAI-shaped requests to localhost:3456 (Meridian) which forwards to the Max sub.

- New roles/litellm/ — Python venv, pip install litellm[proxy], systemd
- vars/main.yml — model map (haiku/sonnet/opus) + LITELLM_MASTER_KEY env lookup
- site.yml — adds litellm role + sanity-check assert
- deploy.sh — pulls LITELLM_MASTER_KEY from Infisical (/meridian/) on the controller and exports it for the playbook
- New Infisical secret /meridian/vault_litellm_master_key

Smoke: Pulse → LiteLLM /v1/chat/completions → Meridian /v1/messages → Max sub returns "pong" through both the LiteLLM master key auth and the Claude Code SDK OAuth.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@@ -7,14 +7,19 @@
# integration (and any Anthropic-compatible client) can use the Max subscription
# instead of paid API tokens.
#
# Security: Meridian has no auth layer of its own. LAN-only reachability is
# the entire security model — no Caddy public vhost, no Cloudflare tunnel.
# OAuth bootstrap is manual: `claude login` on Chuck's Mac, scp ~/.claude/ to
# /opt/meridian/.claude/ on the LXC, then `systemctl restart meridian`.
# Security:
# - Meridian itself has no auth layer; LAN-only reachability is the security model.
# - LiteLLM sits in front for clients that speak OpenAI (e.g. Pulse). It does
# require a master key (Infisical /meridian/vault_litellm_master_key).
#
# OAuth bootstrap is one-time, paste-code flow run directly on the LXC
# (see homelab-docs services/meridian.md). Don't scp ~/.claude/ from Mac —
# Mac stores the refresh token in Keychain, scp can't see it.
#
# Usage:
# ./deploy.sh # full deploy
# ./deploy.sh # full deploy (pulls LITELLM_MASTER_KEY from Infisical)
# ./deploy.sh --tags meridian # meridian role only
# ./deploy.sh --tags litellm # litellm role only
# ==============================================================================

- name: Deploy Meridian LXC
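Review bot: the rewritten `# Security:` block loses precision in two places in this hunk. The removed line `# the entire security model — no Caddy public vhost, no Cloudflare tunnel.` said concretely what "LAN-only" excludes; the new first bullet drops that, so the reachability assumption is no longer documented. And the new LiteLLM bullet (`# require a master key (Infisical /meridian/vault_litellm_master_key).`) reads as if the key adds an auth layer to the stack, when it only gates the LiteLLM port: Meridian on 3456 remains unauthenticated to anything that can reach it. Suggest restoring the "no public vhost, no tunnel" wording and rephrasing the bullet along the lines of `# - LiteLLM requires a master key, which gates only the LiteLLM port; Meridian on 3456 stays unauthenticated`, stating whether 3456 is bound to loopback or to the LAN.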
@@ -28,6 +33,15 @@
debug:
msg: "===== {{ ansible_play_name }} → {{ inventory_hostname }} ({{ ansible_host | default(inventory_hostname) }}) ====="

- name: Sanity-check LITELLM_MASTER_KEY is set
assert:
that: litellm_master_key is defined and litellm_master_key != 'CHANGE_ME' and (litellm_master_key | length) >= 24
fail_msg: |
LITELLM_MASTER_KEY env var not set on the controller.
Run via ./deploy.sh (which pulls it from Infisical), or pass:
-e litellm_master_key="$(infisical secrets get vault_litellm_master_key --env prod --path /meridian --plain)"

roles:
- meridian
- node_exporter
- { role: meridian, tags: ['meridian'] }
- { role: litellm, tags: ['litellm'] }
- { role: node_exporter, tags: ['node_exporter'] }
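Review bot: the new `Sanity-check LITELLM_MASTER_KEY is set` task carries no tags, so the `./deploy.sh --tags litellm` invocation advertised in the header will skip it (under `--tags`, Ansible runs only tasks tagged with a selected tag or `always`), and the `litellm` role would then deploy with an undefined or `CHANGE_ME` key; add `tags: ['always']` (or at least `litellm`) to the assert. Two smaller points on the same task: the `fail_msg` line `-e litellm_master_key="$(infisical secrets get ... --plain)"` recommends passing the secret on the command line, which lands it in the controller's shell history and `ps` output, so prefer pointing only at `./deploy.sh` or at `-e @vars-file`; and add `no_log: true` as a precaution so nothing about the value is echoed under higher verbosity.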