Replaces the deploy.sh env-var hand-off (which only worked locally and would
have made Semaphore write placeholder keys, regressing direct_*) with the
standard in-playbook Infisical pull used by dawarich/mcp/cloudflared:
- site.yml pre_tasks: login via the shared 828d2cc8 machine identity, read
/meridian as_dict, set_fact litellm_master_key + the openai/gemini keys.
- vars/vault.yml: shared ansible-vault client secret (copied from sibling repo).
- requirements.yml: + infisical.vault.
- deploy.sh: drop the infisical-CLI pulls; add --ask-vault-pass.
Same secret path for Semaphore and local — no per-template env wiring. Deploy
prereqs: attach the ansible-vault password to Semaphore template 27, and ensure
the 828d2cc8 identity can read /meridian (env prod).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Backend-prefix taxonomy so the Open WebUI picker is self-documenting and a
model name can't lie about where it routes:
local_* -> Anvil/Ollama (free) e.g. local_qwen2.5-72b
proxy_* -> Claude via Meridian/Max e.g. proxy_claude-sonnet-4-6
direct_* -> metered OpenAI/Gemini e.g. direct_gpt-4o, direct_gemini-2.0-flash
Drops the redundant -max suffix (proxy_ already implies Max). api_base is now
emitted only when a model defines it, so direct_* hit the provider default
endpoint instead of Meridian. direct_* are SCAFFOLDED (no live keys): litellm.env
writes a placeholder so the proxy boots; deploy.sh pulls OPENAI_API_KEY/
GEMINI_API_KEY from Infisical /meridian if present (non-fatal). They 401 until
real keys land.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
LiteLLM sits in front of Meridian for clients that can't talk Anthropic's
/v1/messages format (Pulse OpenAI provider, paperless-ai, etc.). Routes
OpenAI-shaped requests to localhost:3456 (Meridian) which forwards to the
Max sub.
- New roles/litellm/ — Python venv, pip install litellm[proxy], systemd
- vars/main.yml — model map (haiku/sonnet/opus) + LITELLM_MASTER_KEY env lookup
- site.yml — adds litellm role + sanity-check assert
- deploy.sh — pulls LITELLM_MASTER_KEY from Infisical (/meridian/) on the
controller and exports it for the playbook
- New Infisical secret /meridian/vault_litellm_master_key
Smoke: Pulse → LiteLLM /v1/chat/completions → Meridian /v1/messages → Max sub
returns "pong" through both the LiteLLM master key auth and the Claude Code
SDK OAuth.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Deploys @rynfar/meridian on a Debian 12 LXC, bound to 0.0.0.0:3456.
OAuth credentials transferred manually after first deploy (claude login on
Mac, scp ~/.claude to /opt/meridian/.claude). systemd unit is enabled but
gated on credentials.json existence so the first deploy doesn't crash-loop.
LXC has no auth layer — security model is LAN-only reachability.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Your Name