Embedded prometheus.exporter.unix in Alloy has been pushing identical
metrics fleet-wide since 2026-05-21 cutover; the standalone binary
and systemd service have been removed from each host. Drops the
role + site.yml entry so future deploys don't reinstate them.
See homelab-docs/docs/audit/alloy-consolidation-2026-05-21.md.
Drops the _canary suffix on alloy_prom_job. Prometheus retired its
static node_* scrape jobs in the same release; Alloy's remote_write
fills the gap with identical job/instance/group/hostname labels.
Embeds node_exporter inside Alloy alongside Loki shipping; pushes
metrics via remote_write to observe Prom with job=node_lxc_canary
to run side-by-side with the existing node_exporter scrape until
cutover. See homelab-docs/docs/audit/alloy-consolidation-2026-05-21.md.
Meridian + LiteLLM both run as systemd services on this LXC (no docker)
so the Docker-container Alloy pattern from other repos doesn't apply.
Apt-install grafana/alloy via apt.grafana.com, journald-only scrape,
ships to Loki on observe.lan.balders.ca.
Side benefit: Meridian.service + LiteLLM.service logs (including the
gpt-* alias shadowing requests from paperless-ai) now searchable in
Loki, not just journalctl on the LXC.
paperless-ai's setup wizard validates the OpenAI provider by hardcoding
model=gpt-4o-mini in the probe, regardless of the OPENAI_MODEL env. Without
the alias LiteLLM 400s ("Invalid model name") and the wizard rejects the
key. Shadow common OpenAI names onto our Claude backends so any client that
probes gpt-* gets a healthy response (and routes to the Max sub).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
LiteLLM sits in front of Meridian for clients that can't talk Anthropic's
/v1/messages format (Pulse OpenAI provider, paperless-ai, etc.). Routes
OpenAI-shaped requests to localhost:3456 (Meridian) which forwards to the
Max sub.
- New roles/litellm/ — Python venv, pip install litellm[proxy], systemd
- vars/main.yml — model map (haiku/sonnet/opus) + LITELLM_MASTER_KEY env lookup
- site.yml — adds litellm role + sanity-check assert
- deploy.sh — pulls LITELLM_MASTER_KEY from Infisical (/meridian/) on the
controller and exports it for the playbook
- New Infisical secret /meridian/vault_litellm_master_key
Smoke: Pulse → LiteLLM /v1/chat/completions → Meridian /v1/messages → Max sub
returns "pong" through both the LiteLLM master key auth and the Claude Code
SDK OAuth.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Deploys @rynfar/meridian on a Debian 12 LXC, bound to 0.0.0.0:3456.
OAuth credentials transferred manually after first deploy (claude login on
Mac, scp ~/.claude to /opt/meridian/.claude). systemd unit is enabled but
gated on credentials.json existence so the first deploy doesn't crash-loop.
LXC has no auth layer — security model is LAN-only reachability.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Your Name
cbalders