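---
# ==============================================================================
# Meridian LXC — Site Playbook
# ==============================================================================
# Local Anthropic API powered by Chuck's Claude Max OAuth subscription.
# Bridges the Claude Code SDK to /v1/messages so HAOS's anthropic conversation
# integration (and any Anthropic-compatible client) can use the Max subscription
# instead of paid API tokens.
#
# Security:
#   - Meridian itself has no auth layer; LAN-only reachability is the security model.
#     NOTE(review): nothing in this play enforces that boundary. Any host that
#     can reach the Meridian port can use the subscription, so confirm the
#     meridian role (or the LXC/network firewall) restricts the listener.
#   - LiteLLM sits in front for clients that speak OpenAI (e.g. Pulse). It does
#     require a master key (Infisical /meridian/vault_litellm_master_key).
#
# OAuth bootstrap is one-time, paste-code flow run directly on the LXC
# (see homelab-docs services/meridian.md). Don't scp ~/.claude/ from Mac —
# Mac stores the refresh token in Keychain, scp can't see it.
#
# Usage:
#   ./deploy.sh                    # full deploy (pulls LITELLM_MASTER_KEY from Infisical)
#   ./deploy.sh --tags meridian    # meridian role only
#   ./deploy.sh --tags litellm     # litellm role only
# ==============================================================================

- name: Deploy Meridian LXC
  # NOTE(review): `all` targets every host in the inventory passed to this
  # play, with privilege escalation. Presumably the inventory holds only the
  # Meridian LXC; verify, or narrow this to a dedicated group.
  hosts: all
  become: true

  vars_files:
    - vars/main.yml

  pre_tasks:
    # Prints which play is running and which host/address it is targeting.
    - name: Deploy banner
      debug:
        msg: "===== {{ ansible_play_name }} → {{ inventory_hostname }} ({{ ansible_host | default(inventory_hostname) }}) ====="

    # Fail before any role runs if the LiteLLM master key is missing, is still
    # the placeholder, or is too short. The conditions are listed separately so
    # a failure reports which one was not met; assert stops at the first
    # failing entry, so the later checks never see an undefined variable.
    # The key's value is never printed: only the condition text and fail_msg
    # appear in the task result.
    - name: Sanity-check LITELLM_MASTER_KEY is set
      assert:
        that:
          - litellm_master_key is defined
          - litellm_master_key != 'CHANGE_ME'
          - (litellm_master_key | length) >= 24
        # NOTE(review): the `-e` form suggested below places the key on the
        # ansible-playbook command line, where it is visible in the
        # controller's process list for the duration of the run. Prefer
        # ./deploy.sh on a shared controller.
        fail_msg: |
          LITELLM_MASTER_KEY is not set on the controller, is still the
          CHANGE_ME placeholder, or is shorter than 24 characters.
          Run via ./deploy.sh (which pulls it from Infisical), or pass:
            -e litellm_master_key="$(infisical secrets get vault_litellm_master_key --env prod --path /meridian --plain)"

  # Each role carries its own tag so it can be deployed alone with --tags.
  roles:
    - role: meridian
      tags:
        - meridian
    - role: litellm
      tags:
        - litellm
    - role: node_exporter
      tags:
        - node_exporter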