Your Name 02c2f4ee2d litellm: pull /meridian secrets in-playbook from Infisical (runner-agnostic)
Replaces the deploy.sh env-var hand-off (which only worked locally and would
have made Semaphore write placeholder keys, regressing direct_*) with the
standard in-playbook Infisical pull used by dawarich/mcp/cloudflared:

- site.yml pre_tasks: login via the shared 828d2cc8 machine identity, read
  /meridian as_dict, set_fact litellm_master_key + the openai/gemini keys.
- vars/vault.yml: shared ansible-vault client secret (copied from sibling repo).
- requirements.yml: + infisical.vault.
- deploy.sh: drop the infisical-CLI pulls; add --ask-vault-pass.

Same secret path for Semaphore and local — no per-template env wiring. Deploy
prereqs: attach the ansible-vault password to Semaphore template 27, and ensure
the 828d2cc8 identity can read /meridian (env prod).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-05 13:00:54 -04:00

deploy.sh (53 lines, 2.4 KiB, Bash, executable file)

#!/usr/bin/env bash
# ==============================================================================
# deploy.sh — Deploy Meridian LXC
#
# Usage:
#   ./deploy.sh                   # full deploy
#   ./deploy.sh --tags meridian   # meridian role only
#   ./deploy.sh --tags litellm    # litellm role only
#   ./deploy.sh -v                # verbose output
#
# Secrets:
#   The playbook reads /meridian from Infisical itself (site.yml pre_tasks) —
#   master key + the direct_* provider keys. No env wiring needed; this works
#   identically under Semaphore. The only local requirement is the ansible-vault
#   password (decrypts vars/vault.yml → the Infisical machine-identity secret),
#   which --ask-vault-pass prompts for. Semaphore supplies it via an attached
#   vault key on the template.
# ==============================================================================
set -euo pipefail

# Target host: the first inventory line that starts with an IP, plus its ansible_user.
HOST_IP="$(grep -E '^[0-9]' inventory.ini | head -1 | awk '{print $1}')"
HOST_USER="$(grep -o 'ansible_user=[^ ]*' inventory.ini | head -1 | cut -d= -f2)"

echo "==> Checking connectivity to ${HOST_USER}@${HOST_IP} ..."
# BatchMode=yes never prompts, so a changed host key (e.g. a rebuilt LXC) fails fast.
# Note: any failure here (a timeout included) replaces the stored host key with
# whatever the IP currently presents, so the check below is not a host-identity check.
if ! ssh -o ConnectTimeout=5 -o BatchMode=yes "${HOST_USER}@${HOST_IP}" true 2>/dev/null; then
    echo "    Cannot SSH to ${HOST_IP} — refreshing host key ..."
    ssh-keygen -R "$HOST_IP" 2>/dev/null || true
    ssh-keyscan -H "$HOST_IP" >> ~/.ssh/known_hosts 2>/dev/null
fi

echo "==> Installing Ansible collections ..."
ansible-galaxy collection install -r requirements.yml --force 2>/dev/null

echo "==> Running deploy playbook ..."
# --ask-vault-pass unlocks vars/vault.yml; extra args (e.g. --tags, -v) pass through.
ansible-playbook -i inventory.ini site.yml --ask-vault-pass "$@"

echo "==> Verifying ..."
# Quoted heredoc delimiter: everything below expands on the remote host, not here.
ssh "${HOST_USER}@${HOST_IP}" bash -s <<'VERIFY'
echo "Node: $(node --version 2>/dev/null || echo missing)"
echo "Meridian binary: $(which meridian 2>/dev/null || echo missing)"
echo "Services:"
for svc in meridian litellm; do
    printf "  %-10s enabled=%s active=%s\n" "$svc" \
        "$(systemctl is-enabled "$svc" 2>/dev/null)" \
        "$(systemctl is-active "$svc" 2>/dev/null)"
done
echo "Endpoints:"
# curl -f treats any 4xx/5xx as failure, so a 400 on the empty body also reads as
# "not responding"; only a 2xx/3xx counts as reachable here.
curl -sf --max-time 3 http://127.0.0.1:3456/v1/messages -X POST -H 'Content-Type: application/json' -d '{}' >/dev/null 2>&1 \
    && echo "  meridian :3456 reachable" || echo "  meridian :3456 not responding"
curl -sf --max-time 3 http://127.0.0.1:4000/health/liveliness >/dev/null 2>&1 \
    && echo "  litellm :4000 healthy" || echo "  litellm :4000 not responding"
VERIFY

echo "==> Done."
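The in-playbook pull that the commit message and the script header describe, as an added example that is not the repository's own site.yml: the `infisical.vault.read_secrets` lookup and its `universal_auth_client_id`, `universal_auth_client_secret`, `project_id`, `env_slug`, `path`, `as_dict` and `url` parameters follow the collection's documented interface as I recall it; the play's host group, the variable names (`infisical_client_id`, `infisical_client_secret`, `infisical_project_id`, `infisical_url`), the Infisical secret names (`LITELLM_MASTER_KEY`, `OPENAI_API_KEY`, `GEMINI_API_KEY`) and every `<...>` value are assumptions. The part worth copying is `no_log: true` on both `set_fact` tasks: without it, the pulled dict and the per-key facts are printed in the task result, which under Semaphore means they land in the retained job log, and an `ansible.builtin.assert` fails the run early when a key is missing instead of letting a role write an empty value.

```yaml
# site.yml (added example, not the repo's file): pull /meridian before the roles run.
- hosts: meridian                  # assumed inventory group name
  become: true
  vars_files:
    - vars/vault.yml               # ansible-vault encrypted; provides infisical_client_secret (assumed name)
  vars:
    infisical_client_id: "<MACHINE_IDENTITY_CLIENT_ID>"   # placeholder for the shared 828d2cc8 identity
    infisical_project_id: "<INFISICAL_PROJECT_ID>"        # placeholder
    infisical_url: "https://app.infisical.com"            # assumed; point at the self-hosted URL if any
  pre_tasks:
    - name: Pull the /meridian folder from Infisical (env prod) as a name -> value dict
      ansible.builtin.set_fact:
        meridian_secrets: >-
          {{ lookup('infisical.vault.read_secrets',
                    universal_auth_client_id=infisical_client_id,
                    universal_auth_client_secret=infisical_client_secret,
                    project_id=infisical_project_id,
                    env_slug='prod',
                    path='/meridian',
                    as_dict=True,
                    url=infisical_url) }}
      no_log: true                 # keep the dict out of ansible -v and Semaphore output

    - name: Fail early if a required key is absent (assert prints the condition, not the value)
      ansible.builtin.assert:
        that:
          - meridian_secrets.LITELLM_MASTER_KEY is defined
          - meridian_secrets.OPENAI_API_KEY is defined
          - meridian_secrets.GEMINI_API_KEY is defined
        quiet: true

    - name: Expose the keys under the names the roles consume (assumed variable names)
      ansible.builtin.set_fact:
        litellm_master_key: "{{ meridian_secrets.LITELLM_MASTER_KEY }}"
        openai_api_key: "{{ meridian_secrets.OPENAI_API_KEY }}"
        gemini_api_key: "{{ meridian_secrets.GEMINI_API_KEY }}"
      no_log: true

  roles:
    - meridian
    - litellm
```

Run locally with `ansible-playbook -i inventory.ini site.yml --ask-vault-pass` exactly as deploy.sh does; under Semaphore the attached vault key decrypts vars/vault.yml and nothing else changes, which is the point of keeping the pull inside the playbook rather than in the runner's environment. If a role later templates one of these facts with `debug` or a failing `template` task, add `no_log: true` there too, since the fact value would otherwise be shown in that task's error output.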