homelab-ansible-lxc-meridian/site.yml
Your Name a6b26c500f litellm: add OpenAI→Meridian shim role (venv + systemd, port 4000)
LiteLLM sits in front of Meridian for clients that can't talk Anthropic's
/v1/messages format (Pulse OpenAI provider, paperless-ai, etc.). Routes
OpenAI-shaped requests to localhost:3456 (Meridian) which forwards to the
Max sub.

- New roles/litellm/ — Python venv, pip install litellm[proxy], systemd
- vars/main.yml — model map (haiku/sonnet/opus) + LITELLM_MASTER_KEY env lookup
- site.yml — adds litellm role + sanity-check assert
- deploy.sh — pulls LITELLM_MASTER_KEY from Infisical (/meridian/) on the
  controller and exports it for the playbook
- New Infisical secret /meridian/vault_litellm_master_key

Smoke: Pulse → LiteLLM /v1/chat/completions → Meridian /v1/messages → Max sub
returns "pong" through both the LiteLLM master key auth and the Claude Code
SDK OAuth.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-19 11:23:52 -04:00

48 lines
2.1 KiB
YAML

---
# ==============================================================================
# Meridian LXC — Site Playbook
# ==============================================================================
# Local Anthropic API powered by Chuck's Claude Max OAuth subscription.
# Bridges the Claude Code SDK to /v1/messages so HAOS's anthropic conversation
# integration (and any Anthropic-compatible client) can use the Max subscription
# instead of paid API tokens.
#
# Security:
#   - Meridian itself has no auth layer; LAN-only reachability is the security model.
#   - LiteLLM sits in front for clients that speak OpenAI (e.g. Pulse). It does
#     require a master key (Infisical /meridian/vault_litellm_master_key).
#
# OAuth bootstrap is one-time, paste-code flow run directly on the LXC
# (see homelab-docs services/meridian.md). Don't scp ~/.claude/ from Mac —
# Mac stores the refresh token in Keychain, scp can't see it.
#
# Usage:
#   ./deploy.sh                   # full deploy (pulls LITELLM_MASTER_KEY from Infisical)
#   ./deploy.sh --tags meridian   # meridian role only
#   ./deploy.sh --tags litellm    # litellm role only
# ==============================================================================
- name: Deploy Meridian LXC
  hosts: all
  become: true
  vars_files:
    - vars/main.yml
  pre_tasks:
    - name: Deploy banner
      debug:
        msg: "===== {{ ansible_play_name }} → {{ inventory_hostname }} ({{ ansible_host | default(inventory_hostname) }}) ====="
    - name: Sanity-check LITELLM_MASTER_KEY is set
      assert:
        that: litellm_master_key is defined and litellm_master_key != 'CHANGE_ME' and (litellm_master_key | length) >= 24
        fail_msg: |
          LITELLM_MASTER_KEY env var not set on the controller.
          Run via ./deploy.sh (which pulls it from Infisical), or pass:
            -e litellm_master_key="$(infisical secrets get vault_litellm_master_key --env prod --path /meridian --plain)"
  roles:
    - { role: meridian, tags: ['meridian'] }
    - { role: litellm, tags: ['litellm'] }
    - { role: node_exporter, tags: ['node_exporter'] }
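
The header comment states that LiteLLM requires a master key while Meridian has no auth layer. The play below is an added example, not part of this repository, that checks the first claim after a deploy. It assumes LiteLLM answers on 127.0.0.1:4000 on the target, serves `/v1/models`, and rejects a missing or wrong key with 401 or 403; `litellm_url` is a hypothetical variable name.

```yaml
# Added example (not from the repository): post-deploy check that LiteLLM
# rejects callers without the master key.
# Assumptions: proxy on 127.0.0.1:4000, /v1/models endpoint, 401/403 on bad auth.
- name: Verify LiteLLM enforces its master key
  hosts: all
  gather_facts: false
  vars_files:
    - vars/main.yml
  vars:
    litellm_url: "http://127.0.0.1:4000/v1/models"   # hypothetical variable name
  tasks:
    # 200 is tolerated here so the assert below can report the failure clearly.
    - name: Request without a key
      ansible.builtin.uri:
        url: "{{ litellm_url }}"
        method: GET
        status_code: [200, 401, 403]
      register: anon

    - name: Request with a constructed wrong key
      ansible.builtin.uri:
        url: "{{ litellm_url }}"
        method: GET
        headers:
          Authorization: "Bearer sk-constructed-wrong-key"
        status_code: [200, 401, 403]
      register: wrong

    - name: Request with the real master key must succeed
      ansible.builtin.uri:
        url: "{{ litellm_url }}"
        method: GET
        headers:
          Authorization: "Bearer {{ litellm_master_key }}"
        status_code: 200
      no_log: true   # keep the key out of task output and logs

    - name: Fail if the proxy served an unauthenticated or mis-keyed caller
      ansible.builtin.assert:
        that:
          - anon.status in [401, 403]
          - wrong.status in [401, 403]
        fail_msg: "LiteLLM on port 4000 answered a request that did not carry the master key"
```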