From c41a6ff63787882cc05a0ce9c60cf2213d63afc6 Mon Sep 17 00:00:00 2001
From: Bryan Ramos
Date: Mon, 13 Apr 2026 23:12:50 -0400
Subject: [PATCH] added llama-stack
---
 .sops.yaml | 5 ++--
 secrets/system/llama.yaml | 19 +++++++++++----
 .../machines/server/modules/nginx/default.nix | 23 ++++++++++---------
 system/machines/server/system.nix | 15 +++++-------
 4 files changed, 35 insertions(+), 27 deletions(-)
diff --git a/.sops.yaml b/.sops.yaml
index c4b8201..6fa100a 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -12,11 +12,12 @@ creation_rules:
 key_groups:
 - age:
 - *desktop
- # Desktop secrets
+ # Shared secrets (desktop + server)
 - path_regex: secrets/system/llama\.yaml$ # llama.cpp API key
 key_groups:
 - age:
- - *desktop
+ - *desktop
+ - *server
 # Server secrets (cameras)
 - path_regex: secrets/system/cameras\.yaml$ # RTSP Feed
 key_groups:
diff --git a/secrets/system/llama.yaml b/secrets/system/llama.yaml
index 84e67dc..a538022 100644
--- a/secrets/system/llama.yaml
+++ b/secrets/system/llama.yaml
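Review bot: The context line `- path_regex: secrets/system/llama\.yaml$ # llama.cpp API key` still describes the secret as a llama.cpp key, while the commit title and the new upstream port suggest it now gates the llama-stack endpoint; if that is the case the comment is stale. Since this file is where an operator looks to learn what a secret protects and who can decrypt it, it is worth updating to something like `# llama-stack API key, checked by nginx on the server`. The `*server` addition to the key group is what makes the server able to decrypt this file, so the "Shared secrets" heading now matches the rule below it.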
@@ -4,11 +4,20 @@ sops:
 - recipient: age17ejyzyk52unr6eyaa9rpunxpmf7u9726v6sx7me3ww3mdu5xzgjqsgj9gl
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIeHdwYnhLTkFCWEg4c1Na
- aHlGY2lGaU5DclpnLzRvK0RTaERubFBDQjNZCnZRdmF6bk1ENWFHVm9zTFJGRW5j
- aTZWM0F2Z0N2S2JnOWJVRlJOL0ZHZ2sKLS0tIGtNNjRVM3pJb0dYUDhiemNxb05C
- SFF2bFN6dXByZGR5a3A3NjZZYmFGR3MK3F7VqRxqK4AobeCZo0EozK9ZImNl1PGR
- MSDa0Ljk5JHaxo5LXdc3bv55BH/97cmFX6HTOY/Lj9ioIHpS/f5p+g==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzUmV6Q2dCMWU3TUFkZ0I0
+ dHA3dXd2U0RSRzNtL3YvdG8rYWdnOTZoTkMwCkNnYnVlVmMyRDNnS1FmWktlNU9N
+ UW1OMlJYODVzSHNIZWZMRkpPY05Ed3cKLS0tIDg0b0VkT0NrS3NIWE9EdWtWYXc1
+ NjNESHpYbVptcnVRYWFKb3RlYkJ6OWMK3JsRXPDvJdKv2UyYIH8kr/WKbXgUDXbc
+ fYOD0Huo73BA0vr8PlrsF4STVgJr/arKCMdI1C0bDdcwjExKnR1tIw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age198jg29ryg3c0qj3yg6y9ha4ce2ue4hjdaa9kalf49fxju74dhchsquvjzp
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFTGNKOWczaityaXowWi9I
+ dmh0MjJoelV3bVlzeGpLZmVTVzJjckwwQUFzCk81ZHlTcm5oWHRQNklreUR4bWNS
+ OVdQelQ4YXkzeWZqOWZoNWlOVkZpWUkKLS0tIDZKQUU3LzV0UUhnRHVHQkFadkxm
+ djRyUEYyZ2srMlVxR0JtQlFqSWV1QWcKMIF9Sq4TUUmpVZAukjTjFbIrMxcE3+el
+ QSrHIm1HXLXwCKLDQ2N6b8Q9iUo/XMV0wsD3TLxdnUfegpQpfsDhag==
 -----END AGE ENCRYPTED FILE-----
 lastmodified: "2026-04-14T02:12:27Z"
 mac: ENC[AES256_GCM,data:6cg659/N2U31u8KQUtRypS7oUb7JfbodrX8wkNjMhDN5cGEDL2wrFZ+51uYblBGhXwLR5Isk7XNSzzgHNsUeQZlJEY2/OUIZ5TOYmKpWUSpSQTwF08MqqNXj9qgSle5yfrvi43+743b50Eh3VExtpF0gpODwunPoBXl0L89Or00=,iv:Kr+GtbwqyElWgnf6mKc1lXPicCvkWoQj5LGy6r7jcM8=,tag:IjmHvCQo9kI5BZFghnUMwg==,type:str]
diff --git a/system/machines/server/modules/nginx/default.nix b/system/machines/server/modules/nginx/default.nix
index e423815..f12500e 100644
--- a/system/machines/server/modules/nginx/default.nix
+++ b/system/machines/server/modules/nginx/default.nix
@@ -22,7 +22,6 @@ in
 '';
 };
- searxng.enable = mkEnableOption "Publicly exposed SearXNG endpoint with secret path via sops";
 };
 config = mkIf cfg.enable {
@@ -116,15 +115,6 @@ in
 };
 };
- virtualHosts."searxng.${domain}" = mkIf cfg.searxng.enable {
- useACMEHost = domain;
- forceSSL = true;
- locations."/".return = "404";
- extraConfig = ''
- include ${config.sops.templates."nginx-searxng-location.conf".path};
- '';
- };
-
 virtualHosts."chat.${domain}" = {
 useACMEHost = domain;
 forceSSL = true;
@@ -139,8 +129,19 @@ in
 useACMEHost = domain;
 forceSSL = true;
 locations."/" = {
- proxyPass = "http://192.168.0.23:8000";
+ proxyPass = "http://192.168.0.23:8321";
 proxyWebsockets = true;
+ extraConfig = ''
+ # API key auth — validated against the sops-managed key
+ set $api_key "";
+ if ($http_authorization ~* "^Bearer (.+)$") {
+ set $api_key $1;
+ }
+ if ($api_key = "") {
+ return 401 '{"error": "Missing Authorization header"}';
+ }
+ include ${config.sops.templates."nginx-ai-auth.conf".path};
+ '';
 };
 };
diff --git a/system/machines/server/system.nix b/system/machines/server/system.nix
index b8674dd..b0247a2 100644
--- a/system/machines/server/system.nix
+++ b/system/machines/server/system.nix
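Review bot: The new `return 401 '{"error": "Missing Authorization header"}';` in the last hunk sends a JSON body, but nginx labels a `return` text body with the location's `default_type`, so clients will most likely not receive `Content-Type: application/json`; adding `default_type application/json;` as the first line of the new `extraConfig` fixes that for this return and for the one in the included template. A 401 on a bearer-protected resource should also carry `WWW-Authenticate: Bearer` (RFC 6750); `add_header WWW-Authenticate 'Bearer realm="ai"' always;` in this location would provide it, with the trade-off that the header is then attached to successful proxied responses as well. The check is split across two files — `$api_key` is set here and compared in the template defined in system.nix — so a comment above the `include` line such as `# nginx-ai-auth.conf compares $api_key (set above) against the sops-rendered key` would make that contract visible to whoever edits either side. The enclosing `virtualHosts` attribute begins before the hunk.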
@@ -9,20 +9,18 @@
 # Camera RTSP credentials (used by frigate/go2rtc)
 sops.secrets = let
 cameras = { sopsFile = ../../../secrets/system/cameras.yaml; };
- searxng = { sopsFile = ../../../secrets/system/searxng.yaml; };
+ llama = { sopsFile = ../../../secrets/system/llama.yaml; };
 in {
 "RTSP_USER" = cameras;
 "RTSP_PASS" = cameras;
- "SEARXNG_TOKEN" = searxng;
+ "LLAMA_API_KEY" = llama;
 };
- sops.templates."nginx-searxng-location.conf" = {
+ # API key auth for ai.ramos.codes — nginx validates Bearer token against sops secret
+ sops.templates."nginx-ai-auth.conf" = {
 content = ''
- location /${config.sops.placeholder."SEARXNG_TOKEN"}/ {
- proxy_pass http://192.168.0.23:8080/;
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
+ if ($api_key != "${config.sops.placeholder."LLAMA_API_KEY"}") {
+ return 401 '{"error": "Invalid API key"}';
 }
 '';
 owner = "nginx";
@@ -31,7 +29,6 @@
 modules.system = {
 nginx = {
 enable = true;
- searxng.enable = true;
 };
 sandpack.enable = true;
 forgejo.enable = true;
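Review bot: The new template line `if ($api_key != "${config.sops.placeholder."LLAMA_API_KEY"}") {` pastes the secret verbatim into an nginx double-quoted string, so a key containing `"`, `\`, `;` or `$` would either break the rendered config (nginx then fails to start or reload) or change the comparison, since `$` is expanded as a variable inside nginx strings; that constraint belongs next to the secret, e.g. `# LLAMA_API_KEY is interpolated into nginx syntax: keep it to [A-Za-z0-9_-]`. The template also depends on `$api_key` having been set by the location that includes it, which lives in modules/nginx/default.nix, and a one-line comment stating that contract (`# expects $api_key to be set by the including location`) would keep the two halves from drifting. The heading `# Camera RTSP credentials (used by frigate/go2rtc)` above `sops.secrets` now also covers `LLAMA_API_KEY`, so it should be widened or the new key mentioned. The `sops.templates."nginx-ai-auth.conf"` attribute continues past the hunk.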