added llama-stack

2026-05-08 14:50:12 -04:00 · 2026-04-13 23:12:50 -04:00 · 2026-04-13 23:12:50 -04:00 · c41a6ff637
commit c41a6ff637
parent 07586a80ee
4 changed files with 35 additions and 27 deletions
--- a/system/machines/server/modules/nginx/default.nix
+++ b/system/machines/server/modules/nginx/default.nix
@ -22,7 +22,6 @@ in
      '';
    };

-    searxng.enable = mkEnableOption "Publicly exposed SearXNG endpoint with secret path via sops";
  };

  config = mkIf cfg.enable {
@ -116,15 +115,6 @@ in
        };
      };

-      virtualHosts."searxng.${domain}" = mkIf cfg.searxng.enable {
-        useACMEHost = domain;
-        forceSSL = true;
-        locations."/".return = "404";
-        extraConfig = ''
-          include ${config.sops.templates."nginx-searxng-location.conf".path};
-        '';
-      };
-
      virtualHosts."chat.${domain}" = {
        useACMEHost = domain;
        forceSSL = true;
@ -139,8 +129,19 @@ in
        useACMEHost = domain;
        forceSSL = true;
        locations."/" = {
-          proxyPass = "http://192.168.0.23:8000";
+          proxyPass = "http://192.168.0.23:8321";
          proxyWebsockets = true;
+          extraConfig = ''
+            # API key auth — validated against the sops-managed key
+            set $api_key "";
+            if ($http_authorization ~* "^Bearer (.+)$") {
+              set $api_key $1;
+            }
+            if ($api_key = "") {
+              return 401 '{"error": "Missing Authorization header"}';
+            }
+            include ${config.sops.templates."nginx-ai-auth.conf".path};
+          '';
        };
      };

--- a/system/machines/server/system.nix
+++ b/system/machines/server/system.nix
@ -9,20 +9,18 @@
  # Camera RTSP credentials (used by frigate/go2rtc)
  sops.secrets = let
    cameras = { sopsFile = ../../../secrets/system/cameras.yaml; };
-    searxng = { sopsFile = ../../../secrets/system/searxng.yaml; };
+    llama = { sopsFile = ../../../secrets/system/llama.yaml; };
  in {
    "RTSP_USER" = cameras;
    "RTSP_PASS" = cameras;
-    "SEARXNG_TOKEN" = searxng;
+    "LLAMA_API_KEY" = llama;
  };

-  sops.templates."nginx-searxng-location.conf" = {
+  # API key auth for ai.ramos.codes — nginx validates Bearer token against sops secret
+  sops.templates."nginx-ai-auth.conf" = {
    content = ''
-      location /${config.sops.placeholder."SEARXNG_TOKEN"}/ {
-        proxy_pass http://192.168.0.23:8080/;
-        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "upgrade";
+      if ($api_key != "${config.sops.placeholder."LLAMA_API_KEY"}") {
+        return 401 '{"error": "Invalid API key"}';
      }
    '';
    owner = "nginx";
@ -31,7 +29,6 @@
  modules.system = {
    nginx = {
      enable = true;
-      searxng.enable = true;
    };
    sandpack.enable = true;
    forgejo.enable = true;