bryan/nixos
0
0
Fork 0
mirror of https://github.com/itme-brain/nixos.git synced 2026-05-08 14:50:12 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

added llama-stack

Browse source
This commit is contained in:
Bryan Ramos 2026-04-13 23:12:50 -04:00
parent 07586a80ee
commit c41a6ff637
4 changed files with 35 additions and 27 deletions
Download patch file Download diff file Expand all files Collapse all files

5
.sops.yaml
View file

@ -12,11 +12,12 @@ creation_rules:
key_groups: key_groups:
- age: - age:
- *desktop - *desktop
# Desktop secrets # Shared secrets (desktop + server)
- path_regex: secrets/system/llama\.yaml$ # llama.cpp API key - path_regex: secrets/system/llama\.yaml$ # llama.cpp API key
key_groups: key_groups:
- age: - age:
- *desktop - *desktop
- *server
# Server secrets (cameras) # Server secrets (cameras)
- path_regex: secrets/system/cameras\.yaml$ # RTSP Feed - path_regex: secrets/system/cameras\.yaml$ # RTSP Feed
key_groups: key_groups:

19
secrets/system/llama.yaml
View file

@ -4,11 +4,20 @@ sops:
- recipient: age17ejyzyk52unr6eyaa9rpunxpmf7u9726v6sx7me3ww3mdu5xzgjqsgj9gl - recipient: age17ejyzyk52unr6eyaa9rpunxpmf7u9726v6sx7me3ww3mdu5xzgjqsgj9gl
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIeHdwYnhLTkFCWEg4c1Na YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzUmV6Q2dCMWU3TUFkZ0I0
aHlGY2lGaU5DclpnLzRvK0RTaERubFBDQjNZCnZRdmF6bk1ENWFHVm9zTFJGRW5j dHA3dXd2U0RSRzNtL3YvdG8rYWdnOTZoTkMwCkNnYnVlVmMyRDNnS1FmWktlNU9N
aTZWM0F2Z0N2S2JnOWJVRlJOL0ZHZ2sKLS0tIGtNNjRVM3pJb0dYUDhiemNxb05C UW1OMlJYODVzSHNIZWZMRkpPY05Ed3cKLS0tIDg0b0VkT0NrS3NIWE9EdWtWYXc1
SFF2bFN6dXByZGR5a3A3NjZZYmFGR3MK3F7VqRxqK4AobeCZo0EozK9ZImNl1PGR NjNESHpYbVptcnVRYWFKb3RlYkJ6OWMK3JsRXPDvJdKv2UyYIH8kr/WKbXgUDXbc
MSDa0Ljk5JHaxo5LXdc3bv55BH/97cmFX6HTOY/Lj9ioIHpS/f5p+g== fYOD0Huo73BA0vr8PlrsF4STVgJr/arKCMdI1C0bDdcwjExKnR1tIw==
-----END AGE ENCRYPTED FILE-----
- recipient: age198jg29ryg3c0qj3yg6y9ha4ce2ue4hjdaa9kalf49fxju74dhchsquvjzp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFTGNKOWczaityaXowWi9I
dmh0MjJoelV3bVlzeGpLZmVTVzJjckwwQUFzCk81ZHlTcm5oWHRQNklreUR4bWNS
OVdQelQ4YXkzeWZqOWZoNWlOVkZpWUkKLS0tIDZKQUU3LzV0UUhnRHVHQkFadkxm
djRyUEYyZ2srMlVxR0JtQlFqSWV1QWcKMIF9Sq4TUUmpVZAukjTjFbIrMxcE3+el
QSrHIm1HXLXwCKLDQ2N6b8Q9iUo/XMV0wsD3TLxdnUfegpQpfsDhag==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-04-14T02:12:27Z" lastmodified: "2026-04-14T02:12:27Z"
mac: ENC[AES256_GCM,data:6cg659/N2U31u8KQUtRypS7oUb7JfbodrX8wkNjMhDN5cGEDL2wrFZ+51uYblBGhXwLR5Isk7XNSzzgHNsUeQZlJEY2/OUIZ5TOYmKpWUSpSQTwF08MqqNXj9qgSle5yfrvi43+743b50Eh3VExtpF0gpODwunPoBXl0L89Or00=,iv:Kr+GtbwqyElWgnf6mKc1lXPicCvkWoQj5LGy6r7jcM8=,tag:IjmHvCQo9kI5BZFghnUMwg==,type:str] mac: ENC[AES256_GCM,data:6cg659/N2U31u8KQUtRypS7oUb7JfbodrX8wkNjMhDN5cGEDL2wrFZ+51uYblBGhXwLR5Isk7XNSzzgHNsUeQZlJEY2/OUIZ5TOYmKpWUSpSQTwF08MqqNXj9qgSle5yfrvi43+743b50Eh3VExtpF0gpODwunPoBXl0L89Or00=,iv:Kr+GtbwqyElWgnf6mKc1lXPicCvkWoQj5LGy6r7jcM8=,tag:IjmHvCQo9kI5BZFghnUMwg==,type:str]

23
system/machines/server/modules/nginx/default.nix
View file

@ -22,7 +22,6 @@ in
''; '';
}; };
searxng.enable = mkEnableOption "Publicly exposed SearXNG endpoint with secret path via sops";
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -116,15 +115,6 @@ in
}; };
}; };
virtualHosts."searxng.${domain}" = mkIf cfg.searxng.enable {
useACMEHost = domain;
forceSSL = true;
locations."/".return = "404";
extraConfig = ''
include ${config.sops.templates."nginx-searxng-location.conf".path};
'';
};
virtualHosts."chat.${domain}" = { virtualHosts."chat.${domain}" = {
useACMEHost = domain; useACMEHost = domain;
forceSSL = true; forceSSL = true;
@ -139,8 +129,19 @@ in
useACMEHost = domain; useACMEHost = domain;
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {
proxyPass = "http://192.168.0.23:8000"; proxyPass = "http://192.168.0.23:8321";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = ''
# API key auth — validated against the sops-managed key
set $api_key "";
if ($http_authorization ~* "^Bearer (.+)$") {
set $api_key $1;
}
if ($api_key = "") {
return 401 '{"error": "Missing Authorization header"}';
}
include ${config.sops.templates."nginx-ai-auth.conf".path};
'';
}; };
}; };

15
system/machines/server/system.nix
View file

@ -9,20 +9,18 @@
# Camera RTSP credentials (used by frigate/go2rtc) # Camera RTSP credentials (used by frigate/go2rtc)
sops.secrets = let sops.secrets = let
cameras = { sopsFile = ../../../secrets/system/cameras.yaml; }; cameras = { sopsFile = ../../../secrets/system/cameras.yaml; };
searxng = { sopsFile = ../../../secrets/system/searxng.yaml; }; llama = { sopsFile = ../../../secrets/system/llama.yaml; };
in { in {
"RTSP_USER" = cameras; "RTSP_USER" = cameras;
"RTSP_PASS" = cameras; "RTSP_PASS" = cameras;
"SEARXNG_TOKEN" = searxng; "LLAMA_API_KEY" = llama;
}; };
sops.templates."nginx-searxng-location.conf" = { # API key auth for ai.ramos.codes — nginx validates Bearer token against sops secret
sops.templates."nginx-ai-auth.conf" = {
content = '' content = ''
location /${config.sops.placeholder."SEARXNG_TOKEN"}/ { if ($api_key != "${config.sops.placeholder."LLAMA_API_KEY"}") {
proxy_pass http://192.168.0.23:8080/; return 401 '{"error": "Invalid API key"}';
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
} }
''; '';
owner = "nginx"; owner = "nginx";
@ -31,7 +29,6 @@
modules.system = { modules.system = {
nginx = { nginx = {
enable = true; enable = true;
searxng.enable = true;
}; };
sandpack.enable = true; sandpack.enable = true;
forgejo.enable = true; forgejo.enable = true;