From d8be05169ca4646793915967fcd21da8962d3a2f Mon Sep 17 00:00:00 2001
From: Bryan Ramos
Date: Tue, 14 Apr 2026 00:55:20 -0400
Subject: [PATCH] api key
---
 system/machines/server/modules/nginx/default.nix | 1 +
 system/machines/server/system.nix | 10 ++++++++++
 2 files changed, 11 insertions(+)
diff --git a/system/machines/server/modules/nginx/default.nix b/system/machines/server/modules/nginx/default.nix
index 8e03e7c..41e7687 100644
--- a/system/machines/server/modules/nginx/default.nix
+++ b/system/machines/server/modules/nginx/default.nix
@@ -163,6 +163,7 @@ in
 proxyPass = "http://192.168.0.23:8002/";
 proxyWebsockets = true;
 extraConfig = ''
+ include ${config.sops.templates."nginx-mcp-auth.conf".path};
 proxy_read_timeout 300s;
 proxy_send_timeout 300s;
 '';
diff --git a/system/machines/server/system.nix b/system/machines/server/system.nix
index 3572a8b..43b75f6 100644
--- a/system/machines/server/system.nix
+++ b/system/machines/server/system.nix
@@ -26,6 +26,16 @@
 owner = "nginx";
 };
+ # MCP endpoint auth — validates X-API-Key header
+ sops.templates."nginx-mcp-auth.conf" = {
+ content = ''
+ if ($http_x_api_key != "${config.sops.placeholder."LLAMA_API_KEY"}") {
+ return 401 '{"error": "Unauthorized"}';
+ }
+ '';
+ owner = "nginx";
+ };
+
 modules.system = {
 nginx = {
 enable = true;
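Review bot: The `include` added to `extraConfig` gates only requests that pass through this nginx location; the upstream in `proxyPass = "http://192.168.0.23:8002/"` is plain HTTP on a LAN address, so any host that can reach port 8002 directly never meets the key check. Whether that port is restricted to the proxy is not visible in this hunk, so it is worth confirming and recording in a comment above the include, e.g. `# auth is enforced here only; 192.168.0.23:8002 must accept connections from this host alone`. nginx also forwards the client's `X-API-Key` header to the upstream by default; if the backend does not need it, add `proxy_set_header X-API-Key "";` after the include. The location block starts and ends outside the hunk.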
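Review bot: The rendered secret is placed verbatim between double quotes on the `if ($http_x_api_key != "…")` line, so a key containing `"`, `\` or `$` would either break the nginx config or be read as a variable, and an empty `LLAMA_API_KEY` makes the comparison pass for any request that sends no header at all. I would state the constraint next to the existing comment, `# LLAMA_API_KEY must be non-empty and limited to [A-Za-z0-9_-]; it is substituted into a quoted nginx string`, and reject the missing header explicitly with `if ($http_x_api_key = "") { return 401 '{"error": "Unauthorized"}'; }` ahead of the comparison. nginx's `!=` is an ordinary string compare rather than a constant-time one, which is one more reason to keep the key long and random. The attribute set this template sits in starts and ends outside the hunk.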