api key

system/machines/server/modules/nginx/default.nix

@@ -163,6 +163,7 @@ in
           proxyPass = "http://192.168.0.23:8002/";
           proxyWebsockets = true;
           extraConfig = ''
+            include ${config.sops.templates."nginx-mcp-auth.conf".path};
             proxy_read_timeout 300s;
             proxy_send_timeout 300s;
           '';

system/machines/server/system.nix

@@ -26,6 +26,16 @@
     owner = "nginx";
   };
 
+  # MCP endpoint auth — validates X-API-Key header
+  sops.templates."nginx-mcp-auth.conf" = {
+    content = ''
+      if ($http_x_api_key != "${config.sops.placeholder."LLAMA_API_KEY"}") {
+        return 401 '{"error": "Unauthorized"}';
+      }
+    '';
+    owner = "nginx";
+  };
+
   modules.system = {
     nginx = {
       enable = true;