llama-cpp: add API key auth via --api-key-file

Generate and encrypt a Bearer token for llama-cpp's built-in auth. Remove caddy_auth from the vhost since basic auth blocks Bearer-only clients. Internal sidecars (xmrig-pause, annotations) connect directly to localhost and are unaffected (/slots is public).
2026-04-02 18:02:23 -04:00
parent bfe7a65db2
commit 0aeb6c5523
3 changed files with 13 additions and 1 deletions
--- a/modules/age-secrets.nix
+++ b/modules/age-secrets.nix
@@ -159,5 +159,13 @@
      owner = "gitea-runner";
      group = "gitea-runner";
    };
+
+    # llama-cpp API key for bearer token auth
+    llama-cpp-api-key = {
+      file = ../secrets/llama-cpp-api-key.age;
+      mode = "0400";
+      owner = "root";
+      group = "root";
+    };
  };
 }