lib: add mkCaddyReverseProxy, mkFail2banJail, mkGrafanaAnnotationService, extractArrApiKey

services/llama-cpp.nix

@@ -13,6 +13,13 @@ let
   modelAlias = lib.removeSuffix ".gguf" (baseNameOf modelUrl);
 in
 {
+  imports = [
+    (lib.mkCaddyReverseProxy {
+      subdomain = "llm";
+      port = service_configs.ports.private.llama_cpp.port;
+    })
+  ];
+
   services.llama-cpp = {
     enable = true;
     model = toString (
@@ -94,10 +101,4 @@ in
     + " ${utils.escapeSystemdExecArgs cfg.extraFlags}"
   );
 
-  # Auth handled by llama-cpp --api-key-file (Bearer token).
-  # No caddy_auth — the API key is the auth layer, and caddy_auth's basic
-  # auth would block Bearer-only clients like oh-my-pi.
-  services.caddy.virtualHosts."llm.${service_configs.https.domain}".extraConfig = ''
-    reverse_proxy :${toString config.services.llama-cpp.port}
-  '';
 }