From 773fa07046d9425ba1aaba12840f9f0dec842770 Mon Sep 17 00:00:00 2001
From: uttarayan21
Date: Thu, 6 Feb 2025 13:12:32 +0530
Subject: [PATCH] feat: Secure ollama endpoint with bearer tokens
---
 nixos/mirai/services/llama.nix | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/nixos/mirai/services/llama.nix b/nixos/mirai/services/llama.nix
index fe41392b..8484197e 100644
--- a/nixos/mirai/services/llama.nix
+++ b/nixos/mirai/services/llama.nix
@@ -37,10 +37,10 @@
 WEBUI_AUTH = "False";
 ENABLE_LOGIN_FORM = "False";
 WEBUI_URL = "https://llama.darksailor.dev";
- OLLAMA_BASE_URL = "https://ollama.darksailor.dev";
- OPENAI_BASE_URL = "https://api.openai.com/v1";
+ # OLLAMA_BASE_URL = "https://ollama.darksailor.dev/v1";
+ OPENAI_BASE_URL = "https://ollama.darksailor.dev/v1";
 };
- # environmentFile = "${config.sops.templates."OPENAI_API_KEY.env".path}";
+ environmentFile = "${config.sops.templates."LLAMA_API_KEY.env".path}";
 };
 caddy = {
@@ -52,7 +52,20 @@
 reverse_proxy localhost:7070
 '';
 virtualHosts."ollama.darksailor.dev".extraConfig = ''
- reverse_proxy localhost:11434
+ @apikey {
+ header Authorization "Bearer {env.LLAMA_API_KEY}"
+ }
+
+ handle @apikey {
+ header {
+ # Set response headers or proxy to a different service if API key is valid
+ Access-Control-Allow-Origin *
+ -Authorization "Bearer {env.LLAMA_API_KEY}" # Remove the header after validation
+ }
+ reverse_proxy localhost:11434
+ }
+
+ respond "Unauthorized" 403
 '';
 };
 };
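Review bot: With `WEBUI_AUTH = "False";` and `ENABLE_LOGIN_FORM = "False";` left as they are (context lines of the first hunk), the web UI at `llama.darksailor.dev` remains an unauthenticated path to the backend this commit puts behind a token: it presumably receives the key through the new `environmentFile` and calls `https://ollama.darksailor.dev/v1` for any visitor. Unless that virtual host is restricted somewhere outside the hunk (only its `reverse_proxy localhost:7070` line is visible), the bearer check on the ollama host does not limit who can use the model, so consider enabling `WEBUI_AUTH` or gating that vhost as well. The template contents are not shown; a comment above the new line such as `# template must define OPENAI_API_KEY with the same value Caddy reads as LLAMA_API_KEY` would document the coupling between the two services. The enclosing attribute set starts before the hunk.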
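Review bot: The `-Authorization "Bearer {env.LLAMA_API_KEY}"` line inside `header { … }` in the second hunk does not do what its comment says, because Caddy's `header` directive edits response headers; the bearer token is still forwarded to `localhost:11434`. To strip it from the upstream request, give the proxy a block containing `header_up -Authorization` (or use `request_header -Authorization` before it) and drop the line from `header`. The `@apikey` matcher also depends on `LLAMA_API_KEY` being present in the Caddy process environment, and nothing visible here passes the sops env file to Caddy; if the variable is unset the placeholder likely expands to an empty string and the check no longer depends on a secret, so confirm the Caddy service loads it (the rest of the `caddy` block lies outside the hunk). `Access-Control-Allow-Origin *` looks broader than a token-gated API needs; a specific origin, or no CORS header, is the narrower choice, and `respond "Unauthorized" 401` matches the message better than 403.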