feat: Secure ollama endpoint with bearer tokens

2025-02-06 13:12:32 +05:30
parent dc52311f7f
commit 773fa07046
1 changed files with 17 additions and 4 deletions
--- a/nixos/mirai/services/llama.nix
+++ b/nixos/mirai/services/llama.nix
@@ -37,10 +37,10 @@
        WEBUI_AUTH = "False";
        ENABLE_LOGIN_FORM = "False";
        WEBUI_URL = "https://llama.darksailor.dev";
-        OLLAMA_BASE_URL = "https://ollama.darksailor.dev";
-        OPENAI_BASE_URL = "https://api.openai.com/v1";
+        # OLLAMA_BASE_URL = "https://ollama.darksailor.dev/v1";
+        OPENAI_BASE_URL = "https://ollama.darksailor.dev/v1";
      };
-      # environmentFile = "${config.sops.templates."OPENAI_API_KEY.env".path}";
+      environmentFile = "${config.sops.templates."LLAMA_API_KEY.env".path}";
    };

    caddy = {
@@ -52,7 +52,20 @@
        reverse_proxy localhost:7070
      '';
      virtualHosts."ollama.darksailor.dev".extraConfig = ''
+        @apikey {
+            header Authorization "Bearer {env.LLAMA_API_KEY}"
+        }
+
+        handle @apikey {
+          header {
+            # Set response headers or proxy to a different service if API key is valid
+            Access-Control-Allow-Origin *
+            -Authorization "Bearer {env.LLAMA_API_KEY}"  # Remove the header after validation
+          }
          reverse_proxy localhost:11434
+        }
+
+        respond "Unauthorized" 403
      '';
    };
  };