Merged
10 changes: 10 additions & 0 deletions auth/caddy/Caddyfile
Expand Up @@ -45,6 +45,16 @@
reverse_proxy n8n:5678
}

# ---- LiteLLM model gateway (OpenAI-compatible API) for tailnet API clients ----
# Bypasses SSO: programmatic clients (Cline, Cursor, scripts) can't do an
# interactive Google login. Auth is LiteLLM's own Bearer key
# (LITELLM_MASTER_KEY), which model-gateway enforces — so this is safe to
# expose over the tailnet (Caddy binds the tailnet interface only).
# handle_path strips /llm so LiteLLM sees /v1/... (e.g. /llm/v1/chat/completions).
handle_path /llm/* {
reverse_proxy model-gateway:11435
}

# ---- Open WebUI at ROOT (no auth needed for the redirect) ----
# Open WebUI's upstream v0.9.2 image is a prebuilt SvelteKit SPA with
# base="" (assets are root-absolute: /_app, /static, /api, /ws). It MUST be
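Review bot: The new `handle_path /llm/*` block relies entirely on LiteLLM's master key for access control, but nothing in this change ensures LITELLM_MASTER_KEY is actually set — the model-gateway healthcheck in docker-compose.yml falls back to `'local'` when the variable is absent, which suggests an unset key is a reachable configuration. If LiteLLM starts without a master key (its behaviour in that case cannot be confirmed from here), this SSO-bypass route would be unauthenticated for every tailnet peer. The dependency is worth recording next to the block, e.g. `# REQUIRES LITELLM_MASTER_KEY to be set non-empty: with no master key this route carries no auth at all.` Note also that the matcher forwards every path under /llm/, not only /v1/*, so any other LiteLLM endpoint is reachable the same way; the enclosing site block starts and ends outside the hunk.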
11 changes: 7 additions & 4 deletions docker-compose.yml
Expand Up @@ -160,10 +160,11 @@ services:
- DASHBOARD_URL=http://dashboard:8080
- THROUGHPUT_RECORD_TOKEN=${THROUGHPUT_RECORD_TOKEN:-}
ports:
# 127.0.0.1 bind: localhost-only host publish. Tailnet peers reach this
# service through Caddy (see auth/caddy/Caddyfile); host apps (Cline,
# VS Code, MCP clients, Hermes auth.json) keep their `localhost:11435`
# connectivity. Removes the prior 0.0.0.0 LAN exposure.
# 127.0.0.1 bind: localhost-only host publish. Tailnet peers reach the
# OpenAI-compatible API via Caddy at https://<tailnet-host>/llm/* — gated
# by the LiteLLM master key, no SSO (see auth/caddy/Caddyfile). Host apps
# (Cline, VS Code, MCP clients, Hermes auth.json) keep their
# `localhost:11435` connectivity. Removes the prior 0.0.0.0 LAN exposure.
- "127.0.0.1:${MODEL_GATEWAY_PORT:-11435}:11435"
healthcheck:
test: ["CMD-SHELL", "python3 -c \"import os, urllib.request; req = urllib.request.Request('http://localhost:11435/v1/models', headers={'Authorization': 'Bearer ' + os.environ.get('LITELLM_MASTER_KEY', 'local')}); urllib.request.urlopen(req)\""]
Expand All @@ -178,6 +179,8 @@ services:
networks:
- frontend
- backend
# proxy-net: lets Caddy (front door) reach this for the /llm/* API route.
- proxy-net

ops-controller:
build: ./ops-controller
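Review bot: Attaching model-gateway to proxy-net (the two added lines after `- backend`) makes port 11435 reachable from every container on that network, not only from Caddy as the comment states, so the LiteLLM master key becomes the sole gate for any other proxy-net member. If proxy-net holds only Caddy that is acceptable, but the comment should state the assumption so a service added to proxy-net later does not silently gain API access, e.g. `# proxy-net: reachable by every container on this network — keep it Caddy-only; needed for the /llm/* route.` Also confirm `proxy-net` is declared in the top-level `networks:` section (outside this hunk), since Compose refuses to start a service that references an undeclared network. The model-gateway service definition starts before the hunk and continues after it.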