feat(litellm): support dynamic master key via extra vars and generate caddy bcrypt hash on the fly

2026-06-11 16:33:17 +08:00 · 2026-06-11 16:33:17 +08:00 · 814a81f088
commit 814a81f088
parent ed8a78e932
3 changed files with 17 additions and 6 deletions
--- a/host_vars/jp-xhttp-contabo.svc.plus/litellm.yml
+++ b/host_vars/jp-xhttp-contabo.svc.plus/litellm.yml
@ -1,9 +1,6 @@
 ---
 # LiteLLM Admin UI Credentials
-# Caddy basicauth: username + password (LITELLM_MASTER_KEY)
-litellm_master_key: "sk-master-admin-12345"
 litellm_basic_auth_username: admin
-litellm_basic_auth_password_hash: "$2a$14$DtnTj70zpt0hiWkgyH2pNudN3D9uLLXjJsS.UJWXVy0mB567WEAs."

 # Database Configuration
 litellm_database_host: "127.0.0.1"
--- a/roles/vhosts/litellm/defaults/main.yml
+++ b/roles/vhosts/litellm/defaults/main.yml
@ -10,8 +10,8 @@ litellm_config_file: "{{ litellm_config_dir }}/config.yaml"
 litellm_env_file: "{{ litellm_config_dir }}/litellm.env"
 litellm_systemd_unit_path: "/etc/systemd/system/{{ litellm_service_name }}.service"

-litellm_master_key: "{{ lookup('ansible.builtin.env', 'LITELLM_MASTER_KEY') | default(lookup('password', '/dev/null length=32 chars=ascii_letters,digits'), true) }}"
-litellm_salt_key: "{{ lookup('ansible.builtin.env', 'LITELLM_SALT_KEY') | default(lookup('password', '/dev/null length=32 chars=ascii_letters,digits'), true) }}"
+litellm_master_key: "{{ lookup('ansible.builtin.env', 'LITELLM_MASTER_KEY') | default('sk-master-admin-12345', true) }}"
+litellm_salt_key: "{{ lookup('ansible.builtin.env', 'LITELLM_SALT_KEY') | default(lookup('password', '/tmp/.litellm_salt_key length=32 chars=ascii_letters,digits'), true) }}"

 litellm_ui_username: "{{ lookup('ansible.builtin.env', 'LITELLM_UI_USERNAME') | default('admin', true) }}"
 litellm_ui_password: "{{ litellm_master_key }}"
@ -20,7 +20,7 @@ litellm_caddyfile_path: /etc/caddy/Caddyfile
 litellm_caddy_conf_dir: /etc/caddy/conf.d

 litellm_basic_auth_username: "{{ litellm_ui_username }}"
-litellm_basic_auth_password_hash: "$2a$14$b2oxMvD0p5ByjdCA18Go5u1qTjPeDjDzzXIanGVXdYIO6fvKf2cY."
+# litellm_basic_auth_password_hash is generated dynamically via tasks

 litellm_api_domain: api.svc.plus
 litellm_ui_domain: litellm.svc.plus
--- a/roles/vhosts/litellm/tasks/main.yml
+++ b/roles/vhosts/litellm/tasks/main.yml
@ -85,9 +85,23 @@
    group: root
    mode: "0755"

+- name: Generate bcrypt hash for LiteLLM UI basic auth
+  ansible.builtin.command: caddy hash-password --plaintext "{{ litellm_master_key }}"
+  register: caddy_hash_result
+  changed_when: false
+  no_log: true
+  when: litellm_enable_basic_auth
+
+- name: Set litellm_basic_auth_password_hash fact
+  ansible.builtin.set_fact:
+    litellm_basic_auth_password_hash: "{{ caddy_hash_result.stdout }}"
+  no_log: true
+  when: litellm_enable_basic_auth
+
 - name: Ensure Caddy imports managed fragments
  ansible.builtin.lineinfile:
    path: "{{ litellm_caddyfile_path }}"
+    regexp: "^import {{ litellm_caddy_conf_dir }}/\\*\\.caddy"
    line: "import {{ litellm_caddy_conf_dir }}/*.caddy"
    insertafter: EOF
    create: true