From 1d69107ebba01865ea028f30009d77f7cc7ce85a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Kr=C3=BCger?= <valknar@pivoine.art>
Date: Sun, 9 Nov 2025 17:56:34 +0100
Subject: [PATCH] feat: expose LiteLLM publicly for Codex CLI integration
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Added Traefik configuration to make LiteLLM accessible at llm.ai.pivoine.art
for use with @openai/codex CLI tool.

Changes:
- Added AI_LITELLM_TRAEFIK_HOST to arty.yml (llm.ai.pivoine.art)
- Updated ai/compose.yaml litellm service with full Traefik labels
- HTTP to HTTPS redirect
- SSL termination via Let's Encrypt
- Compression and security headers

This allows external tools like Codex to use Claude models via
OpenAI-compatible API endpoint.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 ai/compose.yaml | 17 +++++++++++++++--
 arty.yml        |  1 +
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/ai/compose.yaml b/ai/compose.yaml
index 4df7f7d..bcac9ae 100644
--- a/ai/compose.yaml
+++ b/ai/compose.yaml
@@ -108,8 +108,21 @@ services:
       retries: 3
       start_period: 20s
     labels:
-      # No Traefik exposure - internal only
-      - 'traefik.enable=false'
+      - 'traefik.enable=${AI_TRAEFIK_ENABLED}'
+      # HTTP to HTTPS redirect
+      - 'traefik.http.middlewares.${AI_COMPOSE_PROJECT_NAME}-litellm-redirect-web-secure.redirectscheme.scheme=https'
+      - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-litellm-web.middlewares=${AI_COMPOSE_PROJECT_NAME}-litellm-redirect-web-secure'
+      - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-litellm-web.rule=Host(`${AI_LITELLM_TRAEFIK_HOST}`)'
+      - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-litellm-web.entrypoints=web'
+      # HTTPS router
+      - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-litellm-web-secure.rule=Host(`${AI_LITELLM_TRAEFIK_HOST}`)'
+      - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-litellm-web-secure.tls.certresolver=resolver'
+      - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-litellm-web-secure.entrypoints=web-secure'
+      - 'traefik.http.middlewares.${AI_COMPOSE_PROJECT_NAME}-litellm-web-secure-compress.compress=true'
+      - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-litellm-web-secure.middlewares=${AI_COMPOSE_PROJECT_NAME}-litellm-web-secure-compress,security-headers@file'
+      # Service
+      - 'traefik.http.services.${AI_COMPOSE_PROJECT_NAME}-litellm-web-secure.loadbalancer.server.port=4000'
+      - 'traefik.docker.network=${NETWORK_NAME}'
       # Watchtower
       - 'com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}'
 
diff --git a/arty.yml b/arty.yml
index 86b2f92..1e090d9 100644
--- a/arty.yml
+++ b/arty.yml
@@ -182,6 +182,7 @@ envs:
     AI_VECTOR_DB: pgvector
     AI_CRAWL4AI_PORT: 11235
     AI_OPENAI_API_BASE_URLS: https://api.anthropic.com/v1
+    AI_LITELLM_TRAEFIK_HOST: llm.ai.pivoine.art
     # Asciinema
     ASCIINEMA_TRAEFIK_ENABLED: true
     ASCIINEMA_COMPOSE_PROJECT_NAME: asciinema