ringofstorms/dotfiles
ringofstorms/dotfiles
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add secrets-bao and load litellm env from /run/secrets

Browse source
This commit is contained in:
RingOfStorms (Joshua Bell) 2026-01-06 23:44:39 -06:00
parent de0a6add72
commit 0390a6f8f0
2 changed files with 38 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

37
hosts/h001/flake.nix
View file

@ -21,6 +21,7 @@
secrets.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/secrets"; secrets.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/secrets";
# beszel.url = "path:../../flakes/beszel"; # beszel.url = "path:../../flakes/beszel";
beszel.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/beszel"; beszel.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/beszel";
secrets-bao.url = "path:../../flakes/secrets-bao";
ros_neovim.url = "git+https://git.joshuabell.xyz/ringofstorms/nvim"; ros_neovim.url = "git+https://git.joshuabell.xyz/ringofstorms/nvim";
@ -80,6 +81,42 @@
}; };
}) })
inputs.secrets-bao.nixosModules.default
(
{ inputs, lib, ... }:
let
secrets = {
litellm-env = {
owner = "root";
group = "root";
mode = "0400";
path = "/run/secrets/litellm.env";
softDepend = [ "litellm" ];
template = ''
{{- with secret "kv/data/machines/home/openrouter" -}}OPENROUTER_API_KEY={{ .Data.data.api-key }}{{ end }}
{{- with secret "kv/data/machines/home/anthropic-claude" -}}
ANTHROPIC_API_KEY={{ .Data.data.api-key }}{{ end -}}
'';
};
};
in
lib.mkMerge [
{
ringofstorms.secretsBao = {
enable = true;
zitadelKeyPath = "/machine-key.json";
openBaoAddr = "https://sec.joshuabell.xyz";
jwtAuthMountPath = "auth/zitadel-jwt";
openBaoRole = "machines";
zitadelIssuer = "https://sso.joshuabell.xyz";
zitadelProjectId = "344379162166820867";
inherit secrets;
};
}
(inputs.secrets-bao.lib.applyConfigChanges secrets)
]
)
nixarr.nixosModules.default nixarr.nixosModules.default
./hardware-configuration.nix ./hardware-configuration.nix
./mods ./mods

5
hosts/h001/mods/litellm.nix
View file

@ -27,6 +27,7 @@ in
host = "0.0.0.0"; host = "0.0.0.0";
openFirewall = false; openFirewall = false;
package = pkgsLitellm.litellm; package = pkgsLitellm.litellm;
environmentFile = "/run/secrets/litellm.env";
environment = { environment = {
SCARF_NO_ANALYTICS = "True"; SCARF_NO_ANALYTICS = "True";
DO_NOT_TRACK = "True"; DO_NOT_TRACK = "True";
@ -37,10 +38,6 @@ in
settings = { settings = {
environment_variables = { environment_variables = {
LITELLM_PROXY_API_KEY = "na"; LITELLM_PROXY_API_KEY = "na";
# TODO get from openbao secrets somehow
OPENROUTER_API_KEY = "kv/data/machines/home/openrouter api-key";
ANTHROPIC_API_KEY = "kv/data/machines/home/anthropic-claude api-key";
}; };
litellm_settings = { litellm_settings = {
check_provider_endpoints = true; check_provider_endpoints = true;