Merge branch 'master' of ssh://git.joshuabell.xyz:3032/ringofstorms/dotfiles

Add secrets-bao and load litellm env from /run/secrets
2026-01-06 23:53:44 -06:00 · 2026-01-06 23:44:39 -06:00
2 changed files with 38 additions and 4 deletions
--- a/hosts/h001/flake.nix
+++ b/hosts/h001/flake.nix
@ -21,6 +21,7 @@
    secrets.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/secrets";
    # beszel.url = "path:../../flakes/beszel";
    beszel.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/beszel";
+    secrets-bao.url = "path:../../flakes/secrets-bao";

    ros_neovim.url = "git+https://git.joshuabell.xyz/ringofstorms/nvim";

@ -80,6 +81,42 @@
                };
              })

+              inputs.secrets-bao.nixosModules.default
+              (
+                { inputs, lib, ... }:
+                let
+                  secrets = {
+                    litellm-env = {
+                      owner = "root";
+                      group = "root";
+                      mode = "0400";
+                      path = "/run/secrets/litellm.env";
+                      softDepend = [ "litellm" ];
+                      template = ''
+                        {{- with secret "kv/data/machines/home/openrouter" -}}OPENROUTER_API_KEY={{ .Data.data.api-key }}{{ end }}
+                        {{- with secret "kv/data/machines/home/anthropic-claude" -}}
+                        ANTHROPIC_API_KEY={{ .Data.data.api-key }}{{ end -}}
+                      '';
+                    };
+                  };
+                in
+                lib.mkMerge [
+                  {
+                    ringofstorms.secretsBao = {
+                      enable = true;
+                      zitadelKeyPath = "/machine-key.json";
+                      openBaoAddr = "https://sec.joshuabell.xyz";
+                      jwtAuthMountPath = "auth/zitadel-jwt";
+                      openBaoRole = "machines";
+                      zitadelIssuer = "https://sso.joshuabell.xyz";
+                      zitadelProjectId = "344379162166820867";
+                      inherit secrets;
+                    };
+                  }
+                  (inputs.secrets-bao.lib.applyConfigChanges secrets)
+                ]
+              )
+
              nixarr.nixosModules.default
              ./hardware-configuration.nix
              ./mods
--- a/hosts/h001/mods/litellm.nix
+++ b/hosts/h001/mods/litellm.nix
@ -27,6 +27,7 @@ in
      host = "0.0.0.0";
      openFirewall = false;
      package = pkgsLitellm.litellm;
+      environmentFile = "/run/secrets/litellm.env";
      environment = {
        SCARF_NO_ANALYTICS = "True";
        DO_NOT_TRACK = "True";
@ -37,10 +38,6 @@ in
      settings = {
        environment_variables = {
          LITELLM_PROXY_API_KEY = "na";
-
-          # TODO get from openbao secrets somehow
-          OPENROUTER_API_KEY = "kv/data/machines/home/openrouter api-key";
-          ANTHROPIC_API_KEY = "kv/data/machines/home/anthropic-claude api-key";
        };
        litellm_settings = {
          check_provider_endpoints = true;
Author	SHA1	Message	Date
RingOfStorms (Joshua Bell)	3602b04397	Merge branch 'master' of ssh://git.joshuabell.xyz:3032/ringofstorms/dotfiles	2026-01-06 23:53:44 -06:00
RingOfStorms (Joshua Bell)	0390a6f8f0	Add secrets-bao and load litellm env from /run/secrets	2026-01-06 23:44:39 -06:00