From 0e3658615acedae474f381189a7f348ae0f294af Mon Sep 17 00:00:00 2001
From: Evan Reichard
Date: Mon, 4 May 2026 12:20:59 -0400
Subject: [PATCH] fix(home/pi): use config instead of osConfig for sops checks, cleanup formatting
---
 modules/home/programs/terminal/pi/default.nix | 44 ++++++++-----------
 1 file changed, 19 insertions(+), 25 deletions(-)
diff --git a/modules/home/programs/terminal/pi/default.nix b/modules/home/programs/terminal/pi/default.nix
index 4fc00c5..b243f67 100755
--- a/modules/home/programs/terminal/pi/default.nix
+++ b/modules/home/programs/terminal/pi/default.nix
@@ -1,9 +1,9 @@
-{ lib
-, pkgs
-, config
-, namespace
-, osConfig
-, ...
+{
+ lib,
+ pkgs,
+ config,
+ namespace,
+ ...
 }:
 let
 inherit (lib) mkIf;
@@ -35,19 +35,15 @@ let
 ];
 piAuthJqRawfiles = lib.concatStringsSep " \\\n " (
- map
- (
- auth: ''--rawfile ${auth.jqVar} "${config.sops.secrets.${auth.secretName}.path}"''
- )
- piAuthApiKeys
+ map (
+ auth: ''--rawfile ${auth.jqVar} "${config.sops.secrets.${auth.secretName}.path}"''
+ ) piAuthApiKeys
 );
 piAuthJqFilter = lib.concatStringsSep " | " (
- map
- (
- auth: ''.["${auth.provider}"] = { type: "api_key", key: ($'' + auth.jqVar + ''| rtrimstr("\n")) }''
- )
- piAuthApiKeys
+ map (
+ auth: ''.["${auth.provider}"] = { type: "api_key", key: ($'' + auth.jqVar + ''| rtrimstr("\n")) }''
+ ) piAuthApiKeys
 );
 piAuthMergeScript = pkgs.writeShellScript "pi-auth-merge" ''
@@ -113,19 +109,17 @@ in
 # Pi Models Config - Inject llama-swap API key from sops into models.json
 # so pi can authenticate against the llm-api endpoint.
- sops = lib.mkIf osConfig.${namespace}.security.sops.enable {
+ sops = lib.mkIf config.${namespace}.security.sops.enable {
 secrets = {
 "llama_swap_api_keys/pi" = {
 sopsFile = lib.snowfall.fs.get-file "secrets/common/llama-swap.yaml";
 };
 }
 // lib.listToAttrs (
- map
- (auth: {
- name = auth.secretName;
- value.sopsFile = auth.sopsFile;
- })
- piAuthApiKeys
+ map (auth: {
+ name = auth.secretName;
+ value.sopsFile = auth.sopsFile;
+ }) piAuthApiKeys
 );
 templates."pi-models.json" = {
 path = "${config.home.homeDirectory}/.pi/agent/models.json";
@@ -159,7 +153,7 @@ in
 # Merge Api Key Auth Into Mutable auth.json - Pi needs auth.json to stay
 # writable, so merge sops-managed API keys instead of symlinking the whole
 # file. Existing provider auth entries are preserved.
- home.activation.piAuthMerge = lib.mkIf osConfig.${namespace}.security.sops.enable (
+ home.activation.piAuthMerge = lib.mkIf config.${namespace}.security.sops.enable (
 config.lib.dag.entryAfter [ "sops-nix" "writeBoundary" ] ''
 ${piAuthMergeScript}
 ''
@@ -168,7 +162,7 @@ in
 # Run Pi Auth Merge After Sops - During NixOS system activation, sops-nix
 # can be restarted asynchronously and secrets may not exist yet. This user
 # service retries the merge in the normal user systemd graph after sops-nix.
- systemd.user.services.pi-auth-merge = lib.mkIf osConfig.${namespace}.security.sops.enable {
+ systemd.user.services.pi-auth-merge = lib.mkIf config.${namespace}.security.sops.enable {
 Unit = {
 Description = "Merge sops-managed Pi auth entries";
 After = [ "sops-nix.service" ];
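Review bot: The gate `config.${namespace}.security.sops.enable` is now written out three times, on `sops` here and again in the later hunks on `home.activation.piAuthMerge` and `systemd.user.services.pi-auth-merge`, so a later edit can change one site and leave secrets declared without the merge, or the merge enabled without its secrets. Binding it once in the existing `let` block, `sopsEnabled = config.${namespace}.security.sops.enable;`, and using `lib.mkIf sopsEnabled` at all three sites keeps them in step. Because the gate now reads the Home Manager option instead of the NixOS one, it is worth confirming that option is declared with a default in the home modules; when it is false pi presumably gets no key in `models.json`, and a `warnings` entry would surface that at evaluation time. The `sops` attribute set continues past the end of the hunk.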
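Review bot: The comment above `home.activation.piAuthMerge` explains why `auth.json` stays writable but says nothing about its permissions, although after the merge it holds decrypted API keys outside the sops-managed paths. The body of `pi-auth-merge` is outside this hunk, so it cannot be checked from here whether the file is written owner-only and replaced atomically. I would record the requirement next to the activation entry, for example `# auth.json holds decrypted API keys: pi-auth-merge must write it with mode 0600 via a temp file and rename.`, and verify the script matches it.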