fix(home/pi): use config instead of osConfig for sops checks, cleanup formatting

2026-05-04 12:20:59 -04:00
parent 3095515963
commit 0e3658615a


@@ -1,9 +1,9 @@
{ lib {
, pkgs lib,
, config pkgs,
, namespace config,
, osConfig namespace,
, ... ...
}: }:
let let
inherit (lib) mkIf; inherit (lib) mkIf;
@@ -35,19 +35,15 @@ let
]; ];
piAuthJqRawfiles = lib.concatStringsSep " \\\n " ( piAuthJqRawfiles = lib.concatStringsSep " \\\n " (
map map (
(
auth: ''--rawfile ${auth.jqVar} "${config.sops.secrets.${auth.secretName}.path}"'' auth: ''--rawfile ${auth.jqVar} "${config.sops.secrets.${auth.secretName}.path}"''
) ) piAuthApiKeys
piAuthApiKeys
); );
piAuthJqFilter = lib.concatStringsSep " | " ( piAuthJqFilter = lib.concatStringsSep " | " (
map map (
(
auth: ''.["${auth.provider}"] = { type: "api_key", key: ($'' + auth.jqVar + ''| rtrimstr("\n")) }'' auth: ''.["${auth.provider}"] = { type: "api_key", key: ($'' + auth.jqVar + ''| rtrimstr("\n")) }''
) ) piAuthApiKeys
piAuthApiKeys
); );
piAuthMergeScript = pkgs.writeShellScript "pi-auth-merge" '' piAuthMergeScript = pkgs.writeShellScript "pi-auth-merge" ''
@@ -113,19 +109,17 @@ in
# Pi Models Config - Inject llama-swap API key from sops into models.json # Pi Models Config - Inject llama-swap API key from sops into models.json
# so pi can authenticate against the llm-api endpoint. # so pi can authenticate against the llm-api endpoint.
sops = lib.mkIf osConfig.${namespace}.security.sops.enable { sops = lib.mkIf config.${namespace}.security.sops.enable {
secrets = { secrets = {
"llama_swap_api_keys/pi" = { "llama_swap_api_keys/pi" = {
sopsFile = lib.snowfall.fs.get-file "secrets/common/llama-swap.yaml"; sopsFile = lib.snowfall.fs.get-file "secrets/common/llama-swap.yaml";
}; };
} }
// lib.listToAttrs ( // lib.listToAttrs (
map map (auth: {
(auth: {
name = auth.secretName; name = auth.secretName;
value.sopsFile = auth.sopsFile; value.sopsFile = auth.sopsFile;
}) }) piAuthApiKeys
piAuthApiKeys
); );
templates."pi-models.json" = { templates."pi-models.json" = {
path = "${config.home.homeDirectory}/.pi/agent/models.json"; path = "${config.home.homeDirectory}/.pi/agent/models.json";
@@ -159,7 +153,7 @@ in
# Merge Api Key Auth Into Mutable auth.json - Pi needs auth.json to stay # Merge Api Key Auth Into Mutable auth.json - Pi needs auth.json to stay
# writable, so merge sops-managed API keys instead of symlinking the whole # writable, so merge sops-managed API keys instead of symlinking the whole
# file. Existing provider auth entries are preserved. # file. Existing provider auth entries are preserved.
home.activation.piAuthMerge = lib.mkIf osConfig.${namespace}.security.sops.enable ( home.activation.piAuthMerge = lib.mkIf config.${namespace}.security.sops.enable (
config.lib.dag.entryAfter [ "sops-nix" "writeBoundary" ] '' config.lib.dag.entryAfter [ "sops-nix" "writeBoundary" ] ''
${piAuthMergeScript} ${piAuthMergeScript}
'' ''
@@ -168,7 +162,7 @@ in
# Run Pi Auth Merge After Sops - During NixOS system activation, sops-nix # Run Pi Auth Merge After Sops - During NixOS system activation, sops-nix
# can be restarted asynchronously and secrets may not exist yet. This user # can be restarted asynchronously and secrets may not exist yet. This user
# service retries the merge in the normal user systemd graph after sops-nix. # service retries the merge in the normal user systemd graph after sops-nix.
systemd.user.services.pi-auth-merge = lib.mkIf osConfig.${namespace}.security.sops.enable { systemd.user.services.pi-auth-merge = lib.mkIf config.${namespace}.security.sops.enable {
Unit = { Unit = {
Description = "Merge sops-managed Pi auth entries"; Description = "Merge sops-managed Pi auth entries";
After = [ "sops-nix.service" ]; After = [ "sops-nix.service" ];
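Review bot: The same gate expression `config.${namespace}.security.sops.enable` is now spelled out three times (the `sops`, `home.activation.piAuthMerge` and `systemd.user.services.pi-auth-merge` attributes), which invites the three drifting apart the next time the option path moves, exactly as this commit had to touch all three. Binding it once in the `let` block, e.g. `sopsEnabled = config.${namespace}.security.sops.enable;`, and writing `lib.mkIf sopsEnabled` at each site keeps the three secret-handling pieces switched together. Since `osConfig` is also dropped from the argument set in the first hunk, any reference to it left in the parts of the file outside these hunks would now fail to evaluate; this is presumably covered by the commit but cannot be confirmed from the visible lines. The `let` block and the attribute set these hunks belong to both start and end outside the visible hunks.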