feat: add api keys to llama-swap

modules/home/programs/terminal/pi/default.nix

@@ -2,6 +2,7 @@
 , pkgs
 , config
 , namespace
+, osConfig
 , ...
 }:
 let
@@ -35,18 +36,7 @@ in
 
     # Define Pi Configuration
     home.file = {
-      ".pi/agent/models.json" = {
-        text = builtins.toJSON {
-          providers = {
-            "llama-swap" = {
-              baseUrl = "https://llm-api.va.reichard.io/v1";
-              api = "openai-completions";
-              apiKey = "none";
-              models = helpers.toPiModels llamaSwapConfig;
-            };
-          };
-        };
-      };
+
       ".pi/agent/AGENTS.md" = {
         source = ./config/AGENTS.md;
       };
@@ -64,6 +54,27 @@ in
       };
     };
 
+    # Pi Models Config - Inject llama-swap API key from sops into models.json
+    # so pi can authenticate against the llm-api endpoint.
+    sops = lib.mkIf osConfig.${namespace}.security.sops.enable {
+      secrets."llama_swap_api_keys/pi" = {
+        sopsFile = lib.snowfall.fs.get-file "secrets/common/llama-swap.yaml";
+      };
+      templates."pi-models.json" = {
+        path = "${config.home.homeDirectory}/.pi/agent/models.json";
+        content = builtins.toJSON {
+          providers = {
+            "llama-swap" = {
+              baseUrl = "https://llm-api.va.reichard.io/v1";
+              api = "openai-completions";
+              apiKey = config.sops.placeholder."llama_swap_api_keys/pi";
+              models = helpers.toPiModels llamaSwapConfig;
+            };
+          };
+        };
+      };
+    };
+
     # Merge Nix-Defined Plugins Into Mutable settings.json - We can't symlink
     # this file into the nix store because pi rewrites it at runtime (e.g. to
     # persist the last-used model). Instead, on every activation we use jq to

modules/nixos/services/llama-swap/default.nix

@@ -88,19 +88,22 @@ in
 
     # Create Config
     sops = {
-      secrets.synthetic_apikey = {
-        sopsFile = lib.snowfall.fs.get-file "secrets/common/systems.yaml";
+      secrets = {
+        "llama_swap_api_keys/pi" = {
+          sopsFile = lib.snowfall.fs.get-file "secrets/common/llama-swap.yaml";
+        };
       };
       templates."llama-swap.json" = {
         owner = "llama-swap";
         group = "llama-swap";
         mode = "0400";
-        content = builtins.toJSON cfg.config;
-        # content = builtins.toJSON (
-        #   recursiveUpdate cfg.config {
-        #     peers.synthetic.apiKey = config.sops.placeholder.synthetic_apikey;
-        #   }
-        # );
+        content = builtins.toJSON (
+          recursiveUpdate cfg.config {
+            apiKeys = [
+              config.sops.placeholder."llama_swap_api_keys/pi"
+            ];
+          }
+        );
       };
     };