evan/nix
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add api keys to llama-swap

Browse Source
This commit is contained in:
Evan Reichard
2026-05-01 22:12:51 -04:00
parent 43a1d66e6b
commit e4d40d89d9
4 changed files with 126 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
.sops.yaml
View File

@@ -27,6 +27,17 @@ creation_rules:
- *system_lin-va-desktop
- *system_lin-va-thinkpad
- *system_lin-va-terminal
- path_regex: secrets/common/llama-swap.yaml
key_groups:
- age:
- *admin_reichard
- *system_lin-va-desktop
- *user_lin-va-mbp-personal
- *user_lin-va-mbp-work-vm
- *user_lin-va-terminal
- *user_lin-va-thinkpad
- *user_mac-va-mbp-personal
- *user_mac-va-mbp-work
- path_regex: secrets/common/evanreichard.yaml
key_groups:
- age:

35
modules/home/programs/terminal/pi/default.nix
View File

@@ -2,6 +2,7 @@
, pkgs
, config
, namespace
, osConfig
, ...
}:
let
@@ -35,18 +36,7 @@ in
# Define Pi Configuration
home.file = {
".pi/agent/models.json" = {
text = builtins.toJSON {
providers = {
"llama-swap" = {
baseUrl = "https://llm-api.va.reichard.io/v1";
api = "openai-completions";
apiKey = "none";
models = helpers.toPiModels llamaSwapConfig;
};
};
};
};
".pi/agent/AGENTS.md" = {
source = ./config/AGENTS.md;
};
@@ -64,6 +54,27 @@ in
};
};
# Pi Models Config - Inject llama-swap API key from sops into models.json
# so pi can authenticate against the llm-api endpoint.
sops = lib.mkIf osConfig.${namespace}.security.sops.enable {
secrets."llama_swap_api_keys/pi" = {
sopsFile = lib.snowfall.fs.get-file "secrets/common/llama-swap.yaml";
};
templates."pi-models.json" = {
path = "${config.home.homeDirectory}/.pi/agent/models.json";
content = builtins.toJSON {
providers = {
"llama-swap" = {
baseUrl = "https://llm-api.va.reichard.io/v1";
api = "openai-completions";
apiKey = config.sops.placeholder."llama_swap_api_keys/pi";
models = helpers.toPiModels llamaSwapConfig;
};
};
};
};
};
# Merge Nix-Defined Plugins Into Mutable settings.json - We can't symlink
# this file into the nix store because pi rewrites it at runtime (e.g. to
# persist the last-used model). Instead, on every activation we use jq to

19
modules/nixos/services/llama-swap/default.nix
View File

@@ -88,19 +88,22 @@ in
# Create Config
sops = {
secrets.synthetic_apikey = {
sopsFile = lib.snowfall.fs.get-file "secrets/common/systems.yaml";
secrets = {
"llama_swap_api_keys/pi" = {
sopsFile = lib.snowfall.fs.get-file "secrets/common/llama-swap.yaml";
};
};
templates."llama-swap.json" = {
owner = "llama-swap";
group = "llama-swap";
mode = "0400";
content = builtins.toJSON cfg.config;
# content = builtins.toJSON (
# recursiveUpdate cfg.config {
# peers.synthetic.apiKey = config.sops.placeholder.synthetic_apikey;
# }
# );
content = builtins.toJSON (
recursiveUpdate cfg.config {
apiKeys = [
config.sops.placeholder."llama_swap_api_keys/pi"
];
}
);
};
};

81
secrets/common/llama-swap.yaml Normal file
View File

@@ -0,0 +1,81 @@
#ENC[AES256_GCM,data:GdmmcWLHlE3LJvl9VfzbuEgZyGGqlKcrtNa+78/FFKO5coPf0n27eKwfo6UGuhf3ln++ePv37Eg=,iv:M+DWl7AZeQXJ0z4l6LHJBYrI/jW5NFY6b2tW9QnL9jM=,tag:fdy4feWIvKPCHbAcNZ6mmQ==,type:comment]
llama_swap_api_keys:
pi: ENC[AES256_GCM,data:7Cw7RPQemcf5/zO7uazjA+dzpQu2MQo/Nbe3K3/CJ+OeQR90SJx4Z0TZudFugZoIHWR+sPEGQxUk8ne5xcfY6GSHJA==,iv:B5fX93BtSNwIDUdWTXr3ZhBQ4AuUqDHjeeVbkcCk7HI=,tag:6RMyFEF5872waHzxUCUh0Q==,type:str]
sops:
age:
- recipient: age1sac93wpnjcv62s7583jv6a4yspndh6k0r25g3qx3k7gq748uvafst6nz4w
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmZm9hY3BOa1Fmd1A0cGlz
Z0JWQ0Z4UnZGdUN0Q0JYLzBzczdsNi95d2tZCndYM2pLdENZTW53YmZUMy9GMUx3
TzIraGY0NTM0bmtUWWd3MXhPWGNDNVUKLS0tIFd4SlMrdWxLeDd6K2ZVM2hPai9q
djVIQldUaU96Vk9xUWptR3RxV3o4dEUKY4ti95K2052gWXpTJo4zw82pYSPhY53D
tKeeTBrfBs1PQ8bAYJ63exWam5HOz+fp0qu5HqO3reNairkgcH3Mhg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mxjrvjxkn69kfn2np3wpd73g44fuhsgykw7l5ss9rx30em5jfp2scnrq32
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1b0JTTUtoTDJRdGNHaHJj
SUNieDhhRUM3VkQzelV1ZDZTSVZqNy9oVjFnCjllWWFhcVprZ3BzamFEMmZXNzVo
NzdrVC9lcXpkYWpuR2lWdmtHQmx2UzgKLS0tIEtGTGI4M2RNNFRSSFRyaWRNNDhS
K2lsb3ZrYjB4RzRLTWpEVVpsQkoyQ0EK2nxzVyMoPI7P269oUVPUQfFbZIPPwjJy
IP9s6BvX8dkEssk2QDhqAKhugEHQ9czzutqcg9ZzepyrfIZde6bbYA==
-----END AGE ENCRYPTED FILE-----
- recipient: age17ayje4uv2mhwehhp9jr3u9l0ds07396kt7ef40sufx89vm7cgfjq6d5d4y
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTRVdtRnBXbFdKemtZclZ2
R3RDc2NOeDFLU0NuT2pRM1pDaDFGbDd0d2p3CkZkL0lYdlhhWE5iS2hNN2hoelc1
NXN4U1M5azk1ZHA4cEtNUnA5ZWhNaEEKLS0tIGdobWlDTnY4SzIwZDNWSTc0UjR4
NEJrT3JScC9XV2RoRW8xTEhwR01RaDgKuGGUk0GTJiBH/9r9EImZqhVoc8czS+qb
mdUQTzHt9c19R1a6BU99owQqPUShuoZh+4TR9ntEejODmo/wLDQUsw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mar507c9mxmwalg486chs5kfh0mya38rv5w64ypfwnwlawewrpnswerpg8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFMHRrekI4ZWZvS0ZkOVFx
OHl1aFhNWTQ2US8waVRET3NjMXpWQXJtRGprCldyMXdNMnF0S1RaV2FoL1M3cVpz
bmVNaWNSRHJKa0xrUTJJdndtUTB6YTgKLS0tIHFDWEd0VGxzT1I3cnhJV2VHaDlN
M050QzkyQVIwa2sxc0h1TktxMDdlY28KWfobSicg0Z85yN7JZfKPiysHL8UvVucj
M27JLgbuvRw+tRKtuPdurfiSXQnHBXl1KKp7/HFeRWYYIf1CbjleXg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1w6avj7gd4f5frk90lsyh4e2k5am6z92hzlr0vpgrm767muyj59qsnuah62
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtMjRzS3ZQWkJEZXkrWmJ6
Zi84OWhFYnVuQWJLaFN1OS9uUW9GVTdtTjBvClVpZkYvc0tKTmxjbnR0eXpzeFZF
UDNnU3ZLQ0R1Nm4wS3ZoQm1pUCtuelkKLS0tIGlpbEtLNFpPU21SWWhhWEpxMUJO
elV3Z1RuM2RNemtEN1dTejNZWVZWTDAKP8DLC1+yoIWeVFa/m9ZE9VWi5kfU6NS9
918BrKOp3+Fzxf2/L+u3txmyDDKjAkax2ngNtcSCrF9FcW4oQMjOMQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1avlhszrryt4gf4ya536jhzm7qwt9xfttm8x4sns6h9w2tahzqp8sspz9y5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPcXpOb05mTWhHYUJQSXB6
Zzh6QWNyRUgvcVhtNU4zclBnVHo2Y3czZFFRCklkWmlWaXRWZHhvME5XcTBDTTVM
clQxZW0xWFl0UFlvOEtSdjVLc0VzYlUKLS0tIEpIQU9uRkJ6MHdSWU0vc0V5R3Vj
bDE3SS91Mk5LdHd4QnhQS0xXS0c3MWMKQJ+dKG5TFo/K0Ds2Tuf4xpKUmJS+bri1
HnXCB5MTyLO8OrTsT8eiiBsNWjOyny7f8SHI2gGpQpvOjsh9IsmzjA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1dccte7xtwswgef089nd80dutp96xnezx5lrqnneh9cusegsnda8sj3dj6c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0UkdSRnFnRjlTOGFGc05S
SWNXQnNHL1VUSE8xS0RFN1FLcEpOcnl0VHdVCkpOTFZVYW5Wb3RLc2NMWnZLSkRI
QTRWQ2l1WUt0SXZWWVdzN2IxSEtzNEUKLS0tIHhZc056Z3pCL2lvQmQ0dWxZV21Q
RnR2UVVCSkMvRllzcVU4bmpndmpWNncKd6tk1HLfofPc714enTIiLGgQyQoEgnUH
PQSx9ipnMAnl4N0lVogn6P79xs37q3+DRPLoZi0XUeSpQnqLgBdQ7A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ped3hpugq06908ex8kgama33qckqe03rmac5pa6th87vks5d249qhshvqu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMZm5hUkJBKzNTK3pydHRM
eTE5YVY5SjluUEh0U2o1amFoNG0yQkpld0Q4CjBxNllmL3BublZUdzF0bWdQbmxn
ZiszY3l0L2RMb1gvbTFWU2V6MHE1SVkKLS0tIENBdmRxc24wMFF6akNRQjRBSXUw
SmpMYnNBTWVYTENWSUQvWXMrZXVqbncK6KtP4pOEBDM8gK26uYp3a/WRP4TrkyWV
4ugL2Y7sGkVrWz0Cvr3Jp9QDuPh3xs4jZyEvB8RbxQDMFJzdOEBv2A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-05-02T02:07:49Z"
mac: ENC[AES256_GCM,data:EroMrSyIJnQEP7Koo+195xmkloWDRQ21WuM0L+bTXzOLT1aQrUa15dxpYbQ+XUUVxtRfFHKSSXkyAG3UR/Ez7qhhxysQwL8ijUK7O+l7yn8EB3FbkQrYUIVASP6HzYe7XMd5Z+Zz/D6n172TxANLmaUxouYd4mlwcZzHSffP0AA=,iv:x5LKYpLb/Rkq6erH0wHCyZxbA7fr1NpW2JWCe3y2fnw=,tag:+ITvd9XqR5Pc1nj8snb2yA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.12.1