Skip to content

feat: add generic secretEnv option for provider API keys #13

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
andreabadesso wants to merge 1 commit into
base: main
Choose a base branch
from
+47 −2
Open

feat: add generic secretEnv option for provider API keys #13

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
49 changes: 47 additions & 2 deletions nix/modules/home-manager/clawdbot.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -187,10 +187,24 @@ let
apiKeyFile = lib.mkOption {
type = lib.types.str;
default = "";
description = "Path to Anthropic API key file (used to set ANTHROPIC_API_KEY).";
description = "Path to Anthropic API key file (used to set ANTHROPIC_API_KEY). Deprecated: use secretEnv instead.";
};
};

secretEnv = lib.mkOption {
type = lib.types.attrsOf lib.types.str;
default = cfg.secretEnv;
example = {
ANTHROPIC_API_KEY = "/run/secrets/anthropic_key";
ZAI_API_KEY = "/run/secrets/zai_key";
};
description = ''
Environment variables to set from secret files.
Keys are env var names, values are paths to files containing the secret.
The file contents will be read at runtime and exported as env vars.
'';
};

agent = {
model = lib.mkOption {
type = lib.types.str;
Expand Down Expand Up @@ -743,6 +757,7 @@ let

${lib.concatStringsSep "\n" (map (entry: "export ${entry.key}=\"${entry.value}\"") pluginEnvAll)}

# Legacy: providers.anthropic.apiKeyFile (deprecated, use secretEnv)
if [ -n "${inst.providers.anthropic.apiKeyFile}" ]; then
if [ ! -f "${inst.providers.anthropic.apiKeyFile}" ]; then
echo "Anthropic API key file not found: ${inst.providers.anthropic.apiKeyFile}" >&2
Expand All @@ -756,6 +771,22 @@ let
export ANTHROPIC_API_KEY
fi

# secretEnv: export env vars from secret files
${lib.concatStringsSep "\n" (lib.mapAttrsToList (envVar: filePath: ''
if [ -n "${filePath}" ]; then
if [ ! -f "${filePath}" ]; then
echo "Secret file not found for ${envVar}: ${filePath}" >&2
exit 1
fi
${envVar}="$(cat "${filePath}")"
if [ -z "''$${envVar}" ]; then
echo "Secret file is empty for ${envVar}: ${filePath}" >&2
exit 1
fi
export ${envVar}
fi
'') inst.secretEnv)}

exec "${gatewayPackage}/bin/clawdbot" "$@"
'';
in {
Expand Down Expand Up @@ -1072,10 +1103,24 @@ in {
apiKeyFile = lib.mkOption {
type = lib.types.str;
default = "";
description = "Path to Anthropic API key file (used to set ANTHROPIC_API_KEY).";
description = "Path to Anthropic API key file (used to set ANTHROPIC_API_KEY). Deprecated: use secretEnv instead.";
};
};

secretEnv = lib.mkOption {
type = lib.types.attrsOf lib.types.str;
default = {};
example = {
ANTHROPIC_API_KEY = "/run/secrets/anthropic_key";
ZAI_API_KEY = "/run/secrets/zai_key";
};
description = ''
Environment variables to set from secret files.
Keys are env var names, values are paths to files containing the secret.
The file contents will be read at runtime and exported as env vars.
'';
};

routing.queue = {
mode = lib.mkOption {
type = lib.types.enum [ "queue" "interrupt" ];
Expand Down