better secrets handling no need for env var

2025-03-05 21:24:35 +00:00 · 2025-03-05 21:24:35 +00:00 · 5e2c22d314
commit 5e2c22d314
parent 7b1ca01cf1
3 changed files with 10 additions and 13 deletions
--- a/home/deepak/home.nix
+++ b/home/deepak/home.nix
@ -125,7 +125,7 @@ in
 			# syntax highlighting
 			vim-just
 		];
-		extraConfig = import ./neovim/init-vim.nix;
+		extraConfig = import ./neovim/init-vim.nix { inherit config; };
 	};

 	programs.thefuck.enable = true;
@ -174,6 +174,7 @@ in
 		];
 		initExtra = ''
 			eval "$(${pkgs.direnv}/bin/direnv hook zsh)"
+			export ANTHROPIC_API_KEY=$(cat ${config.sops.secrets.anthropic_api_key.path})
 		'';
 	};
 	
@ -182,13 +183,9 @@ in
 		# It's also possible to use a ssh key, but only when it has no password:
 		#age.sshKeyPaths = [ "/home/user/path-to-ssh-key" ];
 		defaultSopsFile = ./secrets.yaml;
-		secrets.test = {
-			# sopsFile = ./secrets.yml.enc; # optionally define per-secret files
-
-			# %r gets replaced with a runtime directory, use %% to specify a '%'
-			# sign. Runtime dir is $XDG_RUNTIME_DIR on linux and $(getconf
-			# DARWIN_USER_TEMP_DIR) on darwin.
-			path = "%r/test.txt"; 
+		secrets = {
+			anthropic_api_key = {
+			};
 		};
 	};

--- a/home/deepak/neovim/init-vim.nix
+++ b/home/deepak/neovim/init-vim.nix
@ -1,3 +1,4 @@
+{ config }:
 ''
 inoremap jj <Esc>
 inoremap kk <Esc>
@ -61,9 +62,8 @@ vim.api.nvim_set_keymap('n', '<leader>or', '<cmd>OverseerRun<CR>', { noremap = t
 require("parrot").setup({
 	providers = {
 		anthropic = {
-			api_key = os.getenv "ANTHROPIC_API_KEY",
+			api_key = { "cat", "${ config.sops.secrets.anthropic_api_key.path }" },
 		},
-		ollama = {},
 	},
 })

--- a/home/deepak/secrets.yaml
+++ b/home/deepak/secrets.yaml
@ -1,6 +1,6 @@
 hello: ENC[AES256_GCM,data:mdwrgkzAvxazg319XbXnHTMUOJLO5ybx7iK0HfRHn0tYj+5q8EQB7XxQThF7Xw==,iv:XJIl2Idal+O61ONAKCaCGaGvB7mwyBMtd2+THsaeqdg=,tag:/vN0rkCNMPe62uMxwMg75Q==,type:str]
 #ENC[AES256_GCM,data:XQeqeSMpzA/awNfbiWdq0GhfreE+0a5t1dmd5Ic=,iv:Tv0uGl9LtoF+F5o2HBGMnPCU05eHmekSn51HNxzlRWw=,tag:fQdevcwTK0oI3EzRZik0XA==,type:comment]
-anthropic_key: ENC[AES256_GCM,data:tcuddpeu3PKPXrf8EgmSfjd12d7ptLok/DlumQC/oIzTGG7sYsvxseZrDElsYT4AGmkWPNVVhac+3PmKfGFL4rV16u+6G+weMgTCYsDHyg0KaWM5a01MB3GMf2HyA65RYUxaRW4kP+6UlOXO,iv:dyD6lxxLa99HP9NXf/ewZu1h6Sm6KBYPJqwM3l6SX88=,tag:23+3ad8o67Niyil9M+B4ag==,type:str]
+anthropic_api_key: ENC[AES256_GCM,data:SgDnPjIGmoB7YAqSYMD8jmeGlK0mvZokHQ4bt1dT6zF/cX31fW7V+oRovPowFxgYfz8xXMHbNquUU7TlUebKFRVMeNhbnJmosLoUQj8JnxFZnKWRk4OwE4w/oTIdjjWh5OSo/GsDprm+XcMF,iv:/GVhGWpUqe6NF2ZpdNb7qTbrXcZr7pj219xkAv3AnQM=,tag:W9yZpFCsEyIYhUuvoJuBtw==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -16,8 +16,8 @@ sops:
            OENPOXBEZ3ZrU1k1bGk2Tko0VzcyME0Kc+d+9WO9Yv7wbg56cnGyklaeoQTfKqYr
            7sycCyJFzlihyfiPxkHzGFkAudmakuwKo4cj+L4V7pDLta1leA4X+w==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-03-05T20:08:03Z"
-    mac: ENC[AES256_GCM,data:he/4cI1SH0uloLOWd7Qi4wtrOrFQKE3xy6doDg0Uv0mp7ViScYiYbIq8r1bM/zH0X8aTKyYj9O75b+rm+vS3Q8sG8PFj6vHvF4bwduO1jobNnLnUjJDgpSmpLneGAPJyyV2UBFXRCQOJ0anshmNCD0bFPyV9SnSaf5NgBdBpkeI=,iv:7PmJ6zuY+tMzectAuDp6uCUpxbDp0CWqCCQzpq2evjY=,tag:OIwFQ96feI75ld9feB25Og==,type:str]
+    lastmodified: "2025-03-05T21:03:16Z"
+    mac: ENC[AES256_GCM,data:M1BQIakQtcK3OHrsLQ/SadQeVl9soVbAd4XRCdTp+/way3v3CPo3JqElybRiG7xAEifULmQXOUkw84u4mv+QM4YmvP94zcugiSLJ/FA6mcRvC8GlmjhNbtriLgTedB6GoZ23j1jdA9L9V8AnNYNLroXMVrMwkSwAd7HBYec0QHI=,iv:b1u+9P1QrP9UVP3woTeWDzH+cS83Pt8YSg7fScQjEp4=,tag:GNRfzG9a+U3J/ZKr7iqigQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1