feat: add apiKeys lib for direnv/sops single source of truth

- apiKeys: list of API key names (openai, google, anthropic, openrouter) - mkDirenvStdlib: generates use_api_keys() bash function - mkSopsSecrets: generates sops-nix secrets attribute set Consumers (ops-dev, dotfiles) can now import from skills.lib instead of maintaining duplicate key lists.
2025-12-04 20:45:48 -08:00 · 2025-12-04 20:45:48 -08:00 · 67f6d69cc7
parent def212bc5b
commit 67f6d69cc7
1 changed files with 38 additions and 2 deletions
--- a/flake.nix
+++ b/flake.nix
@ -96,12 +96,48 @@
      # Export skills paths for direct use
      lib = {
        inherit availableSkills;
-        
+
        # Helper to get skill path
        getSkillPath = skillName: ./skills/${skillName};
-        
+
        # Helper to get all skill paths
        getAllSkillPaths = map (name: ./skills/${name}) availableSkills;
+
+        # API Keys - Single Source of Truth
+        # Used by both direnv stdlib and sops-nix configuration
+        apiKeys = [ "openai" "google" "anthropic" "openrouter" ];
+
+        # Generate direnv stdlib use_api_keys function
+        mkDirenvStdlib = keys:
+          let
+            toEnvVar = key: {
+              "openai" = "OPENAI_API_KEY";
+              "google" = "GEMINI_API_KEY";
+              "anthropic" = "ANTHROPIC_API_KEY";
+              "openrouter" = "OPENROUTER_API_KEY";
+            }.${key} or (builtins.throw "Unknown API key: ${key}");
+
+            # Google key exports both GEMINI_API_KEY and GOOGLE_API_KEY
+            mkExport = key:
+              if key == "google" then ''
+              [ -f /run/secrets/api_keys/${key} ] && export ${toEnvVar key}="$(cat /run/secrets/api_keys/${key})" && export GOOGLE_API_KEY="$GEMINI_API_KEY"''
+              else ''
+              [ -f /run/secrets/api_keys/${key} ] && export ${toEnvVar key}="$(cat /run/secrets/api_keys/${key})"'';
+          in ''
+            use_api_keys() {
+              ${builtins.concatStringsSep "\n  " (map mkExport keys)}
+            }
+          '';
+
+        # Generate sops-nix secrets attribute set
+        mkSopsSecrets = { keys, owner, group ? "users" }:
+          builtins.listToAttrs (map (key: {
+            name = "api_keys/${key}";
+            value = {
+              mode = "0600";
+              inherit owner group;
+            };
+          }) keys);
      };
    };
 }