Seed pi auth.json from agenix keys

- add pi-auth script to build auth.json at runtime - wire clawdinator-pi-auth service after agenix Tests: not run (config/script only)
2026-02-02 17:08:44 +01:00 · 2026-02-02 17:08:44 +01:00 · fbd6dc2118
commit fbd6dc2118
parent 8a1deeed09
2 changed files with 73 additions and 2 deletions
--- a/nix/modules/clawdinator.nix
+++ b/nix/modules/clawdinator.nix
@ -626,12 +626,14 @@ in
        ++ lib.optional cfg.bootstrap.enable "clawdinator-bootstrap.service"
        ++ lib.optional cfg.bootstrap.enable "clawdinator-agenix.service"
        ++ lib.optional cfg.githubApp.enable "clawdinator-github-app-token.service"
-        ++ lib.optional (cfg.repoSeedSnapshotDir != null) "clawdinator-repo-seed.service";
+        ++ lib.optional (cfg.repoSeedSnapshotDir != null) "clawdinator-repo-seed.service"
+        ++ lib.optional (cfg.openaiApiKeyFile != null && cfg.anthropicApiKeyFile != null) "clawdinator-pi-auth.service";
      wants =
        lib.optional cfg.bootstrap.enable "clawdinator-bootstrap.service"
        ++ lib.optional cfg.bootstrap.enable "clawdinator-agenix.service"
        ++ lib.optional cfg.githubApp.enable "clawdinator-github-app-token.service"
-        ++ lib.optional (cfg.repoSeedSnapshotDir != null) "clawdinator-repo-seed.service";
+        ++ lib.optional (cfg.repoSeedSnapshotDir != null) "clawdinator-repo-seed.service"
+        ++ lib.optional (cfg.openaiApiKeyFile != null && cfg.anthropicApiKeyFile != null) "clawdinator-pi-auth.service";

      environment = {
        CLAWDBOT_CONFIG_PATH = configPath;
@ -776,6 +778,26 @@ in
      script = "${githubTokenScript}";
    };

+    systemd.services.clawdinator-pi-auth = lib.mkIf (cfg.openaiApiKeyFile != null && cfg.anthropicApiKeyFile != null) {
+      description = "CLAWDINATOR Pi auth.json seed";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "clawdinator-agenix.service" ];
+      wants = [ "clawdinator-agenix.service" ];
+      serviceConfig = {
+        Type = "oneshot";
+        User = cfg.user;
+        Group = cfg.group;
+        ExecStart =
+          let
+            outputPath = "${cfg.stateDir}/.pi/agent/auth.json";
+            openaiKey = cfg.openaiApiKeyFile;
+            anthropicKey = cfg.anthropicApiKeyFile;
+          in
+          "${pkgs.bash}/bin/bash ${../../scripts/pi-auth.sh} ${lib.escapeShellArg outputPath} ${lib.escapeShellArg openaiKey} ${lib.escapeShellArg anthropicKey}";
+      };
+      path = [ pkgs.coreutils pkgs.jq ];
+    };
+
    systemd.timers.clawdinator-github-app-token = lib.mkIf cfg.githubApp.enable {
      wantedBy = [ "timers.target" ];
      timerConfig = {
--- a/scripts/pi-auth.sh
+++ b/scripts/pi-auth.sh
@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+output_path="${1:-}"
+openai_key_file="${2:-}"
+anthropic_key_file="${3:-}"
+
+if [ -z "$output_path" ] || [ -z "$openai_key_file" ] || [ -z "$anthropic_key_file" ]; then
+  echo "pi-auth: usage: pi-auth <output> <openai_key_file> <anthropic_key_file>" >&2
+  exit 1
+fi
+
+read_secret() {
+  local path="$1"
+  if [ ! -f "$path" ]; then
+    echo "pi-auth: secret not found: $path" >&2
+    exit 1
+  fi
+  local value
+  value="$(cat "$path")"
+  if [ -z "$value" ]; then
+    echo "pi-auth: secret empty: $path" >&2
+    exit 1
+  fi
+  printf '%s' "$value"
+}
+
+openai_key="$(read_secret "$openai_key_file")"
+anthropic_key="$(read_secret "$anthropic_key_file")"
+
+install -d -m 0700 "$(dirname "$output_path")"
+
+umask 077
+
+tmp_file="$(mktemp)"
+trap 'rm -f "$tmp_file"' EXIT
+
+jq -n \
+  --arg openai "$openai_key" \
+  --arg anthropic "$anthropic_key" \
+  '{
+    openai: { type: "api_key", key: $openai },
+    "openai-codex": { type: "api_key", key: $openai },
+    anthropic: { type: "api_key", key: $anthropic }
+  }' > "$tmp_file"
+
+chmod 0600 "$tmp_file"
+
+mv "$tmp_file" "$output_path"