Add OpenAI key wiring for clawdinator

Author: joshp123

.github/workflows/image-build.yml

@@ -63,7 +63,8 @@ jobs:
           for file in \
             nix/age-secrets/clawdinator-github-app.pem.age \
             nix/age-secrets/clawdinator-discord-token.age \
-            nix/age-secrets/clawdinator-anthropic-api-key.age
+            nix/age-secrets/clawdinator-anthropic-api-key.age \
+            nix/age-secrets/clawdinator-openai-api-key.age
           do
             test -f "$file"
           done

README.md

@@ -77,6 +77,7 @@ Secrets (required):
 - Discord bot token (per instance).
 - Discord bot tokens are explicit files via agenix.
 - Anthropic API key (Claude models).
+- OpenAI API key (OpenAI models).
 - AWS credentials (image pipeline + infra).
 - Agenix image key (baked into AMI via CI).
 

docs/SECRETS.md

@@ -18,10 +18,12 @@ Runtime (CLAWDINATOR):
 - Discord bot token (required, per instance).
 - GitHub token (required): GitHub App installation token (preferred) or a read-only PAT.
 - Anthropic API key (required for Claude models).
+- OpenAI API key (required for OpenAI models).
 
 Explicit token files (standard):
 - `services.clawdinator.discordTokenFile`
 - `services.clawdinator.anthropicApiKeyFile`
+- `services.clawdinator.openaiApiKeyFile`
 - `services.clawdinator.githubPatFile` (PAT path, if not using GitHub App; exports `GITHUB_TOKEN` + `GH_TOKEN`)
 
 GitHub App (preferred):
@@ -35,6 +37,7 @@ Agenix (local secrets repo):
 - Decrypt on host with agenix; point NixOS options at `/run/agenix/*`.
 - Image builds bake the agenix identity to `/etc/agenix/keys/clawdinator.agekey`; do not commit this key.
 - Required files (minimum): `clawdinator-github-app.pem.age`, `clawdinator-discord-token.age`, `clawdinator-anthropic-api-key.age`.
+- Also required for OpenAI: `clawdinator-openai-api-key.age`.
 - CI image pipeline (stored locally, not on hosts): `clawdinator-image-uploader-access-key-id.age`, `clawdinator-image-uploader-secret-access-key.age`, `clawdinator-image-bucket-name.age`, `clawdinator-image-bucket-region.age`.
 
 Example NixOS wiring (agenix):
@@ -47,13 +50,17 @@ Example NixOS wiring (agenix):
     "/var/lib/clawd/nix-secrets/clawdinator-github-app.pem.age";
   age.secrets."clawdinator-anthropic-api-key".file =
     "/var/lib/clawd/nix-secrets/clawdinator-anthropic-api-key.age";
+  age.secrets."clawdinator-openai-api-key".file =
+    "/var/lib/clawd/nix-secrets/clawdinator-openai-api-key.age";
   age.secrets."clawdinator-discord-token".file =
     "/var/lib/clawd/nix-secrets/clawdinator-discord-token.age";
 
   services.clawdinator.githubApp.privateKeyFile =
     "/run/agenix/clawdinator-github-app.pem";
   services.clawdinator.anthropicApiKeyFile =
     "/run/agenix/clawdinator-anthropic-api-key";
+  services.clawdinator.openaiApiKeyFile =
+    "/run/agenix/clawdinator-openai-api-key";
   services.clawdinator.discordTokenFile =
     "/run/agenix/clawdinator-discord-token";
 }

nix/examples/clawdinator-host.nix

@@ -4,6 +4,8 @@
     "/var/lib/clawd/nix-secrets/clawdinator-github-app.pem.age";
   age.secrets."clawdinator-anthropic-api-key".file =
     "/var/lib/clawd/nix-secrets/clawdinator-anthropic-api-key.age";
+  age.secrets."clawdinator-openai-api-key".file =
+    "/var/lib/clawd/nix-secrets/clawdinator-openai-api-key.age";
   age.secrets."clawdinator-discord-token".file =
     "/var/lib/clawd/nix-secrets/clawdinator-discord-token.age";
 
@@ -47,6 +49,7 @@
     };
 
     anthropicApiKeyFile = "/run/agenix/clawdinator-anthropic-api-key";
+    openaiApiKeyFile = "/run/agenix/clawdinator-openai-api-key";
     discordTokenFile = "/run/agenix/clawdinator-discord-token";
 
     githubApp = {

nix/hosts/clawdinator-1-common.nix

@@ -37,6 +37,11 @@ in
       owner = "clawdinator";
       group = "clawdinator";
     };
+    age.secrets."clawdinator-openai-api-key" = {
+      file = "${secretsPath}/clawdinator-openai-api-key.age";
+      owner = "clawdinator";
+      group = "clawdinator";
+    };
     age.secrets."clawdinator-discord-token" = {
       file = "${secretsPath}/clawdinator-discord-token.age";
       owner = "clawdinator";
@@ -122,6 +127,7 @@ in
       };
 
       anthropicApiKeyFile = "/run/agenix/clawdinator-anthropic-api-key";
+      openaiApiKeyFile = "/run/agenix/clawdinator-openai-api-key";
       discordTokenFile = "/run/agenix/clawdinator-discord-token";
 
       githubApp = {

nix/modules/clawdinator.nix

@@ -88,7 +88,7 @@ let
     toolchain.docs;
 
   tokenWrapper =
-    if cfg.anthropicApiKeyFile != null || cfg.discordTokenFile != null || cfg.githubPatFile != null then
+    if cfg.anthropicApiKeyFile != null || cfg.discordTokenFile != null || cfg.githubPatFile != null || cfg.openaiApiKeyFile != null then
       pkgs.writeShellScriptBin "clawdinator-gateway" ''
         set -euo pipefail
 
@@ -116,6 +116,7 @@ let
         ${lib.optionalString (cfg.anthropicApiKeyFile != null) "read_token ANTHROPIC_API_KEY \"${cfg.anthropicApiKeyFile}\""}
         ${lib.optionalString (cfg.discordTokenFile != null) "read_token DISCORD_BOT_TOKEN \"${cfg.discordTokenFile}\""}
         ${lib.optionalString (cfg.githubPatFile != null) "read_token \"GITHUB_TOKEN GH_TOKEN\" \"${cfg.githubPatFile}\""}
+        ${lib.optionalString (cfg.openaiApiKeyFile != null) "read_token \"OPENAI_API_KEY OPEN_AI_APIKEY\" \"${cfg.openaiApiKeyFile}\""}
 
         exec "${cfg.package}/bin/clawdbot" gateway --port ${toString cfg.gatewayPort}
       ''
@@ -251,6 +252,12 @@ in
       description = "Path to file containing Anthropic API key (plain text).";
     };
 
+    openaiApiKeyFile = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = "Path to file containing OpenAI API key (plain text).";
+    };
+
     discordTokenFile = mkOption {
       type = types.nullOr types.str;
       default = null;