bake clawdinator secrets into AMI build

Author: joshp123

.github/workflows/image-build.yml

@@ -34,6 +34,23 @@ jobs:
           printf '%s' "${CLAWDINATOR_AGE_KEY}" > nix/keys/clawdinator.agekey
           chmod 600 nix/keys/clawdinator.agekey
 
+      - name: Fetch age secrets
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_REGION: ${{ secrets.AWS_REGION }}
+          S3_BUCKET: ${{ secrets.S3_BUCKET }}
+        run: |
+          mkdir -p nix/age-secrets
+          aws s3 sync "s3://${S3_BUCKET}/age-secrets" nix/age-secrets
+          for file in \
+            nix/age-secrets/clawdinator-github-app.pem.age \
+            nix/age-secrets/clawdinator-discord-token.age \
+            nix/age-secrets/clawdinator-anthropic-api-key.age
+          do
+            test -f "$file"
+          done
+
       - name: Build image
         run: scripts/build-image.sh
 

.gitignore

@@ -16,6 +16,7 @@ infra/opentofu/aws/*.auto.tfvars
 # Secrets
 *.env
 nix/keys/*.agekey
+nix/age-secrets/
 
 # Nix build outputs
 result

nix/hosts/clawdinator-1-common.nix

@@ -0,0 +1,140 @@
+{ lib, config, ... }:
+let
+  secretsPath = config.clawdinator.secretsPath;
+in
+{
+  options.clawdinator.secretsPath = lib.mkOption {
+    type = lib.types.str;
+    description = "Path to encrypted age secrets for CLAWDINATOR.";
+  };
+
+  config = {
+    age.identityPaths = [ "/etc/agenix/keys/clawdinator.agekey" ];
+    age.secrets."clawdinator-github-app.pem" = {
+      file = "${secretsPath}/clawdinator-github-app.pem.age";
+      owner = "clawdinator";
+      group = "clawdinator";
+    };
+    age.secrets."clawdinator-anthropic-api-key" = {
+      file = "${secretsPath}/clawdinator-anthropic-api-key.age";
+      owner = "clawdinator";
+      group = "clawdinator";
+    };
+    age.secrets."clawdinator-discord-token" = {
+      file = "${secretsPath}/clawdinator-discord-token.age";
+      owner = "clawdinator";
+      group = "clawdinator";
+    };
+
+    services.clawdinator = {
+      enable = true;
+      instanceName = "CLAWDINATOR-1";
+      memoryDir = "/memory";
+      memoryEfs = {
+        enable = true;
+        fileSystemId = "fs-0e7920726c2965a88";
+        region = "eu-central-1";
+        mountPoint = "/memory";
+      };
+      repoSeeds = [
+        {
+          name = "clawdbot";
+          url = "https://github.com/clawdbot/clawdbot.git";
+        }
+        {
+          name = "nix-clawdbot";
+          url = "https://github.com/clawdbot/nix-clawdbot.git";
+        }
+        {
+          name = "clawdinators";
+          url = "https://github.com/clawdbot/clawdinators.git";
+        }
+        {
+          name = "clawdhub";
+          url = "https://github.com/clawdbot/clawdhub.git";
+        }
+        {
+          name = "nix-steipete-tools";
+          url = "https://github.com/clawdbot/nix-steipete-tools.git";
+        }
+      ];
+
+      config = {
+        gateway.mode = "local";
+        agent.workspace = "/var/lib/clawd/workspace";
+        agent.maxConcurrent = 4;
+        agent.skipBootstrap = true;
+        logging = {
+          level = "info";
+          file = "/var/lib/clawd/logs/clawdbot.log";
+        };
+        session.sendPolicy = {
+          default = "allow";
+          rules = [
+            {
+              action = "deny";
+              match.keyPrefix = "agent:main:discord:channel:1458138963067011176";
+            }
+            {
+              action = "deny";
+              match.keyPrefix = "agent:main:discord:channel:1458141495701012561";
+            }
+          ];
+        };
+        routing.queue = {
+          mode = "interrupt";
+          bySurface = {
+            discord = "queue";
+            telegram = "interrupt";
+            whatsapp = "interrupt";
+            webchat = "queue";
+          };
+        };
+        identity.name = "CLAWDINATOR-1";
+        skills.allowBundled = [ "github" "clawdhub" ];
+        discord = {
+          enabled = true;
+          dm.enabled = false;
+          guilds = {
+            "1456350064065904867" = {
+              requireMention = false;
+              channels = {
+                # #clawdinators-test
+                "1458426982579830908" = {
+                  allow = true;
+                  requireMention = false;
+                  autoReply = true;
+                };
+                # #clawdributors-test (lurk only; replies denied via sendPolicy)
+                "1458138963067011176" = {
+                  allow = true;
+                  requireMention = false;
+                };
+                # #clawdributors (lurk only; replies denied via sendPolicy)
+                "1458141495701012561" = {
+                  allow = true;
+                  requireMention = false;
+                };
+              };
+            };
+          };
+        };
+      };
+
+      anthropicApiKeyFile = "/run/agenix/clawdinator-anthropic-api-key";
+      discordTokenFile = "/run/agenix/clawdinator-discord-token";
+
+      githubApp = {
+        enable = true;
+        appId = "2607181";
+        installationId = "102951645";
+        privateKeyFile = "/run/agenix/clawdinator-github-app.pem";
+        schedule = "hourly";
+      };
+
+      selfUpdate.enable = true;
+      selfUpdate.flakePath = "/var/lib/clawd/repo";
+      selfUpdate.flakeHost = "clawdinator-1";
+    };
+  };
+}

nix/hosts/clawdinator-1-image.nix

@@ -3,6 +3,8 @@
   imports = [
     (modulesPath + "/virtualisation/ec2-data.nix")
     (modulesPath + "/virtualisation/amazon-init.nix")
+    ../modules/clawdinator.nix
+    ./clawdinator-1-common.nix
   ];
 
   networking.hostName = "clawdinator-1";
@@ -27,4 +29,6 @@
   users.users.root.openssh.authorizedKeys.keys = [
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLItFT3SVm5r7gELrfRRJxh6V2sf/BIx7HKXt6oVWpB"
   ];
+
+  clawdinator.secretsPath = ../age-secrets;
 }

nix/hosts/clawdinator-1.nix

@@ -3,6 +3,7 @@
   imports = [
     (modulesPath + "/virtualisation/amazon-image.nix")
     ../modules/clawdinator.nix
+    ./clawdinator-1-common.nix
   ];
 
   networking.hostName = "clawdinator-1";
@@ -20,131 +21,5 @@
 
   networking.firewall.allowedTCPPorts = [ 22 18789 ];
 
-  age.identityPaths = [ "/etc/agenix/keys/clawdinator.agekey" ];
-  age.secrets."clawdinator-github-app.pem" = {
-    file = "/var/lib/clawd/nix-secrets/clawdinator-github-app.pem.age";
-    owner = "clawdinator";
-    group = "clawdinator";
-  };
-  age.secrets."clawdinator-anthropic-api-key" = {
-    file = "/var/lib/clawd/nix-secrets/clawdinator-anthropic-api-key.age";
-    owner = "clawdinator";
-    group = "clawdinator";
-  };
-  age.secrets."clawdinator-discord-token" = {
-    file = "/var/lib/clawd/nix-secrets/clawdinator-discord-token.age";
-    owner = "clawdinator";
-    group = "clawdinator";
-  };
-
-  services.clawdinator = {
-    enable = true;
-    instanceName = "CLAWDINATOR-1";
-    memoryDir = "/memory";
-    memoryEfs = {
-      enable = true;
-      fileSystemId = "fs-0e7920726c2965a88";
-      region = "eu-central-1";
-      mountPoint = "/memory";
-    };
-    repoSeeds = [
-      {
-        name = "clawdbot";
-        url = "https://github.com/clawdbot/clawdbot.git";
-      }
-      {
-        name = "nix-clawdbot";
-        url = "https://github.com/clawdbot/nix-clawdbot.git";
-      }
-      {
-        name = "clawdinators";
-        url = "https://github.com/clawdbot/clawdinators.git";
-      }
-      {
-        name = "clawdhub";
-        url = "https://github.com/clawdbot/clawdhub.git";
-      }
-      {
-        name = "nix-steipete-tools";
-        url = "https://github.com/clawdbot/nix-steipete-tools.git";
-      }
-    ];
-
-    config = {
-      gateway.mode = "local";
-      agent.workspace = "/var/lib/clawd/workspace";
-      agent.maxConcurrent = 4;
-      agent.skipBootstrap = true;
-      logging = {
-        level = "info";
-        file = "/var/lib/clawd/logs/clawdbot.log";
-      };
-      session.sendPolicy = {
-        default = "allow";
-        rules = [
-          {
-            action = "deny";
-            match.keyPrefix = "agent:main:discord:channel:1458138963067011176";
-          }
-          {
-            action = "deny";
-            match.keyPrefix = "agent:main:discord:channel:1458141495701012561";
-          }
-        ];
-      };
-      routing.queue = {
-        mode = "interrupt";
-        bySurface = {
-          discord = "queue";
-          telegram = "interrupt";
-          whatsapp = "interrupt";
-          webchat = "queue";
-        };
-      };
-      identity.name = "CLAWDINATOR-1";
-      skills.allowBundled = [ "github" "clawdhub" ];
-      discord = {
-        enabled = true;
-        dm.enabled = false;
-        guilds = {
-          "1456350064065904867" = {
-            requireMention = false;
-            channels = {
-              # #clawdinators-test
-              "1458426982579830908" = {
-                allow = true;
-                requireMention = false;
-                autoReply = true;
-              };
-              # #clawdributors-test (lurk only; replies denied via sendPolicy)
-              "1458138963067011176" = {
-                allow = true;
-                requireMention = false;
-              };
-              # #clawdributors (lurk only; replies denied via sendPolicy)
-              "1458141495701012561" = {
-                allow = true;
-                requireMention = false;
-              };
-            };
-          };
-        };
-      };
-    };
-
-    anthropicApiKeyFile = "/run/agenix/clawdinator-anthropic-api-key";
-    discordTokenFile = "/run/agenix/clawdinator-discord-token";
-
-    githubApp = {
-      enable = true;
-      appId = "2607181";
-      installationId = "102951645";
-      privateKeyFile = "/run/agenix/clawdinator-github-app.pem";
-      schedule = "hourly";
-    };
-
-    selfUpdate.enable = true;
-    selfUpdate.flakePath = "/var/lib/clawd/repo";
-    selfUpdate.flakeHost = "clawdinator-1";
-  };
+  clawdinator.secretsPath = "/var/lib/clawd/nix-secrets";
 }