Skip to content

Secret management: Claude API keys, GitLab SSH keys, PATs

Summary

The agent-roster module provisions NixOS users and generates PROMPT.md files, but does not yet handle secrets needed for agents to operate autonomously.

Requirements

  1. Claude API keys — each agent needs an ANTHROPIC_API_KEY to authenticate with Claude. Options:

    • Shared key injected via sops-nix or agenix into each agent's environment
    • Per-agent keys for usage tracking per role

  2. GitLab SSH keys — each agent needs an SSH keypair for git operations. The module should:

    • Generate or accept SSH keypairs per agent
    • Manage private keys via sops-nix or agenix

  3. GitLab access tokens (PATs) — each agent needs a personal access token for API access (glab CLI). Options:

    • Pre-provisioned tokens stored as secrets
    • Auto-generated via GitLab API on first boot (requires bootstrap credentials)

Design Considerations

  • Secrets should never be in the Nix store (use runtime injection)
  • Consider sops-nix as the primary secrets backend (already used in horizon infrastructure)
  • accessLevel from agent definition should map to GitLab permissions when provisioning

Acceptance Criteria

  • Secrets backend chosen and documented
  • Claude API key injection implemented
  • SSH key management implemented
  • GitLab PAT management implemented
  • Integration tested on earthrealm