Deploy OneCLI as credential proxy for yolo container (flakes-2aqm)

Status: Done
Type: Feature
Priority: normal

Set up OneCLI (MITM proxy) on edger host to inject API keys for agents running in the yolo Incus LXC container. Agents get placeholder keys; OneCLI injects real credentials at the network layer.

Tasks

  • Create mixins/nixos/services/onecli.nix (OCI containers + seeder service)
  • Create mixins/nixos/services/secrets/onecli-secrets.txt (sops-encrypted)
  • Modify configurations/nixos/edger/imports.nix (enable onecli)
  • Modify mixins/home/ai/tools/claude-mcp-add-context7.bash (use placeholder key)
  • Modify mixins/home/host/linux/scripts/incus/incus-launch-yolo.bash (push CA cert)

context7 Rule Fix

  • Update seeder to use per-secret config (hostPattern + headerName + valuePrefix)
  • Add CONTEXT7_API_KEY entry targeting context7.com with Authorization: Bearer injection

Proxy Auth & CA Trust Fixes

  • Use agent token (aoc_ prefix) instead of user API key (oc_ prefix) for proxy auth
  • Set /etc/onecli-proxy-auth to mode 644 so non-root users can read it
  • Append OneCLI CA to existing CA bundles (handles Nix store symlinks)
  • Add fish shell proxy config via Home Manager shellInit
  • Guard onecli-seed-secrets in mise tasks for hosts without OneCLI
  • Add verbose diagnostics to onecli-check-proxy script

Summary of Changes

Fixed three root causes preventing OneCLI proxy injection in containers:

  1. Wrong API key type — gateway expects agent tokens (aoc_), not user keys (oc_)
  2. CA trust — appended OneCLI CA directly to active CA bundles instead of using security.pki (which fails at Nix build time)
  3. Fish shell — profile.d scripts aren’t sourced by fish; moved proxy var setup to Home Manager’s programs.fish.shellInit
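The second root cause above (and the task "Append OneCLI CA to existing CA bundles (handles Nix store symlinks)") comes down to one detail: on NixOS the system CA bundle is usually a symlink into the read-only Nix store, so a plain `>>` append fails. The POSIX shell script below is an added example, not code from this repository or from OneCLI; it shows the approach described in the ticket, replacing the symlink with a regular file that holds the original bundle plus the proxy CA, and skipping the append when the certificate is already present. The function names, the `--demo` flag, and the constructed certificate bodies are all assumptions for illustration.

```shell
#!/bin/sh
# Added example: append a proxy CA to a CA bundle that may be a symlink into the
# read-only Nix store. Paths and function names are hypothetical.
set -eu

# Heuristic presence check: the first base64 line of a PEM certificate is
# specific enough to detect a previous append without needing openssl.
bundle_has_ca() {
  bundle="$1"; ca="$2"
  body=$(sed -n 2p "$ca")
  [ -n "$body" ] || return 1
  grep -qF -- "$body" "$bundle" 2>/dev/null
}

# Idempotently append $ca to $bundle. If $bundle is a symlink (e.g. into
# /nix/store), the target is read-only, so build a new regular file and
# atomically rename it over the symlink; the store path itself is untouched.
append_ca_to_bundle() {
  bundle="$1"; ca="$2"
  if bundle_has_ca "$bundle" "$ca"; then
    return 0
  fi
  if [ -L "$bundle" ]; then
    target=$(readlink -f "$bundle")
    tmp=$(mktemp "${bundle}.XXXXXX")
    cat "$target" > "$tmp"
    # Ensure the existing bundle ends with a newline before appending.
    if [ -n "$(tail -c1 "$target")" ]; then printf '\n' >> "$tmp"; fi
    cat "$ca" >> "$tmp"
    chmod 644 "$tmp"            # world-readable, like the original bundle
    mv -f "$tmp" "$bundle"      # rename(2) replaces the symlink, not its target
  else
    if [ -s "$bundle" ] && [ -n "$(tail -c1 "$bundle")" ]; then printf '\n' >> "$bundle"; fi
    cat "$ca" >> "$bundle"
  fi
}

# Constructed demo: a fake "store" bundle, a symlink to it, and a fake proxy CA.
demo() {
  d=$(mktemp -d)
  printf -- '-----BEGIN CERTIFICATE-----\nMIIAexisting\n-----END CERTIFICATE-----\n' > "$d/store-bundle.crt"
  chmod 444 "$d/store-bundle.crt"
  ln -s "$d/store-bundle.crt" "$d/ca-certificates.crt"
  printf -- '-----BEGIN CERTIFICATE-----\nMIIAonecli\n-----END CERTIFICATE-----\n' > "$d/onecli-ca.pem"
  append_ca_to_bundle "$d/ca-certificates.crt" "$d/onecli-ca.pem"
  append_ca_to_bundle "$d/ca-certificates.crt" "$d/onecli-ca.pem"   # second call is a no-op
  echo "bundle is now a regular file: $([ -L "$d/ca-certificates.crt" ] && echo no || echo yes)"
  echo "proxy CA occurrences: $(grep -c MIIAonecli "$d/ca-certificates.crt")"
  rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run with `--demo` to see the symlink replaced by a regular file containing both certificates exactly once. Because the store path is never written, a later `nixos-rebuild` can still re-create the symlink; the rebuilt system then needs the append run again, which is why the ticket performs it at runtime rather than through `security.pki`.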