Secret Inventory

All secrets are defined in lib/secret-registry.nix. Machine assignments are in lib/machine-env-matrix.nix.
See Vars and Environment for how to expose these secrets as environment variables on normal machines and inside MicroVM agents.
Secret Registry

AI & LLM Keys

| Secret | Env Var | Domain | Machines |
|---|---|---|---|
| openrouter | OPENROUTER_API_KEY | ai | emily, vanessa |
| anthropic | ANTHROPIC_API_KEY | ai | emily, vanessa |
| xiaomimimo | XIAOMIMIMO_API_KEY | ai | emily, vanessa |
| groq | GROQ_API_KEY | ai | emily, vanessa |
| xai | XAI_API_KEY | ai | emily, vanessa |
| elevenlabs | ELEVENLABS_API_KEY | ai | emily, vanessa |
| fireworks | FIREWORKS_API_KEY | ai | emily, vanessa |
| honcho-finalform | HONCHO_FINALFORM_API_KEY | ai | emily, vanessa |
| hindsight | HINDSIGHT_API_KEY | ai | emily, vanessa, lea |
| cohere | COHERE_API_KEY | ai | emily, vanessa |
| zai | ZAI_API_KEY | ai | emily, vanessa |
Developer Tools

| Secret | Env Var | Domain | Machines |
|---|---|---|---|
| opencode | OPENCODE_API_KEY | developer | emily, vanessa |
| wakatime | WAKATIME_API_KEY | developer | emily, vanessa |
| rxresume | RXRESUME_API_KEY | developer | emily |
Messaging & Bots

| Secret | Env Var | Domain | Machines |
|---|---|---|---|
| telegram | TELEGRAM_BOT_TOKEN | messaging | emily, vanessa |
| telegram-user-id | TELEGRAM_USER_ID | messaging | emily, vanessa |
| picord | PICORD_DISCORD_TOKEN | messaging | emily |
Productivity

| Secret | Env Var | Domain | Machines |
|---|---|---|---|
| obsidian | OBSIDIAN_API_KEY | productivity | emily, vanessa |
| obsidian-vault | OBSIDIAN_VAULT | productivity | emily, vanessa |
Search & APIs

| Secret | Env Var | Domain | Machines |
|---|---|---|---|
| brave | BRAVE_API_KEY | search | emily, vanessa |
| rapidapi | RAPIDAPI_API_KEY | api | emily |
Cloudflare

| Secret | Env Var | Domain | Machines |
|---|---|---|---|
| cloudflare-account-id | CLOUDFLARE_ACCOUNT_ID | cloudflare | emily, vanessa, lea |
| cloudflare-api-key | CLOUDFLARE_API_KEY | cloudflare | emily |
Email (no env var — used by password commands)

| Secret | Domain | Kind |
|---|---|---|
| gmail | password | |
| icloud | password | |
Machine → Secret Distribution

```mermaid
graph LR
  subgraph Secrets
    AI[AI Keys]
    DEV[Developer Tools]
    MSG[Messaging]
    PROD[Productivity]
    CF[Cloudflare]
    SVC[Service Tokens]
  end
  subgraph Machines
    E[emily]
    V[vanessa]
    L[lea]
  end
  AI --> E
  AI --> V
  DEV --> E
  DEV --> V
  MSG --> E
  MSG --> V
  PROD --> E
  PROD --> V
  CF --> E
  CF --> V
  CF -->|account-id only| L
  SVC --> E
  AI -->|hindsight only| L
```

MicroVM Secret Forwarding

Agent VMs on vanessa receive a subset of secrets from Clan-managed paths:
| VM Secret | Source Path |
|---|---|
| OPENROUTER_API_KEY | /var/lib/clan/var/shared/openrouter-api-key/key/secret |
| ANTHROPIC_API_KEY | /var/lib/clan/var/shared/anthropic-api-key/key/secret |
| OPENCODE_API_KEY | /var/lib/clan/var/shared/opencode-api-key/key/secret |
| FIREWORKS_API_KEY | /var/lib/clan/var/shared/fireworks-api-key/key/secret |
| XAI_API_KEY | /var/lib/clan/var/shared/xai-api-key/key/secret |
| TELEGRAM_BOT_TOKEN | /var/lib/clan/var/shared/telegram-bot-token/token/secret |
| COHERE_API_KEY | /var/lib/clan/var/shared/cohere-api-key/key/secret |
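A preflight check for the host-side files in this table, as an added example rather than code from the repo or from the agent-vm-prep step. It builds the source path from the table's layout (root/generator/file/secret), and refuses a var that is missing, empty, or readable by group or world before it would be forwarded into a VM. The root directory is overridable so the check can run against a fixture; the expectation that the files are mode 0400 or 0600 is an assumption about this deployment, not something the page states.

```sh
#!/bin/sh
# Added example, not repo code: preflight the host-side Clan var files that are
# forwarded into an agent VM. Path layout follows the forwarding table on this page
# (<root>/<generator>/<file>/secret). CLAN_VAR_ROOT is overridable so the check can
# run against a fixture directory; the 0400/0600 expectation is an assumption.

CLAN_VAR_ROOT=${CLAN_VAR_ROOT:-/var/lib/clan/var/shared}

# Host source path for a shared var.
clan_var_path() {
  printf '%s/%s/%s/secret\n' "$CLAN_VAR_ROOT" "$1" "$2"
}

# Octal permission bits of a file (GNU stat first, BSD/macOS stat as fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Returns 0 if the secret exists, is non-empty and is readable by its owner only.
check_secret_file() {
  f=$(clan_var_path "$1" "$2")
  [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
  [ -s "$f" ] || { echo "empty: $f" >&2; return 1; }
  case $(file_mode "$f") in
    400|600) return 0 ;;
    *) echo "group/world readable: $f" >&2; return 1 ;;
  esac
}

# Run the check over the forwarded set from the table; returns the number of
# failing vars, so a non-zero exit blocks the forwarding step in a script.
check_forwarded_bundle() {
  fails=0
  while read -r gen file; do
    check_secret_file "$gen" "$file" || fails=$((fails + 1))
  done <<'EOF'
openrouter-api-key key
anthropic-api-key key
opencode-api-key key
fireworks-api-key key
xai-api-key key
telegram-bot-token token
cohere-api-key key
EOF
  return "$fails"
}
```

Run it on the host as the user that performs agent-vm-prep (`. ./preflight.sh && check_forwarded_bundle`); each failing var is reported on stderr with the offending path, and the exit status is the failure count.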
Secret Rotation Runbook

All secrets are Clan vars (SOPS-encrypted). The generator name is the value of `generator = "..."` in lib/secret-registry.nix; the file attr is usually key (or token / client_id / client_secret / password). Commands assume you run them from the repo root with access to the Clan admin key.

Deploy after any rotation with `just update-<machine>` (= `clan machines update <machine>`) for every machine that consumes the secret; see Machine Inventory for the machine → secret mapping. There is no `just deploy` recipe.
1. Prompted API keys / tokens (most secrets)

These are populated from an interactive prompt (mkPromptedSecret). To rotate:

```sh
# Re-enter the value interactively; this re-encrypts the var for all authorized machines.
clan vars set <machine> <generator-name>   # e.g. clan vars set vanessa deepseek-api-key
# Shared (machine-independent) secrets are stored under the shared scope; set on any one machine.
just update-vanessa   # redeploy consumers
```

To find which machines use a key, grep lib/machine-env-matrix.nix for the logical key name.
2. Auto-generated secrets (no prompt)

Secrets created by a generator script (hex/random tokens) are rotated by deleting and regenerating:

```sh
clan vars delete <machine> <generator-name>
clan vars generate <machine>   # or: just vars-generate <machine>
just update-<machine>
```

3. Email passwords
```sh
clan vars set <machine> gmail-password
clan vars set <machine> icloud-password
```

4. Multi-file generators (OAuth / Cloudflare tunnel)
Generators such as cloudflare-tunnel-creds (tunnel-id + credentials-json) or the
Google OAuth creds expose multiple files. Re-run clan vars set for the generator
and re-enter each prompted field, then redeploy the consuming machine.
5. Verify

After redeploy, confirm the consumer picked up the new value (e.g. restart the
relevant service and check it authenticates). For agent VMs, secrets re-flow from
the host bundle on the next agent-vm-prep run / VM restart (see
Agent VM & MicroVM).
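The runbook steps above (resolve the generator name from the registry, pick `clan vars set` or delete + generate by secret kind, then redeploy every consumer found in the matrix), as an added example that is not code from this repo. The registry and matrix excerpts are constructed in a hypothetical attr-set layout: mkPromptedSecret is named on this page, but mkGeneratedSecret and the field names are assumptions, so adapt the two extractor functions to the real lib/*.nix shape before use. The script only prints the commands, so it runs offline and a reviewer can read the plan before piping it to a shell.

```sh
#!/bin/sh
# Added example, not repo code: print a dry-run rotation plan for one logical secret.
# The registry/matrix excerpts are CONSTRUCTED in a hypothetical attr-set layout;
# mkPromptedSecret comes from the page, mkGeneratedSecret and the field names are
# assumptions. Adapt registry_line/consumers_of to the real lib/*.nix shape.

REGISTRY=$(cat <<'EOF'
  openrouter = mkPromptedSecret { generator = "openrouter-api-key"; file = "key"; env = "OPENROUTER_API_KEY"; domain = "ai"; };
  telegram = mkPromptedSecret { generator = "telegram-bot-token"; file = "token"; env = "TELEGRAM_BOT_TOKEN"; domain = "messaging"; };
  hindsight = mkPromptedSecret { generator = "hindsight-api-key"; file = "key"; env = "HINDSIGHT_API_KEY"; domain = "ai"; };
  vm-token = mkGeneratedSecret { generator = "vm-token"; file = "token"; env = "VM_TOKEN"; domain = "service"; };
EOF
)

MATRIX=$(cat <<'EOF'
  emily = [ "openrouter" "telegram" "hindsight" "vm-token" ];
  vanessa = [ "openrouter" "telegram" "hindsight" ];
  lea = [ "hindsight" ];
EOF
)

# Registry entry for a logical secret name (anchored so "telegram" does not match "telegram-user-id").
registry_line() {
  printf '%s\n' "$REGISTRY" | grep -E "^[[:space:]]*$1[[:space:]]*="
}

# Clan generator name, i.e. the generator = "..." value the runbook refers to.
generator_of() {
  registry_line "$1" | sed -n 's/.*generator = "\([^"]*\)".*/\1/p'
}

# prompted -> clan vars set; generated -> clan vars delete + generate.
kind_of() {
  if registry_line "$1" | grep -q mkPromptedSecret; then echo prompted; else echo generated; fi
}

# Machines whose matrix entry lists the secret, one per line, in matrix order.
consumers_of() {
  printf '%s\n' "$MATRIX" | grep -F "\"$1\"" | sed -n 's/^[[:space:]]*\([A-Za-z0-9_-]*\)[[:space:]]*=.*/\1/p'
}

# Emit the commands a rotation needs. Nothing is executed; review, then pipe into sh.
# Shared vars live under the shared scope, so setting on the first consumer is enough;
# for a per-machine var run the set step on each consumer instead.
rotation_plan() {
  gen=$(generator_of "$1")
  [ -n "$gen" ] || { echo "unknown secret: $1" >&2; return 1; }
  machines=$(consumers_of "$1")
  [ -n "$machines" ] || { echo "no consumers for $1 in the matrix" >&2; return 1; }
  first=$(printf '%s\n' "$machines" | head -n 1)
  case $(kind_of "$1") in
    prompted)  echo "clan vars set $first $gen" ;;
    generated) echo "clan vars delete $first $gen"; echo "clan vars generate $first" ;;
  esac
  for m in $machines; do echo "just update-$m"; done
}
```

Usage: `. ./rotate-plan.sh && rotation_plan hindsight` prints the set command followed by one `just update-<machine>` line per consumer (emily, vanessa, lea for the constructed matrix); a secret with no consumers or no registry entry is rejected with a non-zero exit instead of producing a partial plan.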