Fix freeze

.sops.yaml

@@ -3,6 +3,7 @@ keys:
   - &muho age1v4s4hg7u3vjjkarvrk7v6ev7w3wja2r5xm7f4t06culw3fuq7qns8sfju7
   - &mups age1n7qz2w3hkf7fcdv92kxw9k6uef487na2tlc87486rcjwj8lyfuws5q46gn
   - &murk age1mgjhkqy9x27gv2t2xvq46dxcajkr9c8zes7rr3dj0ac7md2j6vas43dftp
+  - &musk age1m97a3eptxwpdd7h5kkqe9gkmhg6rquc64qjmlsfqfhfqv8q72crqrylhgc
 
 creation_rules:
   - path_regex: modules/nixos/sops/secrets.ya?ml$
@@ -12,6 +13,7 @@ creation_rules:
       - *muho
       - *mups
       - *murk
+      - *musk
 
   - path_regex: modules/home/sops/secrets.ya?ml$
     key_groups:
@@ -20,3 +22,4 @@ creation_rules:
       - *muho
       - *mups
       - *murk
+      - *musk

modules/home/sops/default.nix

@@ -17,5 +17,7 @@ in
       secrets.atuin-auth = {};
       secrets.hr-password = {};
       secrets.sops-key = {};
+      secrets.google-db-test = {};
+      secrets.google-db-prod = {};
     };
   }

modules/home/sops/secrets.yaml

@@ -2,6 +2,8 @@ zipline-auth: ENC[AES256_GCM,data:RkJI6GuH7RzdcSlKn32gMGojjB6rkdDcnNUvsi/BTfJk2s
 atuin-auth: ENC[AES256_GCM,data:LDkiXWIwxor8Ro383gonJCyqu+nyxS7DrI2J8uo4Cqu2X61rBUlnpNR6YirUZS/lYAnWYJhZM7sR0G7ZNh9EgQ==,iv:UEs2KW8ImMnaQrSLrIGbVXEq86QiVPAPNIXBZpa3jFI=,tag:N0rhnPbasFzkoI3CJ9CV+Q==,type:str]
 hr-password: ENC[AES256_GCM,data:QZuzAnTJ2KgPnffHvdCWrJEM5d/FXxhX3dA1,iv:FgDw6aXDY0jCpJiYc9WOobR96TXNtnvN7neJu8drxMM=,tag:YT82wryVy3V+41w0YbMOrA==,type:str]
 sops-key: ENC[AES256_GCM,data:msX0EJqJauteOBICUsLcVgqNxqGcqvD+Xi/B2EhUX2OAoyBH5oDae8XWlQCi2RdOm4NtnrSTnG8FRQXfkXO+tne0VEfYTCjeVtU=,iv:qxpvofr56Ey17xcPpju/mQgiz+0cOYED5caAHs3myXw=,tag:oDFXh0rlc0tmV2IUJ1ezBQ==,type:str]
+google-db-test: ENC[AES256_GCM,data:ZMm/BF/k+XnZZkHMDSV/fk3ds0LAOHAmag==,iv:tmfJ7ju5yAO6Oco3jXYNyqzJr7cgshyd/SkjfYnEl6U=,tag:jMD2N6TsgbRwefhJ/XYhtg==,type:str]
+google-db-prod: ENC[AES256_GCM,data:fIPL9XKk9sAmpVsQBubSVbh3DlEEKadG9g==,iv:R34zkCIUDlk5/wg8eU8RZIanGayL+nX+7ZhyVmbcQC0=,tag:lu24b28742O46fjUaw2UBA==,type:str]
 sops:
     age:
         - recipient: age1m97a3eptxwpdd7h5kkqe9gkmhg6rquc64qjmlsfqfhfqv8q72crqrylhgc
@@ -40,7 +42,7 @@ sops:
             a0V1N2VjUDE4Z3R5MGxMQVNmOVp0bVUK9cppJW33tKFOSvbIn/2Dga8k7/McaTpK
             m7M+83guMzNoOlpJ/WYU1BaePcM974AgjVR0WD/v+xGBvGKubKHqtw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-08-04T07:58:56Z"
-    mac: ENC[AES256_GCM,data:aJw3KK4GMj5/Q06v1C5rdSerdO21cNxpTIJYoxmfhBKudzD7lSL6l+d47kWoB0U4J5jtbs9obWz2MH3CvyPBapjJaSFnYEXk1JuGihf8GK3QrqLAt+dmF2ZD1FBLpQELripueneyHkzT32180hpXGnppNlgOuATlIMSPosvlpVI=,iv:SpGAyTqqbpuxcLkMq7VnLQUoR6oW0ERgnyPaqVHpaN8=,tag:OSNGT8/5E+PRhoR8dIyaSA==,type:str]
+    lastmodified: "2026-01-21T14:37:21Z"
+    mac: ENC[AES256_GCM,data:bxr3U1Ig0qjuOcxHeOlOrXO0xtZs0vKTuXn8GE1dJGCFDjVgakbIwiW6+2WNYUbIpipCAwdecgb0jBngwt3zKGS4PMzapUXxl7RoCr5DWCh6kSD4CCUH4v8guuy0k8SMQXDO3CdbUd/5/asIPfxlvEESCQL54X2OJlt5xpE7PsU=,iv:m/lrHHFYXFKCVEOK462II8bcFvw7k4rKEuMOHHmzT/8=,tag:jgEQso2bAShLJERsOHhrKw==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.11.0

modules/home/terminal/hr/default.nix

@@ -6,11 +6,53 @@
 }: let
   cfg = config.mods.terminal;
 
-  hr = pkgs.writeShellScriptBin "hr" (builtins.readFile ./hr.sh);
+  test-port = "5436";
+  prod-port = "5437";
 in {
   options.mods.terminal.hr.enable = lib.mkEnableOption "Hefring (Work Tooling)";
 
   config = lib.mkIf cfg.hr.enable {
-    home.packages = [hr];
+    programs.starship.settings.custom.project_id = {
+      command = "if echo \"$PROJECT_ID\" | grep -q \"prod\"; then printf \"\\033[1;33m \\033[1;34m$PROJECT_ID\\033[0m\"; else printf \"\\033[1;34m$PROJECT_ID\\033[0m\"; fi";
+      when = "test -n \"$PROJECT_ID\"";
+      format = "on $output ";
+    };
+
+    programs.zsh.initExtra =
+      ''
+        export MK2_TEST_SQL_INSTANCE_USER=gijs
+        export MK2_TEST_SQL_INSTANCE_PASSWORD="$(cat ${config.sops.secrets.google-db-test.path})"
+        export MK2_TEST_SQL_INSTANCE_PORT=${test-port}
+        export MK2_TEST_SQL_INSTANCE_HOST=localhost
+        export MK2_PROD_SQL_INSTANCE_USER=gijs
+        export MK2_PROD_SQL_INSTANCE_PASSWORD="$(cat ${config.sops.secrets.google-db-prod.path})"
+        export MK2_PROD_SQL_INSTANCE_HOST=localhost
+        export MK2_PROD_SQL_INSTANCE_PORT=${prod-port}
+      ''
+      + builtins.readFile ./hr.sh;
+
+    systemd.user.services = let
+      proxy-service = name: port: {
+        "google-db-proxy-${name}" = {
+          Unit = {
+            Description = "Google Cloud SQL Proxy (${name})";
+            After = ["network.target"];
+          };
+          Service = {
+            Type = "simple";
+            Environment = [
+              "GOOGLE_APPLICATION_CREDENTIALS=${config.home.homeDirectory}/.config/gcloud/application_default_credentials.json"
+            ];
+            ExecStart = "${pkgs.google-cloud-sql-proxy}/bin/cloud-sql-proxy mk2-${name}:europe-west1:mk2-${name}-sql-instance -p ${port}";
+            Restart = "always";
+          };
+          Install = {
+            WantedBy = ["default.target"];
+          };
+        };
+      };
+    in
+proxy-service "test" test-port
+       // proxy-service "prod" prod-port;
   };
 }

modules/home/terminal/hr/hr.sh

@@ -1,8 +1,19 @@
-#!/usr/bin/env bash
+# Set default PROJECT_ID if not already set
+if [[ -z "$PROJECT_ID" ]]; then
+  export PROJECT_ID="mk2-test"
+fi
 
-set -e
+_hr_usage() {
+  echo "Usage: hr <command>"
+  echo "Commands:"
+  echo "  switch    Switch PROJECT_ID between mk2-test and mk2-prod"
+  echo "  call      Call a Cloud Run service route"
+  echo "  cf        Call a Cloud Function"
+  echo "  init py   Initialize a python devenv environment (git-ignored)"
+  echo "  freeze    Freeze dependencies to requirements.txt"
+}
 
-if [ "$1" = "py" ] && [ "$2" = "init" ]; then
+_hr_init_py() {
   echo "Initializing python devenv..."
 
   # 1. Init devenv
@@ -15,7 +26,7 @@ if [ "$1" = "py" ] && [ "$2" = "init" ]; then
     echo "Direnv allowed"
   else
     echo "Error: devenv not found in path."
-    exit 1
+    return 1
   fi
 
   if [ -f .gitignore.bak ]; then
@@ -91,11 +102,209 @@ EOF
     echo "Direnv allowed"
   else
     echo "Error: direnv not found in path."
-    exit 1
+    return 1
+  fi
+}
+
+_hr_freeze() {
+  local extra_index_url="https://europe-west1-python.pkg.dev/mk2-prod/python-packages/simple/"
+
+  # Install the auth plugin and keyring CLI
+  uv pip install keyrings.google-artifactregistry-auth==1.1.2 keyring
+
+  # Install project dependencies using the subprocess keyring provider
+  uv pip install --no-cache -e ".[test]" --extra-index-url "${extra_index_url}" --keyring-provider subprocess
+
+  # Generate requirements.txt
+  echo "--extra-index-url ${extra_index_url}" >requirements.txt
+  uv pip freeze --exclude-editable >>requirements.txt
+}
+
+_hr_add_json_field() {
+  local json="$1"
+  local key="$2"
+  local value="$3"
+  local jq_opt="--arg"
+
+  # Check if explicit boolean
+  if [[ "$value" == "true" || "$value" == "false" ]]; then
+    jq_opt="--argjson"
+  # Check if number (integer or float, no leading zeros unless just 0)
+  elif [[ "$value" =~ ^-?(0|[1-9][0-9]*)(\.[0-9]+)?$ ]]; then
+    jq_opt="--argjson"
+  # Check if object or array
+  elif [[ "$value" == "["* || "$value" == "{"* ]]; then
+    if echo "$value" | jq empty >/dev/null 2>&1; then
+      jq_opt="--argjson"
+    else
+      # Warn to stderr, but proceed as string
+      echo "Warning: Value for '$key' looks like JSON but is invalid. Treating as string." >&2
+    fi
   fi
 
-else
-  echo "Usage: hr py init"
-  echo "  py init   Initialize a python devenv environment (git-ignored)"
-  exit 1
-fi
+  # Apply the value at the path defined by the key (dot-notation supported)
+  # paths like items.0.id are converted to ["items", 0, "id"]
+  echo "$json" | jq --arg k "$key" $jq_opt v "$value" \
+    'setpath($k | split(".") | map(if test("^[0-9]+$") then tonumber else . end); $v)'
+}
+
+_hr_call() {
+  local route_arg="$1"
+  shift
+
+  if [[ -z "$route_arg" ]]; then
+    echo "Usage: hr call <route-name>[/path] <options>"
+    return 1
+  fi
+
+  local service_name
+  local url_path
+
+  if [[ "$route_arg" == */* ]]; then
+    service_name="${route_arg%%/*}"
+    url_path="/${route_arg#*/}"
+  else
+    service_name="$route_arg"
+    url_path=""
+  fi
+
+  local project_number
+  if [[ "$PROJECT_ID" == "mk2-prod" ]]; then
+    project_number="1013087376822"
+  else
+    project_number="322048751601"
+  fi
+
+  if ! command -v jq >/dev/null; then
+    echo "Error: jq is required but not installed."
+    return 1
+  fi
+
+  local json_payload="{}"
+
+  while [[ $# -gt 0 ]]; do
+    if [[ "$1" == -* ]]; then
+      local key="${1#-}"
+      if [[ -z "$2" || "$2" == -* ]]; then
+        echo "Error: Missing value for option $key"
+        return 1
+      fi
+      local value="$2"
+
+      json_payload=$(_hr_add_json_field "$json_payload" "$key" "$value")
+      shift 2
+    else
+      echo "Error: Unexpected argument '$1'"
+      return 1
+    fi
+  done
+
+  local url="https://${service_name}-${project_number}.europe-west1.run.app${url_path}"
+
+  echo "Calling $url..."
+  echo "$json_payload"
+
+  curl "$url" \
+    -H "Authorization: bearer $(gcloud auth print-identity-token)" \
+    -H "Content-Type: application/json" \
+    -d "$json_payload"
+}
+
+_hr_cf() {
+  local function_name="$1"
+  shift
+
+  if [[ -z "$function_name" ]]; then
+    echo "Usage: hr cf <function-name> <options>"
+    return 1
+  fi
+
+  if ! command -v jq >/dev/null; then
+    echo "Error: jq is required but not installed."
+    return 1
+  fi
+
+  local json_payload="{}"
+
+  while [[ $# -gt 0 ]]; do
+    if [[ "$1" == -* ]]; then
+      local key="${1#-}"
+      if [[ -z "$2" || "$2" == -* ]]; then
+        echo "Error: Missing value for option $key"
+        return 1
+      fi
+      local value="$2"
+
+      json_payload=$(_hr_add_json_field "$json_payload" "$key" "$value")
+      shift 2
+    else
+      echo "Error: Unexpected argument '$1'"
+      return 1
+    fi
+  done
+
+  local url="https://europe-west1-${PROJECT_ID}.cloudfunctions.net/${function_name}"
+
+  echo "Calling $url..."
+  echo "$json_payload"
+
+  curl "$url" \
+    -H "Authorization: bearer $(gcloud auth print-identity-token)" \
+    -H "Content-Type: application/json" \
+    -d "$json_payload"
+}
+
+hr() {
+  if [[ $# -eq 0 ]]; then
+    _hr_usage
+    return 1
+  fi
+
+  local command="$1"
+  shift
+
+  if [[ "$command" == "switch" ]]; then
+    if [[ -z "$1" ]]; then
+      # Toggle between test and prod
+      if [[ "$PROJECT_ID" == "mk2-test" ]]; then
+        export PROJECT_ID="mk2-prod"
+        echo "Switched PROJECT_ID to mk2-prod"
+      else
+        export PROJECT_ID="mk2-test"
+        echo "Switched PROJECT_ID to mk2-test"
+      fi
+    elif [[ "$1" == "test" ]]; then
+      export PROJECT_ID="mk2-test"
+      echo "Set PROJECT_ID to mk2-test"
+    elif [[ "$1" == "prod" ]]; then
+      export PROJECT_ID="mk2-prod"
+      echo "Set PROJECT_ID to mk2-prod"
+    else
+      echo "Usage: hr switch [test|prod]"
+      return 1
+    fi
+    return 0
+  fi
+
+  # Run original logic in a subshell to preserve set -e behavior without affecting current shell
+  (
+    set -e
+    # Restore arguments for processing
+    set -- "$command" "$@"
+
+    if [ "$1" = "init" ] && [ "$2" = "py" ]; then
+      _hr_init_py
+    elif [ "$1" = "freeze" ]; then
+      _hr_freeze
+    elif [ "$1" = "call" ]; then
+      shift
+      _hr_call "$@"
+    elif [ "$1" = "cf" ]; then
+      shift
+      _hr_cf "$@"
+    else
+      _hr_usage
+      exit 1
+    fi
+  )
+}