diff --git a/dotfiles/.config/age/run_once_before_decrypt-private-key.sh.tmpl b/dotfiles/.config/age/run_once_before_decrypt-private-key.sh.tmpl
index 9173cc21..321e6f0d 100644
--- a/dotfiles/.config/age/run_once_before_decrypt-private-key.sh.tmpl
+++ b/dotfiles/.config/age/run_once_before_decrypt-private-key.sh.tmpl
@@ -7,7 +7,7 @@ fi
 if [ -f "{{ .chezmoi.sourceDir }}/key.txt.age" ]; then
 # TODO
-logg 'Decrypting'
+logg 'Decrypting age key'
 age --decrypt --output "$HOME/.config/age/key.txt" "{{ .chezmoi.sourceDir }}/key.txt.age"
 chmod 600 "$HOME/.config/age/key.txt"
 fi
diff --git a/dotfiles/.local/share/chezmoi/home/.chezmoi.yaml.tmpl b/dotfiles/.local/share/chezmoi/home/.chezmoi.yaml.tmpl
index 9c836d2c..ccb5c357 100644
--- a/dotfiles/.local/share/chezmoi/home/.chezmoi.yaml.tmpl
+++ b/dotfiles/.local/share/chezmoi/home/.chezmoi.yaml.tmpl
@@ -2,6 +2,7 @@
 {{- $email := "noreply@megabyte.space" -}}
 {{- $restricted := false -}}
 {{- $work := false -}}
+{{- $gpgKeyId := "0xF0A300E4199A1C33" -}}
 {{- $gmailAddress := "noreply@gmail.com" -}}
 {{- $gmailAddressAppPassword := "" -}}
 {{- $domain := "megabyte.space" -}}
@@ -98,6 +99,7 @@
 {{- $_ := set $toolchainsEnabled $toolchain $enabled }}
 {{- end }}
+{{- $gpgKeyId = promptStringOnce $data.user "gpgKeyId" "Public GPG key ID" $gpgKeyId -}}
 {{- $domain = promptStringOnce $data.user "domain" "Domain" $domain -}}
 {{- $timezone = promptStringOnce $data.user "timezone" "Timezone" $timezone -}}
 {{- $cloudflareUsername = promptStringOnce $data.user "cloudflareUsername" "CloudFlare E-Mail" $email -}}
@@ -117,11 +119,9 @@
 {{- writeToStdout "Chezmoi is running in headless environment.\n" -}}
 {{- end -}}
-{{- if not $headless -}}
-age:
- identity: "{{ .chezmoi.homeDir }}/.config/age/key.txt"
- recipient: "age16kxd4ljclq9ksnxvl2ee7a5xnj744kwyv04p04ka0n3rzxdpl5nsq52svl"
-{{- end }}
+encryption: gpg
+gpg:
+ recipient: "..."
 data:
 host:
 arch: "{{ .chezmoi.arch }}"
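Review bot: The default for `$gpgKeyId` is a concrete key ID (`0xF0A300E4199A1C33`) rather than an empty string, so anyone who accepts the `promptStringOnce` default gets that ID written into `.user.gpg.id`, which the new `run_onchange_before_91-configure-gpg.tmpl` script in this commit then fetches from a keyserver and assigns ultimate trust to. Defaulting to `""` and having the configure script skip an empty ID keeps the trust decision explicit per user. If the default is intentional, a template comment such as `{{- /* gpgKeyId: prompted below; default is the repo author's key, override for your own */ -}}` above the assignment should say so.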
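Review bot: `recipient: "..."` is a literal placeholder, so with `encryption: gpg` every encrypted source file fails to encrypt or decrypt until a real recipient is set; since `$gpgKeyId` is already prompted for, `recipient: "{{ $gpgKeyId }}"` is the obvious value. The removed `age:` block was guarded by `if not $headless`, whereas the new `gpg:` block is unconditional, so the headless path now also requires the recipient key to be present in the keyring. The `run_once_before_decrypt-private-key.sh.tmpl` change in this same commit still decrypts the age identity to `~/.config/age/key.txt`, which nothing references once the `age:` block is gone, so that script looks orphaned.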
@@ -147,6 +147,8 @@ data:
 name: "{{ $name }}"
 username: "{{ output "echo" "$USER" }}
 domain: "{{ $domain }}"
+ gpg:
+ id: "{{ $gpgKeyId }}"
 gmailAddress: "{{ $gmailAddress }}"
 gmailAddressAppPassword: "{{ $gmailAddressAppPassword }}"
 githubUsername: "{{ $githubUsername }}"
diff --git a/dotfiles/.local/share/chezmoi/home/.chezmoidata.yml b/dotfiles/.local/share/chezmoi/home/.chezmoidata.yml
index fe560644..2c867049 100644
--- a/dotfiles/.local/share/chezmoi/home/.chezmoidata.yml
+++ b/dotfiles/.local/share/chezmoi/home/.chezmoidata.yml
@@ -14,3 +14,5 @@ colors:
 color12:
 color13:
 color14:
+config:
+ gpg: https://raw.githubusercontent.com/drduh/config/master/gpg.conf
diff --git a/dotfiles/.local/share/chezmoi/home/.chezmoiexternal.toml b/dotfiles/.local/share/chezmoi/home/.chezmoiexternal.toml
index df38c987..9f9cb6da 100644
--- a/dotfiles/.local/share/chezmoi/home/.chezmoiexternal.toml
+++ b/dotfiles/.local/share/chezmoi/home/.chezmoiexternal.toml
@@ -87,6 +87,12 @@
 url = "https://raw.githubusercontent.com/junegunn/vim-plug/master/plug.vim"
 refreshPeriod = "{{ $refreshPeriod }}"
+### GPG
+[".gnupg/gpg.conf"]
+ type = "file"
+ url = "https://raw.githubusercontent.com/drduh/config/master/gpg.conf"
+ refreshPeriod = "{{ $refreshPeriod }}"
+
 ### Taskfiles
 [".local/src/shared-common"]
 type = "git-repo"
diff --git a/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/_universal/run_onchange_before_90-install-packages.tmpl b/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/_universal/run_onchange_before_90-install-packages.tmpl
new file mode 100644
index 00000000..8b137891
--- /dev/null
+++ b/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/_universal/run_onchange_before_90-install-packages.tmpl
@@ -0,0 +1 @@
+
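Review bot: `config.gpg` points at the `master` branch of a third-party repository, and the new `run_onchange_before_91-configure-gpg.tmpl` script curls it straight into `~/.gnupg/gpg.conf` at apply time, so whatever that branch holds on a given day becomes the local GnuPG policy with no integrity check. Pinning the URL to a commit (replace `master` in the path with a specific commit SHA) makes the fetched content reproducible and reviewable. The same file is also declared as an external for `.gnupg/gpg.conf` in `.chezmoiexternal.toml` in this commit, so the script-side download appears redundant with chezmoi's own management of that path and one of the two should go.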
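Review bot: The `.gnupg/gpg.conf` external is fetched from a mutable `master` URL and re-fetched every `refreshPeriod` with no checksum, so an upstream change silently rewrites the local GnuPG configuration. chezmoi externals accept a checksum entry, e.g. `checksum.sha256 = "<sha256 of the pinned gpg.conf>"`; paired with a commit-pinned `url`, this turns the entry into a verified, reproducible fetch. This entry overlaps with the curl download in `run_onchange_before_91-configure-gpg.tmpl`; a single mechanism should own the file.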
diff --git a/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/_universal/run_onchange_before_91-configure-gpg.tmpl b/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/_universal/run_onchange_before_91-configure-gpg.tmpl
new file mode 100644
index 00000000..4ef6f474
--- /dev/null
+++ b/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/_universal/run_onchange_before_91-configure-gpg.tmpl
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+{{- includeTemplate "universal/profile" }}
+{{- includeTemplate "universal/logg" }}
+
+KEYID={{ .user.gpg.id }}
+
+if command -v gpg > /dev/null; then
+ if [ -d "$HOME/.gnupg" ]; then
+ logg 'Backing up the current ~/.gnupg to ~/.gnupg.bak'
+ cp -rf "$HOME/.gnupg" "$HOME/.gnupg.bak"
+ fi
+ if [ ! -f "$HOME/.gnupg/gpg.conf ]; then
+ logg 'Downloading hardened gpg.conf file to ~/.gpnupg/gpg.conf'
+ mkdir -p "$HOME/.gnupg
+ curl -sSL {{ .config.gpg }} > "$HOME/.gnupg/gpg.conf"
+ chmod 600 "$HOME/.gnupg/gpg.conf
+ fi
+ logg 'Attempting to download the specified public GPG key ({{ .user.gpg.id }}) from public keyservers'
+ gpg --recv "$KEYID"
+ logg 'Automatically setting the trust of the public GPG key to maximum'
+ echo -e "trust\n5\ny" | gpg --command-fd 0 --edit-key "$KEYID"
+else
+ logg warn '`gpg` is unavailable in the PATH'
+fi
diff --git a/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/archlinux/run_onchange_before_10_install-archlinux-dependencies.tmpl b/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/archlinux/run_onchange_before_10_install-archlinux-dependencies.tmpl
index f3029b2f..3a6116d6 100644
--- a/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/archlinux/run_onchange_before_10_install-archlinux-dependencies.tmpl
+++ b/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/archlinux/run_onchange_before_10_install-archlinux-dependencies.tmpl
@@ -3,6 +3,16 @@
 {{- includeTemplate "universal/logg" }}
 {{- $packages := splitList " " (includeTemplate "universal/essential-packages" .) }}
+{{- $gpgDependencies := list
+gnupg2
+gnupg-agent
+gnupg-curl
+scdaemon
+pcscd
+-}}
+{{- if .toolchains.gpg }}
+{{- $packages = concat $packages $gpgDependencies -}}
+{{- end }}
 {{- $pyenvDependencies := list
 "base-devel"
 "openssl"
diff --git a/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/centos/run_onchange_before_10-install-centos-dependencies.tmpl b/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/centos/run_onchange_before_10-install-centos-dependencies.tmpl
index 56e7986e..cc03d181 100644
--- a/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/centos/run_onchange_before_10-install-centos-dependencies.tmpl
+++ b/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/centos/run_onchange_before_10-install-centos-dependencies.tmpl
@@ -4,6 +4,16 @@
 {{- $packages := splitList " " (includeTemplate "universal/essential-packages" .) }}
 # TODO - Add Python dependencies like in ubuntu/archlinux
+{{- $gpgDependencies := list
+gnupg2
+gnupg-agent
+gnupg-curl
+scdaemon
+pcscd
+-}}
+{{- if .toolchains.gpg }}
+{{- $packages = concat $packages $gpgDependencies -}}
+{{- end }}
 logg 'Installing common dependencies using `dnf`'
 logg info 'Dependencies: {{ $packages | sortAlpha | uniq | join " " -}}'
diff --git a/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/debian/run_onchange_before_10-install-debian-dependencies.tmpl b/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/debian/run_onchange_before_10-install-debian-dependencies.tmpl
index 4ac6ff79..bb1aa5d2 100644
--- a/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/debian/run_onchange_before_10-install-debian-dependencies.tmpl
+++ b/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/debian/run_onchange_before_10-install-debian-dependencies.tmpl
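Review bot: The items in `$gpgDependencies` are bare words (`gnupg2`, `gnupg-agent`, …) rather than quoted strings, so the Go template parser rejects them (an unquoted word inside `{{ }}` is read as a function or variable name) and the script fails to render; the existing `$pyenvDependencies` list just below shows the intended form, `"gnupg2"`, `"gnupg-agent"`, `"gnupg-curl"`, `"scdaemon"`, `"pcscd"`. The same block is added unchanged to the centos, debian, fedora, freebsd, opensuse and ubuntu dependency scripts in this commit and needs the same fix in each. Reusing one list across every distro also looks unlikely to be right — Arch and FreeBSD appear to ship GnuPG under a different package name than `gnupg2`, and `gnupg-agent`/`gnupg-curl` look like legacy Debian names — so each per-distro list should be checked against that distro's package index. `.toolchains.gpg` is new here as well; confirm a `gpg` toolchain is defined in the map built by the `$toolchainsEnabled` loop in `.chezmoi.yaml.tmpl`, otherwise the condition is never true and the packages are silently never added.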
@@ -3,6 +3,16 @@
 {{- includeTemplate "universal/logg" }}
 {{- $packages := splitList " " (includeTemplate "universal/essential-packages" .) -}}
+{{- $gpgDependencies := list
+gnupg2
+gnupg-agent
+gnupg-curl
+scdaemon
+pcscd
+-}}
+{{- if .toolchains.gpg }}
+{{- $packages = concat $packages $gpgDependencies -}}
+{{- end }}
 {{- $pyenvDependencies := list
 "make"
 "build-essential"
diff --git a/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/fedora/run_onchange_before_10-install-fedora-dependencies.tmpl b/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/fedora/run_onchange_before_10-install-fedora-dependencies.tmpl
index 56e7986e..cc03d181 100644
--- a/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/fedora/run_onchange_before_10-install-fedora-dependencies.tmpl
+++ b/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/fedora/run_onchange_before_10-install-fedora-dependencies.tmpl
@@ -4,6 +4,16 @@
 {{- $packages := splitList " " (includeTemplate "universal/essential-packages" .) }}
 # TODO - Add Python dependencies like in ubuntu/archlinux
+{{- $gpgDependencies := list
+gnupg2
+gnupg-agent
+gnupg-curl
+scdaemon
+pcscd
+-}}
+{{- if .toolchains.gpg }}
+{{- $packages = concat $packages $gpgDependencies -}}
+{{- end }}
 logg 'Installing common dependencies using `dnf`'
 logg info 'Dependencies: {{ $packages | sortAlpha | uniq | join " " -}}'
diff --git a/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/freebsd/run_onchange_before_11-install-freebsd-packages.tmpl b/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/freebsd/run_onchange_before_11-install-freebsd-packages.tmpl
index dc076295..d5751bc3 100644
--- a/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/freebsd/run_onchange_before_11-install-freebsd-packages.tmpl
+++ b/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/freebsd/run_onchange_before_11-install-freebsd-packages.tmpl
@@ -4,6 +4,16 @@
 {{- $packages := splitList " " (includeTemplate "universal/essential-packages" .) }}
 # TODO - Add Python dependencies like in ubuntu/archlinux
+{{- $gpgDependencies := list
+gnupg2
+gnupg-agent
+gnupg-curl
+scdaemon
+pcscd
+-}}
+{{- if .toolchains.gpg }}
+{{- $packages = concat $packages $gpgDependencies -}}
+{{- end }}
 logg 'Installing common dependencies using `pkg`'
 logg info 'Dependencies: {{ $packages | sortAlpha | uniq | join " " -}}'
diff --git a/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/opensuse/run_onchange_before_11-install-opensuse-software.tmpl b/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/opensuse/run_onchange_before_11-install-opensuse-software.tmpl
index 88887e78..943d306c 100644
--- a/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/opensuse/run_onchange_before_11-install-opensuse-software.tmpl
+++ b/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/opensuse/run_onchange_before_11-install-opensuse-software.tmpl
@@ -4,6 +4,16 @@
 {{- $packages := splitList " " (includeTemplate "universal/essential-packages" .) }}
 # TODO - Add Python dependencies like in ubuntu/archlinux
+{{- $gpgDependencies := list
+gnupg2
+gnupg-agent
+gnupg-curl
+scdaemon
+pcscd
+-}}
+{{- if .toolchains.gpg }}
+{{- $packages = concat $packages $gpgDependencies -}}
+{{- end }}
 logg 'Installing common dependencies using `zypper`'
 logg info 'Dependencies: {{ $packages | sortAlpha | uniq | join " " -}}'
diff --git a/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/ubuntu/run_onchange_before_10_install-ubuntu-dependencies.tmpl b/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/ubuntu/run_onchange_before_10_install-ubuntu-dependencies.tmpl
index 4ac6ff79..ef13699b 100644
--- a/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/ubuntu/run_onchange_before_10_install-ubuntu-dependencies.tmpl
+++ b/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/ubuntu/run_onchange_before_10_install-ubuntu-dependencies.tmpl
@@ -25,6 +25,16 @@
 {{- if .toolchains.python }}
 {{- $packages = concat $packages $pyenvDependencies -}}
 {{- end }}
+{{- $gpgDependencies := list
+gnupg2
+gnupg-agent
+gnupg-curl
+scdaemon
+pcscd
+-}}
+{{- if .toolchains.gpg }}
+{{- $packages = concat $packages $gpgDependencies -}}
+{{- end }}
 logg 'Installing common dependencies using `apt-get`'
 logg info 'Dependencies: {{ $packages | sortAlpha | uniq | join " " -}}'
diff --git a/dotfiles/.local/share/chezmoi/home/.chezmoitemplates/darwin/Brewfile b/dotfiles/.local/share/chezmoi/home/.chezmoitemplates/darwin/Brewfile
index 9b925a65..dd05ae28 100644
--- a/dotfiles/.local/share/chezmoi/home/.chezmoitemplates/darwin/Brewfile
+++ b/dotfiles/.local/share/chezmoi/home/.chezmoitemplates/darwin/Brewfile
@@ -31,6 +31,8 @@ if OS.mac?
 brew "grep"
 brew "m-cli"
 end
+# Required for GPG encryption
+brew "gnupg"
 # Required for logging (already installed but installing again so Homebrew can manage them)
 brew "glow"
 brew "gum"