diff --git a/dotfiles/.local/share/chezmoi/home/.chezmoi.yaml.tmpl b/dotfiles/.local/share/chezmoi/home/.chezmoi.yaml.tmpl
index 4e54cebe..fcaf0e75 100644
--- a/dotfiles/.local/share/chezmoi/home/.chezmoi.yaml.tmpl
+++ b/dotfiles/.local/share/chezmoi/home/.chezmoi.yaml.tmpl
@@ -118,7 +118,10 @@
 {{- writeToStdout "Chezmoi is running in headless environment.\n" -}}
 {{- end -}}
 
-encryption: "gpg"
+encryption = "age"
+age:
+  identity = "{{ .chezmoi.homeDir }}/.config/age/chezmoi.txt"
+  recipient = "age1necy24c4lzxheey4p2m8v4q000n442wyv47qc640ulyxx9l8dpesdqv7ey"
 gpg:
   recipient: "{{ $gpgKeyId }}"
 data:
diff --git a/dotfiles/.local/share/chezmoi/home/.chezmoiignore b/dotfiles/.local/share/chezmoi/home/.chezmoiignore
index 5889ec10..e2db2286 100644
--- a/dotfiles/.local/share/chezmoi/home/.chezmoiignore
+++ b/dotfiles/.local/share/chezmoi/home/.chezmoiignore
@@ -1,4 +1,4 @@
-key.txt.age
+chezmoi.txt.age
 
 .chezmoiscripts/**/*
 !.chezmoiscripts/{{ .host.distro.id }}/**/*
diff --git a/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/_universal/run_once_before_decrypt-age-key.tmpl b/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/_universal/run_once_before_decrypt-age-key.tmpl
new file mode 100644
index 00000000..97f744f4
--- /dev/null
+++ b/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/_universal/run_once_before_decrypt-age-key.tmpl
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+XDG_CONFIG_HOME="$HOME/.config"
+
+if [ ! -f "${XDG_CONFIG_HOME}/age/chezmoi.txt" ]; then
+  mkdir -p "${XDG_CONFIG_HOME}/age"
+  age --decrypt --output "${XDG_CONFIG_HOME}/age/chezmoi.txt" "{{ .chezmoi.sourceDir }}/chezmoi.txt.age"
+  chmod 600 "${XDG_CONFIG_HOME}/age/chezmoi.txt"
+fi
diff --git a/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/_universal/run_onchange_before_91-configure-gpg.tmpl b/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/_universal/run_onchange_before_91-configure-gpg.tmpl
index 4ef6f474..3c2d3360 100644
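Review bot: The three added lines `encryption = "age"`, `identity = "..."` and `recipient = "..."` use TOML `key = value` syntax inside a YAML file, so chezmoi will fail to parse `.chezmoi.yaml.tmpl` (a bare `encryption = "age"` is not a valid mapping entry next to the `gpg:` mapping that follows). They should read `encryption: "age"`, `identity: "{{ .chezmoi.homeDir }}/.config/age/chezmoi.txt"` and `recipient: "age1necy24c4lzxheey4p2m8v4q000n442wyv47qc640ulyxx9l8dpesdqv7ey"`, with the two `age` sub-keys indented under `age:`. Publishing the age recipient (public key) in the repo is fine; only the identity file must stay private. The retained `gpg:` block is harmless once `encryption` points at age, but a one-line comment saying it is kept only for `$gpgKeyId` consumers elsewhere would stop the next reader from thinking it is still the encryption backend.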
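Review bot: The decrypted age identity is written by `age --decrypt --output ...` under the process umask and only tightened by the following `chmod 600`, so on a host with a permissive umask the private key is briefly world-readable, and if `age` fails or is interrupted the script continues regardless because there is no `set -e`. Add `set -eu` and `umask 077` right after the shebang so the file is created `0600` from the start and a failed decrypt aborts instead of falling through to `chmod`. It is also worth hedging that an aborted `age --decrypt` may leave an output file behind, in which case the `[ ! -f ... ]` guard would skip every later retry; a check that the file is non-empty before trusting it would be safer. Note that the darwin dependency hunk in this same commit removes `age` from the `brew bundle` list while this script calls `age` unconditionally, so macOS hosts may hit `age: command not found` here unless it is installed elsewhere.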
--- a/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/_universal/run_onchange_before_91-configure-gpg.tmpl
+++ b/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/_universal/run_onchange_before_91-configure-gpg.tmpl
@@ -3,23 +3,29 @@
 {{- includeTemplate "universal/profile" }}
 {{- includeTemplate "universal/logg" }}
 
-KEYID={{ .user.gpg.id }}
+KEYID="{{ .user.gpg.id }}"
 
-if command -v gpg > /dev/null; then
-  if [ -d "$HOME/.gnupg" ]; then
-    logg 'Backing up the current ~/.gnupg to ~/.gnupg.bak'
-    cp -rf "$HOME/.gnupg" "$HOME/.gnupg.bak"
+if [ -n "$KEYID" ] && command -v gpg > /dev/null; then
+  if [ ! -d "$HOME/.gnupg" ]; then
+    mkdir "$HOME/.gnupg"
   fi
-  if [ ! -f "$HOME/.gnupg/gpg.conf ]; then
+  chown -R "$(whoami)" "$HOME/.gnupg/"
+  find "$HOME/.gnupg" -type f -exec chmod 600 {} \;
+  find "$HOME/.gnupg" -type d -exec chmod 700 {} \;
+  if [ ! -f "$HOME/.gnupg/gpg.conf" ]; then
     logg 'Downloading hardened gpg.conf file to ~/.gpnupg/gpg.conf'
-    mkdir -p "$HOME/.gnupg
-    curl -sSL {{ .config.gpg }} > "$HOME/.gnupg/gpg.conf"
-    chmod 600 "$HOME/.gnupg/gpg.conf
+    curl -sSL "{{ .config.gpg }}" > "$HOME/.gnupg/gpg.conf"
+    chmod 600 "$HOME/.gnupg/gpg.conf"
   fi
-  logg 'Attempting to download the specified public GPG key ({{ .user.gpg.id }}) from public keyservers'
-  gpg --recv "$KEYID"
-  logg 'Automatically setting the trust of the public GPG key to maximum'
+  KEYID_TRIMMED="$(echo "$KEYID" | sed 's/^0x//')"
+  if ! gpg --list-secret-keys --keyid-format=long | grep "$KEYID_TRIMMED" > /dev/null; then
+    logg info 'Attempting to download the specified public GPG key (`{{ .user.gpg.id }}`) from public keyservers'
+    gpg --recv "$KEYID"
+  else
+    logg info 'Key is already in keyring'
+  fi
+  logg 'Ensuring the trust of the provided public GPG key is set to maximum'
   echo -e "trust\n5\ny" | gpg --command-fd 0 --edit-key "$KEYID"
 else
-  logg warn '`gpg` is unavailable in the PATH'
+  logg warn '`gpg` appears to be unavailable. Is it installed and on the PATH?'
 fi
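Review bot: The new flow still pipes `trust\n5\ny` into `gpg --edit-key "$KEYID"` immediately after `gpg --recv "$KEYID"` imports whatever the keyserver returns for that identifier, so if `.user.gpg.id` is a short or long key ID rather than a full fingerprint a colliding key could be imported and marked ultimately trusted with no verification; require a 40-hex fingerprint and confirm it before touching trust, e.g. `gpg --list-keys --with-colons "$KEYID" | grep -q "^fpr:.*:$KEYID_TRIMMED:$" || exit 1`. The presence check uses `--list-secret-keys` while `--recv` only imports a public key, so a host holding just the public key re-fetches it on every run; `--list-keys` matches what is actually imported. `curl -sSL` lacks `-f`, so an HTTP error body is written into `~/.gnupg/gpg.conf` and the `! -f` guard then preserves it indefinitely; use `curl -fsSL "{{ .config.gpg }}" > "$HOME/.gnupg/gpg.conf" || exit 1`. If this template runs under a POSIX `/bin/sh` (the shebang is outside the hunk), `echo -e` emits a literal `-e` and the trust dialogue receives the wrong first line; `printf 'trust\n5\ny\n'` is portable.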
diff --git a/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/darwin/run_onchange_before_10_install-darwin-dependencies.tmpl b/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/darwin/run_onchange_before_10_install-darwin-dependencies.tmpl
index bb75b3ef..d416464a 100644
--- a/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/darwin/run_onchange_before_10_install-darwin-dependencies.tmpl
+++ b/dotfiles/.local/share/chezmoi/home/.chezmoiscripts/darwin/run_onchange_before_10_install-darwin-dependencies.tmpl
@@ -5,11 +5,11 @@
 if command -v brew > /dev/null; then
   logg 'Installing base dependencies for macOS using `brew bundle`'
-  logg info 'Dependencies: age asdf jq node go-task/tap/go-task volta yq m-cli zx'
+  logg info 'Dependencies: asdf jq node go-task/tap/go-task volta yq m-cli zx'
   logg info 'GNU compatibility dependencies: coreutils findutils gawk gnu-getopt gnu-indent gnu-tar gnu-sed gnutls grep'
   brew bundle --verbose --no-lock --file=/dev/stdin <