Update dotfiles/.local/share/chezmoi/home/.chezmoiscripts/_universal/run_onchange_before_91-configure-gpg.tmpl, dotfiles/.local/share/chezmoi/home/.chezmoiscripts/darwin/run_onchange_before_10_install-darwin-dependencies.tmpl, dotfiles/.local/share/chezmoi/home/.chezmoi.yaml.tmpl, dotfiles/.local/share/chezmoi/home/.chezmoiscripts/_universal/run_once_before_decrypt-age-key.tmpl, dotfiles/.local/share/chezmoi/home/.chezmoiignore, dotfiles/.local/share/chezmoi/home/chezmoi.txt.age

This commit is contained in:
Brian Zalewski 2022-11-28 03:44:11 +00:00
parent 908fb72da9
commit 263720fd94
6 changed files with 35 additions and 17 deletions


@ -118,7 +118,10 @@
{{- writeToStdout "Chezmoi is running in headless environment.\n" -}}
{{- end -}}
encryption: "gpg"
encryption = "age"
age:
identity = "{{ .chezmoi.homeDir }}/.config/age/chezmoi.txt"
recipient = "age1necy24c4lzxheey4p2m8v4q000n442wyv47qc640ulyxx9l8dpesdqv7ey"
gpg:
recipient: "{{ $gpgKeyId }}"
data:
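Review bot: The new age block, as rendered here, uses TOML-style assignments — `encryption = "age"`, `identity = ...`, `recipient = ...` — inside a file that `.chezmoi.yaml.tmpl` renders as YAML, where a mapping entry needs `key: value`; if these lines are not commented out in the source, the rendered config will not parse and chezmoi stops before any decryption happens. They should read `encryption: "age"`, `identity: "{{ .chezmoi.homeDir }}/.config/age/chezmoi.txt"` and `recipient: "age1necy24c4lzxheey4p2m8v4q000n442wyv47qc640ulyxx9l8dpesdqv7ey"`, with the last two nested under `age:`. Indentation is lost in this rendering, so the nesting is worth confirming as well, and the retained `gpg:`/`recipient:` block is unused once `encryption` is `age`.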


@ -1,4 +1,4 @@
key.txt.age
chezmoi.txt.age
.chezmoiscripts/**/*
!.chezmoiscripts/{{ .host.distro.id }}/**/*


@ -0,0 +1,9 @@
#!/bin/sh
XDG_CONFIG_HOME="$HOME/.config"
if [ ! -f "${XDG_CONFIG_HOME}/age/chezmoi.txt" ]; then
mkdir -p "${XDG_CONFIG_HOME}/age"
age --decrypt --output "${XDG_CONFIG_HOME}/age/chezmoi.txt" "{{ .chezmoi.sourceDir }}/chezmoi.txt.age"
chmod 600 "${XDG_CONFIG_HOME}/age/chezmoi.txt"
fi
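Review bot: The decrypted age identity is written by `age --decrypt --output` and only afterwards tightened by `chmod 600`, so it briefly exists with whatever mode age and the default umask grant, and the `age` directory created by `mkdir -p` keeps its default mode. Adding `umask 077` on its own line after the shebang makes the directory and file restricted from creation, with the `chmod` kept as a second layer. The script also never checks age's exit status: if `age` is missing or the passphrase is wrong, `chmod` runs on a nonexistent file and the script's result is whatever `chmod` reports; an explicit `if ! age --decrypt --output "${XDG_CONFIG_HOME}/age/chezmoi.txt" "{{ .chezmoi.sourceDir }}/chezmoi.txt.age"; then exit 1; fi` (or `set -e` at the top) makes the failure unambiguous to chezmoi.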


@ -3,23 +3,29 @@
{{- includeTemplate "universal/profile" }}
{{- includeTemplate "universal/logg" }}
KEYID={{ .user.gpg.id }}
KEYID="{{ .user.gpg.id }}"
if command -v gpg > /dev/null; then
if [ -d "$HOME/.gnupg" ]; then
logg 'Backing up the current ~/.gnupg to ~/.gnupg.bak'
cp -rf "$HOME/.gnupg" "$HOME/.gnupg.bak"
if [ -n "$KEYID" ] && command -v gpg > /dev/null; then
if [ ! -d "$HOME/.gnupg" ]; then
mkdir "$HOME/.gnupg"
fi
if [ ! -f "$HOME/.gnupg/gpg.conf ]; then
chown -R "$(whoami)" "$HOME/.gnupg/"
find "$HOME/.gnupg" -type f -exec chmod 600 {} \;
find "$HOME/.gnupg" -type d -exec chmod 700 {} \;
if [ ! -f "$HOME/.gnupg/gpg.conf" ]; then
logg 'Downloading hardened gpg.conf file to ~/.gpnupg/gpg.conf'
mkdir -p "$HOME/.gnupg
curl -sSL {{ .config.gpg }} > "$HOME/.gnupg/gpg.conf"
chmod 600 "$HOME/.gnupg/gpg.conf
curl -sSL "{{ .config.gpg }}" > "$HOME/.gnupg/gpg.conf"
chmod 600 "$HOME/.gnupg/gpg.conf"
fi
logg 'Attempting to download the specified public GPG key ({{ .user.gpg.id }}) from public keyservers'
KEYID_TRIMMED="$(echo "$KEYID" | sed 's/^0x//')"
if ! gpg --list-secret-keys --keyid-format=long | grep "$KEYID_TRIMMED" > /dev/null; then
logg info 'Attempting to download the specified public GPG key (`{{ .user.gpg.id }}`) from public keyservers'
gpg --recv "$KEYID"
logg 'Automatically setting the trust of the public GPG key to maximum'
else
logg info 'Key is already in keyring'
fi
logg 'Ensuring the trust of the provided public GPG key is set to maximum'
echo -e "trust\n5\ny" | gpg --command-fd 0 --edit-key "$KEYID"
else
logg warn '`gpg` is unavailable in the PATH'
logg warn '`gpg` appears to be unavailable. Is it installed and on the PATH?'
fi
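Review bot: The `gpg.conf` download at `curl -sSL "{{ .config.gpg }}" > "$HOME/.gnupg/gpg.conf"` has no `-f`, so an HTTP error body or a truncated transfer is written into `gpg.conf`, and because the surrounding `if [ ! -f ... ]` only tests for the file's existence, that broken file is never replaced on later runs. Fetching into a temporary file and moving it into place only when curl succeeds keeps a bad response out of the file GnuPG reads on every invocation, as sketched below; since this file governs all later `gpg` behaviour, verifying it against a checksum kept next to the template would be the stronger control. Separately, `gpg --list-secret-keys --keyid-format=long | grep "$KEYID_TRIMMED"` checks the secret keyring while `gpg --recv` imports a public key, so on a host that holds only the public key the keyserver fetch repeats on every run; `gpg --list-keys "$KEYID" > /dev/null 2>&1` tests for what the branch actually installs. The unchanged log line still says `~/.gpnupg/gpg.conf`, and the script's header (shebang, any `set -e`) sits above the hunk.
```shell
  if [ ! -f "$HOME/.gnupg/gpg.conf" ]; then
    logg 'Downloading hardened gpg.conf file to ~/.gnupg/gpg.conf'
    if curl -fsSL "{{ .config.gpg }}" -o "$HOME/.gnupg/gpg.conf.tmp"; then
      chmod 600 "$HOME/.gnupg/gpg.conf.tmp"
      mv "$HOME/.gnupg/gpg.conf.tmp" "$HOME/.gnupg/gpg.conf"
    else
      rm -f "$HOME/.gnupg/gpg.conf.tmp"
      logg warn 'Could not download gpg.conf; leaving GnuPG configuration unchanged'
    fi
  fi
  # … unchanged: key lookup, keyserver fetch and trust setting …
```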


@ -5,11 +5,11 @@
if command -v brew > /dev/null; then
logg 'Installing base dependencies for macOS using `brew bundle`'
logg info 'Dependencies: age asdf jq node go-task/tap/go-task volta yq m-cli zx'
logg info 'Dependencies: asdf jq node go-task/tap/go-task volta yq m-cli zx'
logg info 'GNU compatibility dependencies: coreutils findutils gawk gnu-getopt gnu-indent gnu-tar gnu-sed gnutls grep'
brew bundle --verbose --no-lock --file=/dev/stdin <<EOF
{{ includeTemplate "darwin/Brewfile" . }}
{{ includeTemplate "darwin/Brewfile" . -}}
EOF
else
logg error '`brew` was not found in the PATH'
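Review bot: The dependency log line now omits `age`, while this same commit adds a `run_once_before` script that calls `age` to decrypt the chezmoi identity; if `age` was also dropped from `darwin/Brewfile` (not visible in this hunk), a fresh macOS bootstrap reaches that script without the binary. Either keep `age` in the Brewfile and in this message, or have the decrypt script guard with `command -v age > /dev/null || { logg error '`age` is required to decrypt the chezmoi identity'; exit 1; }` so the failure is explicit. The `-}}` trim on the Brewfile include only removes the trailing newline before `EOF` and looks fine.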