From 6507310b6f2c87bffe99c535bc1be6b5a0ee0faf Mon Sep 17 00:00:00 2001
From: Buddy Sandidge
Date: Mon, 9 Dec 2024 13:18:41 -0800
Subject: [PATCH] Use encrypted files instead of bws
---
.chezmoi.toml.tmpl | 5 +++ .chezmoiignore | 5 +++ dot_config/profile/env.d/atlassian.env.tmpl | 5 --- dot_config/profile/env.d/cloudflare.env.tmpl | 6 ---- .../profile/env.d/encrypted_hellotech.env.age | 16 ++++++++++ .../profile/env.d/encrypted_openapi.env.age | 8 +++++ dot_config/profile/env.d/linear_app.env.tmpl | 5 --- dot_config/profile/env.d/openapi.env.tmpl | 5 --- dot_config/profile/env.d/pulumi.env.tmpl | 5 --- .../profile/profile.d/encrypted_trubka.sh.age | 29 +++++++++++++++++ dot_config/profile/profile.d/trubka.sh.tmpl | 32 ------------------- key.txt.age | 10 ++++++ run_once_before_decrypt-private-key.sh.tmpl | 9 ++++++ 13 files changed, 82 insertions(+), 58 deletions(-) delete mode 100644 dot_config/profile/env.d/atlassian.env.tmpl delete mode 100644 dot_config/profile/env.d/cloudflare.env.tmpl create mode 100644 dot_config/profile/env.d/encrypted_hellotech.env.age create mode 100644 dot_config/profile/env.d/encrypted_openapi.env.age delete mode 100644 dot_config/profile/env.d/linear_app.env.tmpl delete mode 100644 dot_config/profile/env.d/openapi.env.tmpl delete mode 100644 dot_config/profile/env.d/pulumi.env.tmpl create mode 100644 dot_config/profile/profile.d/encrypted_trubka.sh.age delete mode 100644 dot_config/profile/profile.d/trubka.sh.tmpl create mode 100644 key.txt.age create mode 100644 run_once_before_decrypt-private-key.sh.tmpl
diff --git a/.chezmoi.toml.tmpl b/.chezmoi.toml.tmpl
index e1d7ff1..8029113 100644
--- a/.chezmoi.toml.tmpl
+++ b/.chezmoi.toml.tmpl
@@ -3,6 +3,11 @@ {{- $include_legacy := promptBoolOnce . "include_legacy" "include old scripts [false]" -}} {{- $bws_token := promptStringOnce . "bws_token" "BitWarden Secrets Manager Access Token" -}} +encryption = "age" +[age] +identity = "{{ .chezmoi.homeDir }}/.config/chezmoi/key.txt" +recipient = "age166qk8xkvd5cx2mqfxenw0mvmg4ghv7jzg8ffr0f0dave5lwzm38qswha8c" + [data] bws_token = {{ $bws_token | quote }} development = {{ $development }}
diff --git a/.chezmoiignore b/.chezmoiignore
index 6212704..eb851ee 100644
--- a/.chezmoiignore
+++ b/.chezmoiignore
@@ -1,6 +1,11 @@
 /.idea
 /README.md
 /scripts/
+/key.txt.age
 {{- if not .include_legacy }}
 /.local/share/duck-encoder
 {{- end }}
+{{- if not .hellotech }}
+/.config/profile/env.d/hellotech.env
+/.config/profile/profile.d/trubka.sh
+{{- end }}
diff --git a/dot_config/profile/env.d/atlassian.env.tmpl b/dot_config/profile/env.d/atlassian.env.tmpl
deleted file mode 100644
index fbcc996..0000000
--- a/dot_config/profile/env.d/atlassian.env.tmpl
+++ /dev/null
@@ -1,5 +0,0 @@
-# chezmoi:template:left-delimiter=#{{
-#{{- /* vim: set filetype=sh: */ -}}
-#{{- if and .hellotech .bws_token -}}
-ATLASSIAN_TOKEN=#{{ (bitwardenSecrets "70fbcffa-2cb1-4ddf-9b1f-b18c015c9ba9" .bws_token).value }}
-#{{- end }}
diff --git a/dot_config/profile/env.d/cloudflare.env.tmpl b/dot_config/profile/env.d/cloudflare.env.tmpl
deleted file mode 100644
index dff81a9..0000000
--- a/dot_config/profile/env.d/cloudflare.env.tmpl
+++ /dev/null
@@ -1,6 +0,0 @@
-# chezmoi:template:left-delimiter=#{{
-#{{- /* vim: set filetype=sh: */ -}}
-#{{- if and .hellotech .bws_token -}}
-CLOUDFLARE_EMAIL=#{{ (bitwardenSecrets "fbc453ba-4c18-4471-82a3-b18c015e40c5" .bws_token).value }}
-CLOUDFLARE_KEY=#{{ (bitwardenSecrets "c8aff966-4232-4629-8a08-b18c015e5da8" .bws_token).value }}
-#{{- end }}
diff --git a/dot_config/profile/env.d/encrypted_hellotech.env.age b/dot_config/profile/env.d/encrypted_hellotech.env.age
new file mode 100644
index 0000000..c339221
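Review bot: The `bws_token` prompt and the `bws_token = {{ $bws_token | quote }}` entry under `[data]` survive this hunk even though every `bitwardenSecrets` template in the patch is deleted, so `chezmoi init` still asks for a Bitwarden Secrets Manager access token and writes it in plaintext into the generated chezmoi.toml with nothing left to consume it. Remove the `promptStringOnce` line and the `[data]` entry, or add a comment explaining why the token is kept during the transition. A comment on `recipient = "age1..."` naming the identity it pairs with (presumably the passphrase-wrapped `key.txt.age` added at the source root) would also help whoever rotates the key later. The template continues outside the hunk on both sides.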
--- /dev/null
+++ b/dot_config/profile/env.d/encrypted_hellotech.env.age
@@ -0,0 +1,16 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxZ3V6RUc4c1hFV1dITjdB
+elljUSt0ZUxVT0FLeWZuc05RT25DUUtvcFRZClZRVFh4bGp1eWhCYWJ0cG5MMWpB
+dUlLdzZTZHBxSXVzL1IxczI5SFdOQ2MKLS0tIHZ4N3NpS1dWZElla1ZmejNKeGxF
+dHorbHV6d1kwZ1pwRlB2ZDVCNnBxWGcK1IAjC/PhDxzizYfd2uvkmhgALMUpxdAd
+5QZke6zi6cDhHzHpg68I4p+afdKCGgtSMZ1dGrCqVlKIBkqzcjET9SJLHbmbncU+
+qXC+sjWQUXqUGS8ZOYsRiLEtYQgpqSA672lYYud/8YSJlDJfc9wekcfgZX7MQWJz
+mgcXl+WA1aqf4FVVtXp06o93hKtqIjO84oV6bEOLL0P2mLc5+GEwuvuDMQLsYlL2
+oKZamHTNRNjq2cFVZ6hqZlU7yXBk+mUKATS7SI14dQzFRi/rqSi+/t2TJ2eNU+B5
+cTBs9spaXoKUhEctMG5Riz6wM1/kYWRNlB7s3DauHV31p6pUf3rwUjT185wfdKKP
+DHIKLGx2zisXpmp2bLRnYSjHEoKYfAIZkTUZnQ0zzZJ2juJzj8cc8X3j6WlHzj7f
+KVgWZPqbDD6FsI7WNzYSop8B35zY+V0kO037Gaq5q0NUtKwkwffpOQ05tBkF1PVK
+Pwl4ZBCtsZcw+KZ243gWTgDBsqHrbDq0KuTM1e1h8t4i5KcOqv5NU4pTZrgdgvl3
+IxdwAzOKxyuQsgp46vcgF+4YC88fukjzfNpkSncARFvn1/fSIt1y8UEOyYte1TUw
+uFEDifSZwHmD
+-----END AGE ENCRYPTED FILE-----
diff --git a/dot_config/profile/env.d/encrypted_openapi.env.age b/dot_config/profile/env.d/encrypted_openapi.env.age
new file mode 100644
index 0000000..d8453a0
--- /dev/null
+++ b/dot_config/profile/env.d/encrypted_openapi.env.age
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTMlUzMEdOK0h2SlB0eG1G
+N2E2N2ZVNWN1ZVJFbGNLRm05NWtINjY0VmxnCkp6Q3NMSURsOWNlZmZKUjFJZDNX
+Zk5EU1dVa0JNNDQ0TVBYSDM0QmJFdHcKLS0tIEFxVTlyd21zQmdnbGpLeE4vOWJ4
+elVualRPSGgrb1Fub3FMRmRlaFVSYWcKWEE8MKGcsEhZshxM17468m5xlDaGH66f
+J2cbjyBRIG1wcVgpCSAPRw8Vd1wUIWJFnyFzyiwnrHcPBM+M/JNZDmadNOAyADhc
+MgqPsEeD2k1Kcro3zthL0kl4+TNEremTZ9Zx
+-----END AGE ENCRYPTED FILE-----
diff --git a/dot_config/profile/env.d/linear_app.env.tmpl b/dot_config/profile/env.d/linear_app.env.tmpl
deleted file mode 100644
index ec58d5a..0000000
--- a/dot_config/profile/env.d/linear_app.env.tmpl
+++ /dev/null
@@ -1,5 +0,0 @@
-# chezmoi:template:left-delimiter=#{{
-#{{- /* vim: set filetype=sh: */ -}}
-#{{- if and .hellotech .bws_token -}}
-LINEAR_APP_TOKEN=#{{ (bitwardenSecrets "76693d18-eeb1-4019-976d-b18c015f7048" .bws_token).value }}
-#{{- end }}
diff --git a/dot_config/profile/env.d/openapi.env.tmpl b/dot_config/profile/env.d/openapi.env.tmpl
deleted file mode 100644
index da9f18d..0000000
--- a/dot_config/profile/env.d/openapi.env.tmpl
+++ /dev/null
@@ -1,5 +0,0 @@
-# chezmoi:template:left-delimiter=#{{
-#{{- /* vim: set filetype=sh: */ -}}
-#{{- if .bws_token -}}
-OPENAI_API_KEY=#{{ (bitwardenSecrets "579bd247-2357-4817-a033-b18c0161b7f1" .bws_token).value }}
-#{{- end }}
diff --git a/dot_config/profile/env.d/pulumi.env.tmpl b/dot_config/profile/env.d/pulumi.env.tmpl
deleted file mode 100644
index ec36fbc..0000000
--- a/dot_config/profile/env.d/pulumi.env.tmpl
+++ /dev/null
@@ -1,5 +0,0 @@
-# chezmoi:template:left-delimiter=#{{
-#{{- /* vim: set filetype=sh: */ -}}
-#{{- if and .hellotech .bws_token -}}
-PULUMI_ACCESS_TOKEN=#{{ (bitwardenSecrets "4688eb1b-e889-468f-ba40-b18c01607ae8" .bws_token).value }}
-#{{- end }}
diff --git a/dot_config/profile/profile.d/encrypted_trubka.sh.age b/dot_config/profile/profile.d/encrypted_trubka.sh.age
new file mode 100644
index 0000000..4c5731c
--- /dev/null
+++ b/dot_config/profile/profile.d/encrypted_trubka.sh.age
@@ -0,0 +1,29 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByVFlFRHRvWStKMTZyOEpo
+RGIzanlLNjVpbCtYUStVUFdVbWlRYndVdEVjCk8xbGZGWUZkQmRxaW9mcWx4clk4
+VlUrRERybGViNENQOHVHcTdCckwxNW8KLS0tIDBvbUNnc3pPUjh6aVQ3R2hYS09I
+aEJWV2J5TzZDcmt3NktmY0ZiT2Z5MWsKG8kpxjFDk8/3vFyMytpxXVHZaansazav
+yJ7fAgTWFW/uCf1ktzLtaQLHMl7Jd1BuVildgTIIX7dcDNEFcLF9p4+lputdO9E1
+NjjxXv8l/srRK1KjGf5tDrtPzD0QMgm4FMtO3c8on83S2T0J79VR8SdexCUKPNbd
+/QUjm8PwMd6sv+4pEU+awEPgEagh0u4gZ858jF8Z+lwm83ZZflxEbxwyjWA70Ll8
+2XN5BwL5xKxGZ1ydAjlGL+FKhBUvQBesi4+PnXSChhkUSIHVp5ad3mk1FWMAXUAs
+moM8kxoko4R9MhXkrzh3xXcqAwvWhruW1kVz7pi9sYusTvY9r1xKZUdGybTPDNe/
+duwtxurYZecgKlFa2iUGVrzEflUNiySDWcpwnAYQ77Bm4r89SjsXrPi8QJZe0fL0
+rpl7FuqLv9+eA2S4E4ojSg7u4imy2i+gEoN+BRH1nGeWSWSIs3iwI02KsB0Q3MAo
+N4dOMlQC80FOyY/pp75JVaIdekJf+kmXBXGphCo21glHYpeUuQ4UTt8YNNUBQQVe
+IF8XvXdaqpmrXMo8DRYMEe/vthT7zKGdfhyDuKrHVcO3mz7ZSTi3oxOe3fRvrtNA
+LcmnuCnLqUEGH6YKWHtbD5bud1juyb1yg4OPQioKd/z7rSaxCxynza50CdFxUJcs
+EoD2t9wBV2qWTUtXFZen4XL7PsG2P3NxGVh3uqXemgs0MFJ7huuro/mNb9WhhgPm
+KfqbkpuOLrQWLpSuimwYi/3hksAV/Ca64Igp8ApkZjSV9GwHzmXnI6bfOWLDCeuL
+qUTulOwiN6AVsBGUH3Mek913tYa2TsWhpt/ukOOZeO5tGPBxI/v6DfU6636k/ojE
+Dd2QxfDfTWuR//sf+Aj5++SIPAzAXxk3qAA3kmhad1knBcnVUkT6yiUuFmoxy7Vi
+K72lvcCP7yiSpC87vTVeyc8pvEOJX4ruaE/1YNYpRWnGGpe8kI7yWXRSCvWMXCOK
+1C1lUXOs3Xyl+r1gQKgT/FTdYtJmXKDiqRRcDJlr1fM8GDUJ3xTMTQovYdv4B/En
+SljbSuyLL7xtB/tbQfcwH9j9loMOidrfDARlYlSxRIiMz1WIPDACTbwa55jk4s2o
+tsVj6kNsZyj41PBPayND+hbKqGlCORecRv769C+ZoEUAyc4l9HZIHMbzzsbYDV1t
+3MpIpFJtAwBCT9FFFzHDB0JDwByt1J0VWsNoBIj2gdkXIRZhjEibgIGDL9a0xA7N
+dKShV5kShaFlApu/4TfXRZQw7RMMPC7tVtrlZRJaKdymPjnR3KZ61HbC/raGlAhS
+gEwhD7HTbCQ5utxXMXVn7KcQ3AGcHzF8i0fU9dF/dLFsiN3mQD5FWdiKXdx7ItNU
+Wa+RPHMBrkJkjRkANk9I2XJjD7iwKnjccXGrP5DIz+4/oEpvLfqW0oDq2n0uWr+l
+rkCpI8bhAJxj+PuYLOaNvDHGyqfgp46XsjVFoLR5Yae51f3iwazaqQ==
+-----END AGE ENCRYPTED FILE-----
diff --git a/dot_config/profile/profile.d/trubka.sh.tmpl b/dot_config/profile/profile.d/trubka.sh.tmpl
deleted file mode 100644
index 59d0753..0000000
--- a/dot_config/profile/profile.d/trubka.sh.tmpl
+++ /dev/null
@@ -1,32 +0,0 @@
-# chezmoi:template:left-delimiter=#{{
-#{{- /* vim: set filetype=sh: */ -}}
-#{{- if and .hellotech .bws_token -}}
-
-config_trubka_buddy () {
- export TRUBKA_BROKERS=#{{ (bitwardenSecrets "9598a627-0d32-4398-98fb-b18c014b9d7d" .bws_token).value }}
- export TRUBKA_TLS=true
- export TRUBKA_PROTO_ROOT=#{{ .chezmoi.homeDir }}/hellotech/entities
- export TRUBKA_SASL_USERNAME=#{{ (bitwardenSecrets "6fc85366-d6bc-438f-a75b-b18c014c7d77" .bws_token).value }}
- export TRUBKA_SASL_PASSWORD=#{{ (bitwardenSecrets "d8153476-d170-4d86-9804-b18c014c9a7b" .bws_token).value }}
- export TRUBKA_SASL_MECHANISM=plain
-}
-
-config_trubka_dev () {
- export TRUBKA_BROKERS=#{{ (bitwardenSecrets "59d193cb-1b62-42cf-a753-b18c014cd5f6" .bws_token).value }}
- export TRUBKA_TLS=true
- export TRUBKA_PROTO_ROOT=#{{ .chezmoi.homeDir }}/hellotech/entities
- export TRUBKA_SASL_USERNAME=#{{ (bitwardenSecrets "123253f2-f720-4a56-af15-b18c014cf26b" .bws_token).value }}
- export TRUBKA_SASL_PASSWORD=#{{ (bitwardenSecrets "4cb2b59b-11ca-4cc2-a9e5-b18c014d11fd" .bws_token).value }}
- export TRUBKA_SASL_MECHANISM=plain
-}
-
-config_trubka_prod () {
- export TRUBKA_BROKERS=#{{ (bitwardenSecrets "1e295c46-34b6-4ee9-b801-b18c014d3102" .bws_token).value }}
- export TRUBKA_TLS=true
- export TRUBKA_PROTO_ROOT=#{{ .chezmoi.homeDir }}/hellotech/entities
- export TRUBKA_SASL_USERNAME=#{{ (bitwardenSecrets "9d5de1a1-796d-4208-a5a7-b18c014d4e8e" .bws_token).value }}
- export TRUBKA_SASL_PASSWORD=#{{ (bitwardenSecrets "a7c38ba6-95be-42c0-8ed8-b18c014d6acf" .bws_token).value }}
- export TRUBKA_SASL_MECHANISM=plain
-}
-
-#{{- end }}
diff --git a/key.txt.age b/key.txt.age
new file mode 100644
index 0000000..bf07297
--- /dev/null
+++ b/key.txt.age
@@ -0,0 +1,10 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNjcnlwdCBFVFQ2SE1pUWErTFdnQXJX
+UndQMjFRIDE4ClFOcDFwWDUyekRBRi8vZmxzTTRFa0wxZmNjRmhnL3BlTzFqN1p5
+VFZsdFUKLS0tIExrdG5ZUFAraUlnSEpCTnVEL3FZcGc3MzBBbXF2aFhodklOVlk5
+Zno5QnMKfWGrVFWWJvWPxoeP/tUF3ZM6sG1eFPWf97e+K9iopntaGcrvY83H+mrc
+lSdTVNplSm/Erq6u+UuAi8OeKE8G/Uf4vDXfuoww0dfbTpRDQPx+rAf3/kMVlgPt
+qvyhZzjaNeHV3+LKOlH9DnOGxr9an+zbndfOOid3f0YWSyVk41B04RGOdZe2w+3D
+ZUxon0+4lYzBv5snj6QVmdLqZPUiTWFpenXSwafr6LoYG51D8HEYsm53eJ7ZPq12
+oBIa+inji8v+B6zqIkKklF9qYGbub9SrwSyN9FKzrRmmbR0=
+-----END AGE ENCRYPTED FILE-----
diff --git a/run_once_before_decrypt-private-key.sh.tmpl b/run_once_before_decrypt-private-key.sh.tmpl
new file mode 100644
index 0000000..2e1702d
--- /dev/null
+++ b/run_once_before_decrypt-private-key.sh.tmpl
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+if [ ! -f "{{ .chezmoi.homeDir }}/.config/chezmoi/key.txt" ]; then
+ mkdir -p "{{ .chezmoi.homeDir }}/.config/chezmoi"
+ chezmoi age decrypt \
+ --output "{{ .chezmoi.homeDir }}/.config/chezmoi/key.txt" \
+ --passphrase "{{ .chezmoi.sourceDir }}/key.txt.age"
+ chmod 600 "{{ .chezmoi.homeDir }}/.config/chezmoi/key.txt"
+fi
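Review bot: `key.txt.age` puts the age private identity into the repository, which makes its passphrase the only thing standing between anyone holding the git history and every secret encrypted in this patch; the file's first base64 line decodes to an `scrypt` stanza, so offline guessing against that passphrase is the attack to price in. Rotation is also weaker than with Bitwarden Secrets Manager was: a new identity plus re-encryption does not invalidate the old ciphertexts that stay in history, so the underlying tokens themselves have to be rotated if the passphrase is ever suspected leaked. Worth a line in the README stating that the passphrase must be long and randomly generated, and recording whether the secrets were rotated when moving off `bws`.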
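Review bot: `chezmoi age decrypt --output ...key.txt` in the new script creates the private identity under the caller's default umask (commonly 022, i.e. mode 644) and only the later `chmod 600` narrows it, so the key is briefly readable by other local users; setting `umask 077` before the decrypt removes that window instead of repairing it afterwards. The script also has no `set -euo pipefail`, so a failed or cancelled decrypt does not stop `chezmoi apply`, and with a `! -f` guard any zero-byte `key.txt` left behind (if the tool writes on failure, which I have not verified) would never be retried, which `-s` avoids. Since `--passphrase` prompts interactively, a comment should say this script cannot run unattended. Suggested rewrite:
```bash
#!/usr/bin/env bash
# Decrypt the passphrase-protected age identity so encrypted_* sources can be
# applied. Prompts for the passphrase, so it cannot run unattended.
set -euo pipefail

key="{{ .chezmoi.homeDir }}/.config/chezmoi/key.txt"
if [ ! -s "$key" ]; then
  # Create the key 0600 from the start rather than chmod-ing after the fact.
  umask 077
  mkdir -p "$(dirname "$key")"
  chezmoi age decrypt \
    --output "$key" \
    --passphrase "{{ .chezmoi.sourceDir }}/key.txt.age"
fi
```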