Update how secrets are encrypted and change keys

4 days ago · a36cf334f9
parent b5a4d540ed
commit a36cf334f9
9 changed files with 568 additions and 539 deletions
--- a/.chezmoi.toml.tmpl
+++ b/.chezmoi.toml.tmpl
@ -4,17 +4,18 @@
 {{- $git_name := promptStringOnce . "git_name" "name to use in git config" -}}
 {{- $include_legacy := promptBoolOnce . "include_legacy" "include old scripts [false]" -}}
 {{- $work := promptBoolOnce . "work" "include work tools [false]" -}}
+{{- $age_key := promptStringOnce . "age_key" "age public key of recipient" -}}

 encryption = "age"

 [age]
-identity = "{{ .chezmoi.homeDir }}/.config/chezmoi/key.txt"
-recipient = "age166qk8xkvd5cx2mqfxenw0mvmg4ghv7jzg8ffr0f0dave5lwzm38qswha8c"
+identity = "{{ .chezmoi.homeDir }}/.config/chezmoi/{{ $age_key }}.key"
+recipient = "{{ $age_key }}"

 [data]
+age_key = "{{ $age_key }}"
 development = {{ $development }}
 git_email = "{{ $git_email }}"
 git_name = "{{ $git_name }}"
 personal_dev = {{ $personal_dev }}
 include_legacy = {{ $include_legacy }}
-work = {{ $work }}
--- a/.chezmoiignore
+++ b/.chezmoiignore
@ -5,7 +5,7 @@
 {{- if not .include_legacy }}
 /.local/share/duck-encoder
 {{- end }}
-{{- if not .work }}
+{{- if ne .age_key "age1htqslfl4d5uv76j8eg49u9njqjx5udj9jmg3ujf2gxjjm06z0vqqwz6tlm" }}
 /.config/nushell/lib/work/mod.nu
 /.config/git/config.d/work
 {{- end }}
--- a/dot_config/git/config.d/encrypted_work.age
+++ b/dot_config/git/config.d/encrypted_work.age
@ -1,9 +1,9 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxa3Z2UHgyVmJzZndaSGNT
-SXd3SGNXY1pNbkFBdTFqZ1Z1UlgxN0QwcTBvCnZQME5JMU1pd00yejVJS1d5L2R1
-Z3ZSdnRNd01Ha29lQWMwT216by80UTAKLS0tIERSY1V0YXhCWCtrSEs5dFNEMDRq
-UmtJU2tQNGt6bS9KeVIwUzlUTnVvWU0KKXRVCJLDVMMwKvJepTsQ/E3+dHgexzpA
-pdXN/5jOogXvHcNdCy/aKWc11PF4M4ee2S8Y8EqbM2UUuq8dmMJZLx0dvb5wzr52
-dm4WAnkKY5vF2sD6R+M9HxaeU9jVByNzCp6xftwqYYh0cYoKT+uJgwGXv7kpsl6B
-yLYgdXMakkxeIswo46LQ7HP1eYqzRQmXU1zs1idPuQAJ
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwUTFyVUg4VmFtbEVnNXkw
+eHVJczNDdHViaDlyc0owZi9QNmNBS3U0YkY0ClNEd1hmWnBPQ3pTRnZpaWFCdEQ4
+SUZncEpMdkpnRWVjUy9FbFdLZkJ6Wk0KLS0tIENsNkFlalBWNnYxcVF4VnNTbkd1
+VWV4ZHNIWUpiek56bFdaK2R2TzkwSXcK1+UZP1EGZsQM1OiEbmRRb/6X1RjQiAdK
+ZA4dN4s84E0zJYDeIDU7U6AVi+GM8yeNvMDcEavkHtYgFGiFrZ2WspAaBlCm8RXw
+u9SAaxRwfD1pqRnZVPxxlP6JUmdV3BfzM5L2ifAauXczXKjXWbVWU/7zXGDChKvz
+jFySos+dEcLX7opddonoJxe3S/TtYuKk18gQuVx/YF9t
 -----END AGE ENCRYPTED FILE-----
--- a/dot_config/git/template/hooks/executable_prepare-commit-msg.tmpl
+++ b/dot_config/git/template/hooks/executable_prepare-commit-msg.tmpl
@ -1,7 +1,7 @@
 // chezmoi:template:left-delimiter="/*{{"
 // chezmoi:template:right-delimiter="}}*/"
 /*{{- /* vim: set filetype=javascript: */ -}}*/
-/*{{ if and .work (lookPath "node") -}}*/
+/*{{ if lookPath "node" -}}*/
 #!/usr/bin/env node

 const fs = require("fs");
--- a/dot_config/nushell/config.nu.tmpl
+++ b/dot_config/nushell/config.nu.tmpl
@ -5,7 +5,7 @@ source xdg.nu

 use themes.nu
 use completions *
-#{{- if .work }}
+#{{- if eq .age_key "age1htqslfl4d5uv76j8eg49u9njqjx5udj9jmg3ujf2gxjjm06z0vqqwz6tlm" }}
 overlay use work
 #{{- end }}

--- a/dot_config/nushell/lib/work/encrypted_mod.nu.age
+++ b/dot_config/nushell/lib/work/encrypted_mod.nu.age
--- a/dot_config/profile/env.d/encrypted_openapi.env.age
+++ b/dot_config/profile/env.d/encrypted_openapi.env.age
@ -1,8 +0,0 @@
-----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTMlUzMEdOK0h2SlB0eG1G
-N2E2N2ZVNWN1ZVJFbGNLRm05NWtINjY0VmxnCkp6Q3NMSURsOWNlZmZKUjFJZDNX
-Zk5EU1dVa0JNNDQ0TVBYSDM0QmJFdHcKLS0tIEFxVTlyd21zQmdnbGpLeE4vOWJ4
-elVualRPSGgrb1Fub3FMRmRlaFVSYWcKWEE8MKGcsEhZshxM17468m5xlDaGH66f
-J2cbjyBRIG1wcVgpCSAPRw8Vd1wUIWJFnyFzyiwnrHcPBM+M/JNZDmadNOAyADhc
-MgqPsEeD2k1Kcro3zthL0kl4+TNEremTZ9Zx
-----END AGE ENCRYPTED FILE-----
--- a/key.txt.age
+++ b/key.txt.age
@ -1,10 +0,0 @@
-----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNjcnlwdCBFVFQ2SE1pUWErTFdnQXJX
-UndQMjFRIDE4ClFOcDFwWDUyekRBRi8vZmxzTTRFa0wxZmNjRmhnL3BlTzFqN1p5
-VFZsdFUKLS0tIExrdG5ZUFAraUlnSEpCTnVEL3FZcGc3MzBBbXF2aFhodklOVlk5
-Zno5QnMKfWGrVFWWJvWPxoeP/tUF3ZM6sG1eFPWf97e+K9iopntaGcrvY83H+mrc
-lSdTVNplSm/Erq6u+UuAi8OeKE8G/Uf4vDXfuoww0dfbTpRDQPx+rAf3/kMVlgPt
-qvyhZzjaNeHV3+LKOlH9DnOGxr9an+zbndfOOid3f0YWSyVk41B04RGOdZe2w+3D
-ZUxon0+4lYzBv5snj6QVmdLqZPUiTWFpenXSwafr6LoYG51D8HEYsm53eJ7ZPq12
-oBIa+inji8v+B6zqIkKklF9qYGbub9SrwSyN9FKzrRmmbR0=
-----END AGE ENCRYPTED FILE-----
--- a/run_once_before_decrypt-private-key.sh.tmpl
+++ b/run_once_before_decrypt-private-key.sh.tmpl
@ -1,9 +0,0 @@
-#!/usr/bin/env bash
-
-if [ ! -f "{{ .chezmoi.homeDir }}/.config/chezmoi/key.txt" ]; then
-	mkdir -p "{{ .chezmoi.homeDir }}/.config/chezmoi"
-	chezmoi age decrypt \
-		--output "{{ .chezmoi.homeDir }}/.config/chezmoi/key.txt" \
-		--passphrase "{{ .chezmoi.sourceDir }}/key.txt.age"
-	chmod 600 "{{ .chezmoi.homeDir }}/.config/chezmoi/key.txt"
-fi