Add bun + pi-coding-agent + oh-my-pi to bootstrap; age encryption
Three parts:
1. .chezmoi.yaml.tmpl: reworked age config block
- recipients moved under 'age:' key (correct structure per chezmoi docs)
- identity: ~/.config/chezmoi/key.txt
- recipients list with recovery key + miche per-machine key
- recovery key pubkey: age1yyq42ctqwp5s5yd64week3aav9getk3p8aeyr5n5454d0v59a4dsjljsgs
- miche pubkey: age1eja7trs8mmsgf0qga0h5fsdltaryxgk4ksumshar5xxtdx0exy3q0a5hc5
- placeholders for byte/kaiser/rye/crouton (TODO: generate per-box keys
and add when bootstrapping those boxes)
2. private_dot_omp/agent/: omp/oh-my-pi config from byte
- config.yml (1.7KB) — model roles, fallback chains, theme, tools
- mcp.json (351B) — firecrawl MCP server config
- zai.key.age (540B) — zai-coding provider API key, age-encrypted to
recovery + miche recipients. Decrypts to live ~/.omp/agent/zai.key
on apply.
3. run_once_20: install bun + pi-coding-agent on both OSes
- arch: bun from pacman (now in [extra])
- debian: bun via curl-install to ~/.local (not in apt)
- both: bun add -g @oh-my-pi/pi-coding-agent → omp binary in ~/.bun/bin
- .zshrc.tmpl already adds ~/.bun/bin to PATH
To onboard a new box:
1. ssh into the box
2. age-keygen -o ~/.config/chezmoi/key.txt
3. paste the public key into .chezmoi.yaml.tmpl recipients
4. chezmoi age rekey # rewrites *.age files to include new recipient
5. commit + push
6. chezmoi init --apply # decrypts and writes zai.key live
This commit is contained in:
parent
6160efeb23
commit
dc72dc3a9a
5 changed files with 156 additions and 5 deletions
|
|
@ -11,11 +11,42 @@
|
|||
encryption: "age"
|
||||
sourceDir: {{ .chezmoi.sourceDir | quote }}
|
||||
|
||||
# When you have age secrets, uncomment and add recipient public keys here.
|
||||
# recipients:
|
||||
# - age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
|
||||
# - age1miche_pubkey_placeholder
|
||||
# - age1byte_pubkey_placeholder
|
||||
# age config — see https://www.chezmoi.io/user-guide/encryption/age/
|
||||
#
|
||||
# To bootstrap age on a new box:
|
||||
# 1. Generate a recovery key (offline, store secret in password manager):
|
||||
# age-keygen -o ~/.config/chezmoi/keys/recovery.key
|
||||
# Add the printed public key below as a recipient.
|
||||
# 2. Generate a per-machine key on each box:
|
||||
# age-keygen -o ~/.config/chezmoi/key.txt
|
||||
# Add its public key below, then `chezmoi age rekey` to rewrite *.age files.
|
||||
#
|
||||
# To encrypt a new secret:
|
||||
# echo 'secret' | chezmoi encrypt --output private_dot_.../<name>.age
|
||||
#
|
||||
# To decrypt (auto, on apply):
|
||||
# chezmoi uses ~/.config/chezmoi/key.txt (per-machine) by default.
|
||||
|
||||
age:
|
||||
identity: "~/.config/chezmoi/key.txt"
|
||||
|
||||
# Multiple recipients: every listed recipient can decrypt every *.age file.
|
||||
# Add a new recipient by pasting their public key below, then
|
||||
# `chezmoi age rekey` to rewrite existing files with the new recipient.
|
||||
recipients:
|
||||
# Recovery key — secret stored offline (password manager, USB stick).
|
||||
# Don't lose this: it's the only way to recover secrets if every
|
||||
# machine key is lost.
|
||||
- age1yyq42ctqwp5s5yd64week3aav9getk3p8aeyr5n5454d0v59a4dsjljsgs
|
||||
|
||||
# Per-machine keys — one per box. Generate on the box itself with
|
||||
# `age-keygen -o ~/.config/chezmoi/key.txt`, paste its public key
|
||||
# here, then `chezmoi age rekey`.
|
||||
- age1eja7trs8mmsgf0qga0h5fsdltaryxgk4ksumshar5xxtdx0exy3q0a5hc5 # miche (Strix Halo GPU host)
|
||||
# - age1byte_pubkey_placeholder # byte (CachyOS laptop)
|
||||
# - age1kaiser_pubkey_placeholder # kaiser (services host)
|
||||
# - age1rye_pubkey_placeholder # rye (Debian Pi)
|
||||
# - age1crouton_pubkey_placeholder # crouton (Debian Pi)
|
||||
|
||||
data:
|
||||
os_family: {{ $osFamily | quote }}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue