rain/gnu-plus-dotfiles
rain/gnu-plus-dotfiles
1
0
Fork 0
Code Wiki Activity

Add bun + pi-coding-agent + oh-my-pi to bootstrap; age encryption

Browse source 
Three parts:

1. .chezmoi.yaml.tmpl: reworked age config block
   - recipients moved under 'age:' key (correct structure per chezmoi docs)
   - identity: ~/.config/chezmoi/key.txt
   - recipients list with recovery key + miche per-machine key
   - recovery key pubkey: age1yyq42ctqwp5s5yd64week3aav9getk3p8aeyr5n5454d0v59a4dsjljsgs
   - miche pubkey: age1eja7trs8mmsgf0qga0h5fsdltaryxgk4ksumshar5xxtdx0exy3q0a5hc5
   - placeholders for byte/kaiser/rye/crouton (TODO: generate per-box keys
     and add when bootstrapping those boxes)

2. private_dot_omp/agent/: omp/oh-my-pi config from byte
   - config.yml (1.7KB) — model roles, fallback chains, theme, tools
   - mcp.json (351B) — firecrawl MCP server config
   - zai.key.age (540B) — zai-coding provider API key, age-encrypted to
     recovery + miche recipients. Decrypts to live ~/.omp/agent/zai.key
     on apply.

3. run_once_20: install bun + pi-coding-agent on both OSes
   - arch: bun from pacman (now in [extra])
   - debian: bun via curl-install to ~/.local (not in apt)
   - both: bun add -g @oh-my-pi/pi-coding-agent → omp binary in ~/.bun/bin
   - .zshrc.tmpl already adds ~/.bun/bin to PATH

To onboard a new box:
  1. ssh into the box
  2. age-keygen -o ~/.config/chezmoi/key.txt
  3. paste the public key into .chezmoi.yaml.tmpl recipients
  4. chezmoi age rekey   # rewrites *.age files to include new recipient
  5. commit + push
  6. chezmoi init --apply  # decrypts and writes zai.key live
This commit is contained in:
Rain 2026-06-22 00:10:34 -04:00
parent 6160efeb23
commit dc72dc3a9a
5 changed files with 156 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

41
.chezmoi.yaml.tmpl
View file

@ -11,11 +11,42 @@
encryption: "age" encryption: "age"
sourceDir: {{ .chezmoi.sourceDir | quote }} sourceDir: {{ .chezmoi.sourceDir | quote }}
# When you have age secrets, uncomment and add recipient public keys here. # age config — see https://www.chezmoi.io/user-guide/encryption/age/
# recipients: #
# - age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p # To bootstrap age on a new box:
# - age1miche_pubkey_placeholder # 1. Generate a recovery key (offline, store secret in password manager):
# - age1byte_pubkey_placeholder # age-keygen -o ~/.config/chezmoi/keys/recovery.key
# Add the printed public key below as a recipient.
# 2. Generate a per-machine key on each box:
# age-keygen -o ~/.config/chezmoi/key.txt
# Add its public key below, then `chezmoi age rekey` to rewrite *.age files.
#
# To encrypt a new secret:
# echo 'secret' | chezmoi encrypt --output private_dot_.../<name>.age
#
# To decrypt (auto, on apply):
# chezmoi uses ~/.config/chezmoi/key.txt (per-machine) by default.
age:
identity: "~/.config/chezmoi/key.txt"
# Multiple recipients: every listed recipient can decrypt every *.age file.
# Add a new recipient by pasting their public key below, then
# `chezmoi age rekey` to rewrite existing files with the new recipient.
recipients:
# Recovery key — secret stored offline (password manager, USB stick).
# Don't lose this: it's the only way to recover secrets if every
# machine key is lost.
- age1yyq42ctqwp5s5yd64week3aav9getk3p8aeyr5n5454d0v59a4dsjljsgs
# Per-machine keys — one per box. Generate on the box itself with
# `age-keygen -o ~/.config/chezmoi/key.txt`, paste its public key
# here, then `chezmoi age rekey`.
- age1eja7trs8mmsgf0qga0h5fsdltaryxgk4ksumshar5xxtdx0exy3q0a5hc5 # miche (Strix Halo GPU host)
# - age1byte_pubkey_placeholder # byte (CachyOS laptop)
# - age1kaiser_pubkey_placeholder # kaiser (services host)
# - age1rye_pubkey_placeholder # rye (Debian Pi)
# - age1crouton_pubkey_placeholder # crouton (Debian Pi)
data: data:
os_family: {{ $osFamily | quote }} os_family: {{ $osFamily | quote }}

65
private_dot_omp/agent/config.yml Normal file
View file

@ -0,0 +1,65 @@
providers:
webSearch: searxng
searxng:
endpoint: http://kaiser.local:8800
symbolPreset: nerd
theme:
dark: dark-gruvbox
light: light
setupVersion: 1
modelRoles:
default: minimax-code/MiniMax-M3:high
task: llama-swap.miche/qwen3.6-27b-mtp-rocmfp4-turbo
smol: llama-swap.miche/qwen3.6-35b-a3b-mtp-rocmfp4
plan: zai-coding/glm-5.2:xhigh
slow: minimax-code/MiniMax-M3:high
vision: llama-swap.miche/gemma4-12b
retry:
fallbackChains:
default:
- zai-coding/glm-5.2
- minimax-code/MiniMax-M3
- deepseek/deepseek-v4-pro
- llama-swap.miche/qwen3.6-27b-mtp-rocmfp4-turbo
- llama-swap.byte/qwen3.6-27b-mtp
task:
- llama-swap.miche/qwen3.6-27b-mtp-rocmfp4-turbo
- llama-swap.byte/qwen3.6-27b-mtp
- zai-coding/glm-5.2
- minimax-code/MiniMax-M3
smol:
- llama-swap.miche/qwen3.6-35b-a3b-mtp-rocmfp4
- llama-swap.byte/qwen3.6-35b-a3b-mtp
- llama-swap.miche/qwen3.6-27b-mtp-rocmfp4-turbo
- zai-coding/glm-5.2
- minimax-code/MiniMax-M3
plan:
- zai-coding/glm-5.2:xhigh
- minimax-code/minimax-code:xhigh
- deepseek/deepseek-v4-pro:xhigh
- llama-swap.miche/step-3.7-flash:high
slow:
- zai-coding/glm-5.2
- minimax-code/minimax-code
- deepseek/deepseek-v4-pro
- llama-swap.miche/step-3.7-flash
vision:
- llama-swap.miche/gemma4-12b
- llama-swap.byte/gemma-4-12b-heretic
- llama-swap.miche/qwen3.6-27b-mtp-rocmfp4-turbo
tools:
approvalMode: yolo
memory:
backend: "off"
github:
enabled: true
statusLine:
preset: default
separator: powerline
transparent: true
tui:
textSizing: false
defaultThinkingLevel: high
personality: pragmatic
hideThinkingBlock: true
readLineNumbers: true

13
private_dot_omp/agent/mcp.json Normal file
View file

@ -0,0 +1,13 @@
{
"$schema": "https://raw.githubusercontent.com/can1357/oh-my-pi/main/packages/coding-agent/src/config/mcp-schema.json",
"mcpServers": {
"firecrawl": {
"command": "npx",
"args": ["-y", "firecrawl-mcp"],
"env": {
"FIRECRAWL_API_KEY": "123",
"FIRECRAWL_API_URL": "http://bazzite.local:3002"
}
}
}
}

10
private_dot_omp/agent/zai.key.age Normal file
View file

@ -0,0 +1,10 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlZWhIcnM5cDBjeXNsSFJD
YmNrVXEyRitzcHpIUms0S281SElvNzBFMG40CkI0ck1MRlk1c0pxWnpwc3ZxTEFR
UVJCbk5TWFluZXpzUGlNVEk4alNXWE0KLT4gWDI1NTE5IEVBV2tkS3pyS3lITWdV
U0JuaTExTjFqbElUQ0FzTTlNUVEzZVVOdlFFRzQKc3c3WXBtQVR4NitoZXYveDZL
aFNtWng2WFBSVE5QSTg4VngwVVFiVUxFOAotLS0gaHlYRTROc3BTWS9IYVVNZlhy
aWZvbThPZm94MG41Nk9kZGNTKzlZM3FMRQo8aM6b1YkAxYJLXq+49I2LazKrOF6U
vUpLSW9ArUFQZuCYjexGzGpJXEjWjpbjOv6nV7LZAIN+brCNYLV2SEHp2Gq+Uny8
ljyD+SUwXgVerdzP
-----END AGE ENCRYPTED FILE-----

32
run_once_20-install-user-packages.sh.tmpl
View file

@ -30,11 +30,23 @@ PACMAN_PKGS=(
lazygit yt-dlp jq lazygit yt-dlp jq
unzip p7zip unzip p7zip
openssh openssh
bun
) )
log "installing pacman packages" log "installing pacman packages"
sudo pacman -S --needed --noconfirm "${PACMAN_PKGS[@]}" sudo pacman -S --needed --noconfirm "${PACMAN_PKGS[@]}"
# --------------------------- Pi coding agent + oh-my-pi ---------------------
# Arch: bun comes from pacman (above), used here for the global install.
if command -v bun >/dev/null 2>&1; then
if ! command -v omp >/dev/null 2>&1; then
log "installing @oh-my-pi/pi-coding-agent via bun global"
bun add -g @oh-my-pi/pi-coding-agent 2>&1 | tail -10
else
log "omp already installed: $(omp --version 2>&1 | head -1)"
fi
fi
{{ else if eq .os_family "debian" -}} {{ else if eq .os_family "debian" -}}
# ----------------------------- DEBIAN -------------------------------------- # ----------------------------- DEBIAN --------------------------------------
export DEBIAN_FRONTEND=noninteractive export DEBIAN_FRONTEND=noninteractive
@ -55,6 +67,14 @@ APT_PKGS=(
log "installing apt packages" log "installing apt packages"
sudo apt-get install -y --no-install-recommends "${APT_PKGS[@]}" sudo apt-get install -y --no-install-recommends "${APT_PKGS[@]}"
# bun isn't in debian repos. Install via official script into ~/.local
# (so the binary lands at ~/.local/bin/bun, which is already in PATH
# via .zshrc — no extra PATH config needed).
if ! command -v bun >/dev/null 2>&1; then
log "installing bun to ~/.local/bin (debian: not in apt)"
curl -fsSL https://bun.sh/install | BUN_INSTALL="$HOME/.local" bash
fi
# fd on Debian ships as 'fdfind' to avoid clashing with fd (the dedupe tool). # fd on Debian ships as 'fdfind' to avoid clashing with fd (the dedupe tool).
# Symlink so .zshrc can find 'fd' on PATH. # Symlink so .zshrc can find 'fd' on PATH.
if command -v fdfind >/dev/null 2>&1 && ! command -v fd >/dev/null 2>&1; then if command -v fdfind >/dev/null 2>&1 && ! command -v fd >/dev/null 2>&1; then
@ -67,6 +87,18 @@ fi
# package. The install happens in run_onchange_30 (after rustup is ready, # package. The install happens in run_onchange_30 (after rustup is ready,
# via `cargo install bat`). # via `cargo install bat`).
# --------------------------- Pi coding agent + oh-my-pi ---------------------
# Install via bun global (arch already has /usr/bin/bun from pacman, debian
# got it from the curl install above). Both OSes land in the same dir.
if command -v bun >/dev/null 2>&1; then
if ! command -v omp >/dev/null 2>&1; then
log "installing @oh-my-pi/pi-coding-agent via bun global"
bun add -g @oh-my-pi/pi-coding-agent 2>&1 | tail -10
else
log "omp already installed: $(omp --version 2>&1 | head -1)"
fi
fi
# Neovim — install official binary tarball, pinned to a known-good version. # Neovim — install official binary tarball, pinned to a known-good version.
# Bump NVIM_TARGET_VERSION to upgrade. ~/.local/bin/update-neovim.sh does # Bump NVIM_TARGET_VERSION to upgrade. ~/.local/bin/update-neovim.sh does
# the same check + download so topgrade can invoke it for upgrades. # the same check + download so topgrade can invoke it for upgrades.