gnu-plus-dotfiles

rain/gnu-plus-dotfiles

Fork 0

Commit graph

Author	SHA1	Message	Date
rain	a2cc669b22	Add bit (CachyOS laptop) to age recipients + re-encrypt secrets bit-cachyos is the 6th machine in the hive. Generated a per-machine age key on bit, added the pubkey to the recipients list in .chezmoi.yaml.tmpl, and re-encrypted the two .age secrets (dot_omp/agent/encrypted_.env.age and encrypted_zai.key.age) with all 7 recipients (1 recovery + 6 machines). Bit's existing partial setup (pre-existing chezmoi source dir, omp native binary at ~/.local/bin/omp) is backed up during the bootstrap script to ~/.local/share/chezmoi.bak.<timestamp>. See onboard-bit.sh on bit:/tmp/onboard-bit.sh for the no-sudo bootstrap flow.	2026-06-22 15:03:54 -04:00
rain	bd9b295b24	Add omp .env.age for provider API keys; install topgrade+cargo-update via PM 1. dot_omp/agent/encrypted_.env.age (NEW) Encrypted shell-sourceable file with all omp provider API keys. Decrypts to ~/.omp/agent/.env on apply. omp reads .env on startup per docs/environment-variables.md. All 6 recipients (recovery + 5 boxes) can decrypt. Placeholder values for keys the user hasn't added yet — fill in real values per-provider. 2. run_onchange_30-ensure-cargo.sh.tmpl (UPDATED) - Add topgrade install: pacman on arch (via chaotic-aur), cargo on debian (not in apt) - Add cargo-update install: pacman on arch, cargo on debian - Prefer OS package managers over cargo install when both are available. cargo install only as fallback. 3. dot_omp/agent/config.yml (UNCHANGED) Per user request: keep .local host endpoints (llama-swap.miche, kaiser.local:8800). If a box can't reach them, it's not on the local network and omp will error gracefully at request time.	2026-06-22 01:34:02 -04:00
rain	07dbe83f52	Fix omp zai.key encryption: use proper chezmoi 'encrypted_' attribute The previous approach (private_dot_omp/agent/zai.key.age + manual re-encryption) didn't work because: 1. The 'private_' prefix is for files NOT to push to remote, not for encrypted files. The 'encrypted_' prefix is what chezmoi recognizes as an encryption marker. 2. The encrypted file needs to be at dot_<path>/encrypted_<name>.age so chezmoi can both decrypt on apply AND strip the .age suffix to write the destination file as <name> (without .age). Also fix chezmoi age config to actually decrypt non-interactively: - Add useBuiltinAge: false to force external age binary - Add age.command: /usr/bin/age (absolute path) so PATH issues don't matter in non-interactive SSH contexts The encrypted file is at dot_omp/agent/encrypted_zai.key.age, decrypts to ~/.omp/agent/zai.key on apply. Encrypted to all 6 recipients (recovery + miche + byte + kaiser + rye + crouton). Tested on miche: - chezmoi apply: rc=0 - live zai.key: 50 bytes (correct content) - decrypts with miche per-machine key - would decrypt on other boxes with their respective keys	2026-06-22 00:44:51 -04:00

Author

SHA1

Message

Date

rain

a2cc669b22

Add bit (CachyOS laptop) to age recipients + re-encrypt secrets

bit-cachyos is the 6th machine in the hive. Generated a per-machine
age key on bit, added the pubkey to the recipients list in
.chezmoi.yaml.tmpl, and re-encrypted the two .age secrets
(dot_omp/agent/encrypted_.env.age and encrypted_zai.key.age) with all
7 recipients (1 recovery + 6 machines).

Bit's existing partial setup (pre-existing chezmoi source dir, omp
native binary at ~/.local/bin/omp) is backed up during the bootstrap
script to ~/.local/share/chezmoi.bak.<timestamp>.

See onboard-bit.sh on bit:/tmp/onboard-bit.sh for the no-sudo
bootstrap flow.

2026-06-22 15:03:54 -04:00

rain

bd9b295b24

Add omp .env.age for provider API keys; install topgrade+cargo-update via PM

1. dot_omp/agent/encrypted_.env.age (NEW)
   Encrypted shell-sourceable file with all omp provider API keys.
   Decrypts to ~/.omp/agent/.env on apply. omp reads .env on startup
   per docs/environment-variables.md. All 6 recipients (recovery +
   5 boxes) can decrypt. Placeholder values for keys the user hasn't
   added yet — fill in real values per-provider.

2. run_onchange_30-ensure-cargo.sh.tmpl (UPDATED)
   - Add topgrade install: pacman on arch (via chaotic-aur), cargo on
     debian (not in apt)
   - Add cargo-update install: pacman on arch, cargo on debian
   - Prefer OS package managers over cargo install when both are
     available. cargo install only as fallback.

3. dot_omp/agent/config.yml (UNCHANGED)
   Per user request: keep .local host endpoints (llama-swap.miche,
   kaiser.local:8800). If a box can't reach them, it's not on the
   local network and omp will error gracefully at request time.

2026-06-22 01:34:02 -04:00

rain

07dbe83f52

Fix omp zai.key encryption: use proper chezmoi 'encrypted_' attribute

The previous approach (private_dot_omp/agent/zai.key.age + manual
re-encryption) didn't work because:
1. The 'private_' prefix is for files NOT to push to remote, not for
   encrypted files. The 'encrypted_' prefix is what chezmoi recognizes
   as an encryption marker.
2. The encrypted file needs to be at dot_<path>/encrypted_<name>.age
   so chezmoi can both decrypt on apply AND strip the .age suffix
   to write the destination file as <name> (without .age).

Also fix chezmoi age config to actually decrypt non-interactively:
- Add useBuiltinAge: false to force external age binary
- Add age.command: /usr/bin/age (absolute path) so PATH issues
  don't matter in non-interactive SSH contexts

The encrypted file is at dot_omp/agent/encrypted_zai.key.age, decrypts
to ~/.omp/agent/zai.key on apply. Encrypted to all 6 recipients
(recovery + miche + byte + kaiser + rye + crouton).

Tested on miche:
  - chezmoi apply: rc=0
  - live zai.key: 50 bytes (correct content)
  - decrypts with miche per-machine key
  - would decrypt on other boxes with their respective keys

2026-06-22 00:44:51 -04:00

3 commits