rain/gnu-plus-dotfiles
rain/gnu-plus-dotfiles
1
0
Fork 0
Code Wiki Activity

Compare commits

base: rain:27ae3a3b18d3df23119070d5be873c31fe6997e7
Branches Tags
rain:main
rain:legacy-2025
rain:master
..
compare: rain:6b64fe06252e1f0cc96dade887fcff17c3bb5897
Branches Tags
rain:main
rain:legacy-2025
rain:master

2 commits
27ae3a3b18 ... 6b64fe0625

Author SHA1 Message Date
rain
6b64fe0625 gentoo-overlays: guard with os_family so non-gentoo boxes skip it 
The script's body was never wrapped in an os_family template conditional
despite the header claiming it was 'guarded by the chezmoi template
engine'. So topgrade/chezmoi apply would run it on every box and die
with '/var/db/repos/gentoo missing' on arch/debian.

Wrap the body in '{{ if eq .os_family "gentoo" }}' / '{{ else }}' (same
pattern the arch-only chaotic-aur script already uses). On non-gentoo
boxes the rendered script reduces to a single 'skipping' log line.
Also fix two stale comments in the header (filename was 05, not 10).

Verified by rendering with --config override: arch → no-op log line,
gentoo → full body intact, both pass bash -n.
 2026-06-25 18:33:58 -04:00
rain
d61ffacc22 omp secrets: use encrypted_private_ prefix (decrypts + 0600) 
chezmoi parses attribute prefixes left-to-right and 'encrypted_' must
precede 'private_'. The 'private_encrypted_' order silently breaks
decryption: chezmoi consumes 'private_', then treats 'encrypted_foo.age'
as a literal filename and copies the ciphertext verbatim instead of
decrypting it.

models.yml was named 'private_encrypted_models.yml.age' since commit
3c3fab7 and was never decrypting — a stale 'encrypted_models.yml.age'
blob was sitting in ~/.omp/agent/ and the plaintext models.yml was an
unmanaged leftover. .env and zai.key used the plain 'encrypted_'
prefix and were decrypting at umask 0644 (world-readable in isolation;
the 700 ~/.omp/agent/ dir was the only thing shielding them).

This commit:

  * renames all three to encrypted_private_{zai.key,.env,models.yml}.age
    so chezmoi decrypts AND lands them at 0600 natively
  * rewrites run_onchange_35 as 'ensure-omp-secret-perms.sh' covering
    all three, as belt-and-suspenders for any box where a secret still
    sits at 0644 from a prior apply
  * removes the stale encrypted_models.yml.age verbatim blob and its
    orphan state entry
  * corrects the README perms section to document the prefix-order
    gotcha (was misleadingly claiming 'private_' alone gave 0600)

Verified end-to-end on this box: chezmoi managed lists all three as
decrypted targets, scoped apply writes them at 600, chmod script is
idempotent. Other boxes need a 'chezmoi apply' to pick up the rename
and the onchange chmod.
 2026-06-25 18:33:58 -04:00
7 changed files with 67 additions and 47 deletions
Download patch file Download diff file Expand all files Collapse all files

2
README.md
View file

@ -108,7 +108,7 @@ Workaround: define a custom `zai-coding` provider in `~/.omp/agent/models.yml` p
Gotcha: omp's `apiKey:` field in custom providers expects a **literal key value** — NOT an env var name. `apiKey: ZAI_CODING_API_KEY` was being treated as the literal string `ZAI_CODING_API_KEY` and sent as `Authorization: Bearer ZAI_CO...KEY` → 401. The encrypted `models.yml` in this repo contains the literal Z.ai API key in `apiKey:` (same key that's in `zai.key`). Gotcha: omp's `apiKey:` field in custom providers expects a **literal key value** — NOT an env var name. `apiKey: ZAI_CODING_API_KEY` was being treated as the literal string `ZAI_CODING_API_KEY` and sent as `Authorization: Bearer ZAI_CO...KEY` → 401. The encrypted `models.yml` in this repo contains the literal Z.ai API key in `apiKey:` (same key that's in `zai.key`).
`run_onchange_35-ensure-omp-models-perms.sh` chmod 600s the decrypted file so the literal key isn't world-readable (matches `zai.key`'s tighter perms). All three omp secrets (`zai.key`, `.env`, `models.yml`) are committed as `encrypted_private_*.age`. The prefix order matters: chezmoi parses attribute prefixes left-to-right, and `encrypted_` **must** precede `private_`. `encrypted_private_foo.age` decrypts *and* lands at `0600`; the reversed `private_encrypted_foo.age` makes chezmoi consume `private_` and then treat `encrypted_foo.age` as a literal filename (no decryption — the file is copied verbatim, which is how a stale `encrypted_models.yml.age` blob ended up in `~/.omp/agent/`). As belt-and-suspenders for boxes where a secret already sits at umask `0644` from a prior apply, `run_onchange_35-ensure-omp-secret-perms.sh` normalizes all three back to `600`. Never rely on the enclosing `~/.omp/agent/` directory being `700` to protect these; the files carry their own mode.
## Sway / Wayland desktop stack ## Sway / Wayland desktop stack

0
dot_omp/agent/encrypted_.env.age → dot_omp/agent/encrypted_private_.env.age
View file

0
dot_omp/agent/private_encrypted_models.yml.age → dot_omp/agent/encrypted_private_models.yml.age
View file

0
dot_omp/agent/encrypted_zai.key.age → dot_omp/agent/encrypted_private_zai.key.age
View file

27
run_once_10-add-gentoo-overlays.sh.tmpl Normal file → Executable file
View file

@ -1,31 +1,30 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# ============================================================================= # =============================================================================
# run_once_05-add-gentoo-overlays.sh.tmpl (gentoo-only) # run_once_10-add-gentoo-overlays.sh.tmpl (gentoo-only)
# Add the GURU overlay to the portage repository list. GURU is the # Add the GURU overlay to the portage repository list. GURU is the
# community overlay (like AUR for arch) where packages like bun, eza, # community overlay (like AUR for arch) where packages like bun, eza,
# sway, etc. live when they're not in the main tree. # sway, etc. live when they're not in the main tree.
# #
# Idempotent: skips if GURU is already enabled. # Idempotent: skips if GURU is already enabled.
# Run-order: 00 (bootstrap) → 05-overlays (here) → 10-add-{chaotic,debian} # Guarded: this script is a no-op on non-gentoo boxes via the os_family
# → 20-install-packages → 40-install-sway # template conditional below — so topgrade/chezmoi apply never errors
# on arch/debian where /var/db/repos/gentoo doesn't exist.
#
# Run-order: 00 (bootstrap) → 05 (hosts) → 10 (overlays, here)
# → 20 (packages) → 40 (sway)
# ============================================================================= # =============================================================================
set -euo pipefail set -euo pipefail
log() { printf '\033[1;34m[overlays]\033[0m %s\n' "$*"; } log() { printf '\033[1;34m[overlays]\033[0m %s\n' "$*"; }
die() { printf '\033[1;31m[overlays ERROR]\033[0m %s\n' "$*" >&2; exit 1; } die() { printf '\033[1;31m[overlays ERROR]\033[0m %s\n' "$*" >&2; exit 1; }
# This script is gentoo-only. Guarded by the chezmoi template engine; {{ if eq .os_family "gentoo" -}}
# on arch/debian it never renders (only this single file path). # --- gentoo: ensure GURU overlay is enabled ---
if [[ ! -d /var/db/repos/gentoo ]]; then if [[ ! -d /var/db/repos/gentoo ]]; then
die "/var/db/repos/gentoo missing — this doesn't look like a gentoo system" die "/var/db/repos/gentoo missing — this doesn't look like a gentoo system"
fi fi
# --- 1. GURU overlay --- # GURU overlay — required for eza, lazygit, topgrade, etc.
# User explicitly requires GURU. Per the bootstrap-runbook skill: gentoo
# boxes without GURU can't install most of the user packages (eza, fzf,
# fd-find on stable, lazygit, topgrade, etc.) because they only ship in
# the main tree as ~amd64 or only live in GURU.
if [[ -d /var/db/repos/guru ]]; then if [[ -d /var/db/repos/guru ]]; then
log "GURU overlay already enabled at /var/db/repos/guru — skipping" log "GURU overlay already enabled at /var/db/repos/guru — skipping"
else else
@ -51,7 +50,7 @@ else
log "GURU overlay enabled and synced" log "GURU overlay enabled and synced"
fi fi
# --- 2. Verify --- # --- verify ---
log "enabled overlays:" log "enabled overlays:"
eselect repository list 2>&1 | sed 's/^/ /' eselect repository list 2>&1 | sed 's/^/ /'
@ -63,3 +62,7 @@ GURU_NAME=$(cat /var/db/repos/guru/profiles/repo_name)
log "GURU repo verified: $GURU_NAME" log "GURU repo verified: $GURU_NAME"
log "overlays ready" log "overlays ready"
{{ else -}}
# Not a gentoo box — nothing to do (guarded by os_family above).
log "skipping gentoo overlays (os_family={{ .os_family }}, not gentoo)"
{{ end -}}

33
run_onchange_35-ensure-omp-models-perms.sh.tmpl
View file

@ -1,33 +0,0 @@
#!/usr/bin/env bash
# =============================================================================
# run_onchange_35-ensure-omp-models-perms.sh.tmpl
# Force chmod 600 on ~/.omp/agent/models.yml. The encrypted file is named
# `private_encrypted_models.yml.age` so chezmoi SHOULD set 600 on first apply,
# but if the file already exists from a prior apply (when it was named
# `encrypted_models.yml.age` without the `private_` prefix), the perm stays
# at whatever umask gave it (typically 644). This script normalizes the perm
# to 600 so the literal zai API key in models.yml isn't world-readable.
#
# Triggered by the body hash changing; current hash = sha256 of body.
# Runs on all OSes (no os_family gate).
# =============================================================================
set -euo pipefail
MODELS_YML="${HOME}/.omp/agent/models.yml"
log() { printf '\033[1;34m[omp-models-perms]\033[0m %s\n' "$*"; }
if [[ ! -f "$MODELS_YML" ]]; then
log "models.yml not present on this box (omp not installed?) — skipping"
exit 0
fi
current_perm=$(stat -c '%a' "$MODELS_YML")
if [[ "$current_perm" == "600" ]]; then
log "models.yml already 600 — nothing to do"
exit 0
fi
log "models.yml perm is $current_perm, fixing to 600"
chmod 600 "$MODELS_YML"
log "models.yml perm now $(stat -c '%a' "$MODELS_YML")"

50
run_onchange_35-ensure-omp-secret-perms.sh.tmpl Executable file
View file

@ -0,0 +1,50 @@
#!/usr/bin/env bash
# =============================================================================
# run_onchange_35-ensure-omp-secret-perms.sh.tmpl
# Force chmod 600 on every omp secret under ~/.omp/agent/. The encrypted
# sources are all named with the `private_` prefix (private_encrypted_*.age)
# so chezmoi SHOULD set 600 on first apply, but if a file already exists
# from a prior apply (before it gained the `private_` prefix), its mode
# stays at whatever umask gave it (typically 644 — world-readable).
# This script normalizes the mode so live API keys are never world-readable,
# regardless of the enclosing directory's perms.
#
# Re-triggered automatically whenever this script body changes (chezmoi
# hashes the body). Runs on all OSes (no os_family gate).
#
# Covered files:
# zai.key — Z.ai API key (literal, 1 line)
# .env — provider API keys (ANTHROPIC/OPENAI/... when populated)
# models.yml — literal zai-coding provider key in apiKey:
# =============================================================================
set -euo pipefail
SECRETS_DIR="${HOME}/.omp/agent"
declare -a SECRET_FILES=("zai.key" ".env" "models.yml")
log() { printf '\033[1;34m[omp-secret-perms]\033[0m %s\n' "$*"; }
if [[ ! -d "$SECRETS_DIR" ]]; then
log "~/.omp/agent not present on this box (omp not installed?) — skipping"
exit 0
fi
fixed=0
for f in "${SECRET_FILES[@]}"; do
path="${SECRETS_DIR}/${f}"
if [[ ! -f "$path" ]]; then
log "${f}: not present — skipping"
continue
fi
current_perm=$(stat -c '%a' "$path")
if [[ "$current_perm" == "600" ]]; then
log "${f}: already 600 — nothing to do"
continue
fi
log "${f}: perm is ${current_perm}, fixing to 600"
chmod 600 "$path"
log "${f}: perm now $(stat -c '%a' "$path")"
fixed=$((fixed + 1))
done
log "done (${fixed} file(s) changed)"