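{{- /*
  chezmoi config template: selects external age encryption, lists the age
  recipients, and exposes per-host data (os_family, os_id, sway) to the
  other templates in this repo.

  os_family is "arch" or "debian" when os-release `id` equals that name or
  `idLike` contains it (Arch is checked first); otherwise "unknown".
*/ -}}
{{- $osFamily := "unknown" -}}
{{- $idLike := "" -}}
{{- if hasKey .chezmoi.osRelease "idLike" -}}
{{-   $idLike = .chezmoi.osRelease.idLike -}}
{{- end -}}
{{- if or (eq .chezmoi.osRelease.id "arch") (contains "arch" $idLike) -}}
{{-   $osFamily = "arch" -}}
{{- else if or (eq .chezmoi.osRelease.id "debian") (contains "debian" $idLike) -}}
{{-   $osFamily = "debian" -}}
{{- end -}}
encryption: "age"

# chezmoi's builtin age implementation requires a TTY for passphrase-style
# decryption prompts and doesn't support all features. Force the external
# age binary instead. `age.command` below is an absolute path, so that exact
# binary is what gets executed; it is not a fallback behind a PATH lookup.
useBuiltinAge: false

sourceDir: {{ .chezmoi.sourceDir | quote }}

# age config — see https://www.chezmoi.io/user-guide/encryption/age/
#
# To bootstrap age on a new box:
#   1. Generate a recovery key (offline, store secret in password manager):
#        age-keygen -o ~/.config/chezmoi/keys/recovery.key
#      Add the printed public key below as a recipient.
#      Once the secret is in the password manager, don't leave
#      recovery.key on a networked machine.
#   2. Generate a per-machine key on each box:
#        age-keygen -o ~/.config/chezmoi/key.txt
#      Add its public key below, then `chezmoi age rekey` to rewrite *.age files.
#      NOTE(review): confirm your chezmoi version provides `chezmoi age rekey`;
#      if it doesn't, decrypt and re-encrypt each *.age file after editing the
#      recipient list, or the new box can't read existing secrets.
#
# Identity files are private keys: keep them readable by the owner only
# (chmod 600) and never add them to the chezmoi source directory. Only the
# `age1...` public keys belong in this file.
#
# To encrypt a new secret:
#   echo 'secret' | chezmoi encrypt --output private_dot_.../.age
#   (Typing the secret on the command line records it in shell history;
#   feed it from a file or editor when that matters.)
#
# To decrypt (auto, on apply):
#   chezmoi uses ~/.config/chezmoi/key.txt (per-machine) by default.
age:
  # Absolute path to age binary. Most distros install to /usr/bin/age;
  # Arch's pacman and Debian's apt both put it there. Using the absolute
  # path means chezmoi can find age even if PATH isn't set correctly
  # (which happens in some non-interactive SSH contexts). It also keeps an
  # `age` placed earlier on PATH from being picked up to handle secrets.
  command: "/usr/bin/age"
  identity: "~/.config/chezmoi/key.txt"

  # Multiple recipients: every listed recipient can decrypt every *.age file.
  # Add a new recipient by pasting their public key below, then
  # `chezmoi age rekey` to rewrite existing files with the new recipient.
  #
  # Consequence: one leaked machine key exposes every secret in the repo.
  # Dropping a recipient and re-encrypting only protects future commits;
  # ciphertext already in git history stays readable with the old key, so
  # rotate the secrets themselves when a machine is lost or retired.
  recipients:
    # Recovery key — secret stored offline (password manager, USB stick).
    # Don't lose this: it's the only way to recover secrets if every
    # machine key is lost.
    - age1yyq42ctqwp5s5yd64week3aav9getk3p8aeyr5n5454d0v59a4dsjljsgs
    # Per-machine keys — one per box. Generate on the box itself with
    # `age-keygen -o ~/.config/chezmoi/key.txt`, paste its public key
    # here, then `chezmoi age rekey`.
    - age1eja7trs8mmsgf0qga0h5fsdltaryxgk4ksumshar5xxtdx0exy3q0a5hc5  # miche (Strix Halo GPU host)
    - age1tzmsrw59zkvh47pwz66gly3s4hdcru76569s8cgv0syfrpmutdxsnlke30  # byte (CachyOS laptop)
    - age16pl6ad3r44hf3q70xra7fadmllhmnnpmksetr3hr6a0q55kd3f9slvpsdg  # kaiser (services host)
    - age14yfcz6k3m4q99nuvd22ka8zgtgj6q5jmt0sz3cz0004uhcgddfpq49kxw7  # rye (Debian Pi)
    - age19d0dqm6nzmhlhuns2qa3z64rua294xvf6l2uy5we5dlrq6z4yvwq6g4y4e  # crouton (Debian Pi)

data:
  # Distro family computed at the top of this template, plus the raw
  # os-release id, both rendered as quoted strings.
  os_family: {{ $osFamily | quote }}
  os_id: {{ .chezmoi.osRelease.id | quote }}

  # Sway/Wayland desktop stack — enabled per host. Pis don't need it
  # (headless); x86_64 desktops do. Override at runtime by creating
  # `~/.config/chezmoi/features/sway` (force ON) or
  # `~/.config/chezmoi/features/no-sway` (force OFF). If both marker files
  # exist, `sway` (ON) wins because it is tested first.
  #
  # To toggle for a new box: `touch ~/.config/chezmoi/features/sway`
  # then `chezmoi apply`.
{{- $swayOverrideOn := stat (joinPath .chezmoi.homeDir ".config/chezmoi/features/sway") }}
{{- $swayOverrideOff := stat (joinPath .chezmoi.homeDir ".config/chezmoi/features/no-sway") }}
{{- if $swayOverrideOn }}
  sway: true
{{- else if $swayOverrideOff }}
  sway: false
{{- else }}
{{- /* Hostname allowlist for the desktop stack. A host matches when its
     hostname equals a listed name, or starts with that name followed by
     "-" or "." (e.g. "byte" matches "byte" and "byte-arch", but a bare
     prefix such as "bytes" does not). */}}
{{-   $swayHosts := list "miche" "byte" "kaiser" }}
{{-   $swayMatch := false }}
{{-   range $swayHosts }}
{{-     if or (eq . $.chezmoi.hostname) (hasPrefix (printf "%s-" .) $.chezmoi.hostname) (hasPrefix (printf "%s." .) $.chezmoi.hostname) }}
{{-       $swayMatch = true }}
{{-     end }}
{{-   end }}
  sway: {{ $swayMatch }}
{{- end }}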