chezmoi parses attribute prefixes left-to-right and 'encrypted_' must
precede 'private_'. The 'private_encrypted_' order silently breaks
decryption: chezmoi consumes 'private_', then treats 'encrypted_foo.age'
as a literal filename and copies the ciphertext verbatim instead of
decrypting it.
models.yml was named 'private_encrypted_models.yml.age' since commit
3c3fab7 and was never decrypting — a stale 'encrypted_models.yml.age'
blob was sitting in ~/.omp/agent/ and the plaintext models.yml was an
unmanaged leftover. .env and zai.key used the plain 'encrypted_'
prefix and were decrypting at umask 0644 (world-readable in isolation;
the 700 ~/.omp/agent/ dir was the only thing shielding them).
This commit:
* renames all three to encrypted_private_{zai.key,.env,models.yml}.age
so chezmoi decrypts AND lands them at 0600 natively
* rewrites run_onchange_35 as 'ensure-omp-secret-perms.sh' covering
all three, as belt-and-suspenders for any box where a secret still
sits at 0644 from a prior apply
* removes the stale encrypted_models.yml.age verbatim blob and its
orphan state entry
* corrects the README perms section to document the prefix-order
gotcha (was misleadingly claiming 'private_' alone gave 0600)
Verified end-to-end on this box: chezmoi managed lists all three as
decrypted targets, scoped apply writes them at 600, chmod script is
idempotent. Other boxes need a 'chezmoi apply' to pick up the rename
and the onchange chmod.
50 lines
1.9 KiB
Bash
Executable file
#!/usr/bin/env bash
# =============================================================================
# run_onchange_35-ensure-omp-secret-perms.sh.tmpl
# Force chmod 600 on every omp secret under ~/.omp/agent/. The encrypted
# sources are all named encrypted_private_*.age ('encrypted_' must come
# first: 'private_encrypted_*.age' is parsed as a private file literally
# named encrypted_*.age and the ciphertext is copied verbatim), so chezmoi
# SHOULD set 600 on first apply, but if a file already exists from a prior
# apply (before it gained the `private_` prefix), its mode stays at whatever
# umask gave it (typically 644 — world-readable).
# This script normalizes the mode so live API keys are never world-readable,
# regardless of the enclosing directory's perms.
#
# Re-triggered automatically whenever this script body changes (chezmoi
# hashes the body). Runs on all OSes (no os_family gate), so the mode lookup
# falls back from GNU stat to BSD/macOS stat.
#
# Covered files:
#   zai.key    — Z.ai API key (literal, 1 line)
#   .env       — provider API keys (ANTHROPIC/OPENAI/... when populated)
#   models.yml — literal zai-coding provider key in apiKey:
# =============================================================================
set -euo pipefail

SECRETS_DIR="${HOME}/.omp/agent"
declare -a SECRET_FILES=("zai.key" ".env" "models.yml")

log() { printf '\033[1;34m[omp-secret-perms]\033[0m %s\n' "$*"; }

# Octal mode of a file: GNU coreutils stat first, BSD/macOS stat as fallback.
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"; }

if [[ ! -d "$SECRETS_DIR" ]]; then
  log "~/.omp/agent not present on this box (omp not installed?) — skipping"
  exit 0
fi

fixed=0
for f in "${SECRET_FILES[@]}"; do
  path="${SECRETS_DIR}/${f}"
  if [[ ! -f "$path" ]]; then
    log "${f}: not present — skipping"
    continue
  fi
  current_perm=$(mode_of "$path")
  if [[ "$current_perm" == "600" ]]; then
    log "${f}: already 600 — nothing to do"
    continue
  fi
  log "${f}: perm is ${current_perm}, fixing to 600"
  chmod 600 "$path"
  log "${f}: perm now $(mode_of "$path")"
  fixed=$((fixed + 1))
done

log "done (${fixed} file(s) changed)"
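The commit message describes two symptoms of the prefix-order gotcha: a source named private_encrypted_*.age that chezmoi copies verbatim, and the stale encrypted_*.age blob that leaves behind in ~/.omp/agent/. This added audit script (example code, not part of the dotfiles repo) checks a chezmoi source directory for misordered names and a target directory for the leftover blob or a target that still holds age ciphertext; the directory layout, the function names and the age-header check are the example's own assumptions.

```shell
#!/usr/bin/env bash
# Audit for the chezmoi prefix-order gotcha: a source named
# 'private_encrypted_<name>.age' is copied verbatim, never decrypted, and
# leaves ciphertext behind in the target dir. Paths/names here are examples.
set -eu

# Print the corrected source basename; succeed only when a fix was needed.
fix_attr_order() {
  case "$1" in
    private_encrypted_*) printf 'encrypted_private_%s\n' "${1#private_encrypted_}" ;;
    *) return 1 ;;
  esac
}

# Walk one chezmoi source directory and print "old -> new" per offender.
audit_source_dir() {
  local f base fixed
  for f in "$1"/*; do
    [ -e "$f" ] || continue
    base=${f##*/}
    if fixed=$(fix_attr_order "$base"); then
      printf '%s -> %s\n' "$base" "$fixed"
    fi
  done
}

# Succeed if the file starts with an age header, i.e. it is still ciphertext.
is_age_ciphertext() {
  IFS= read -r first < "$1" || true
  case "$first" in
    'age-encryption.org/v1'|'-----BEGIN AGE ENCRYPTED FILE-----') return 0 ;;
    *) return 1 ;;
  esac
}

# For each plaintext name, report a leftover 'encrypted_<name>.age' blob and
# a target whose body is still ciphertext.
audit_target_dir() {
  local dir="$1" name; shift
  for name in "$@"; do
    [ -e "$dir/encrypted_$name.age" ] && printf 'stale blob: encrypted_%s.age\n' "$name"
    [ -f "$dir/$name" ] && is_age_ciphertext "$dir/$name" && printf 'not decrypted: %s\n' "$name"
  done
  return 0
}

if [ "$#" -ge 2 ]; then
  src=$1 tgt=$2; shift 2
  audit_source_dir "$src"
  audit_target_dir "$tgt" ${1+"$@"}
fi
```

Run it as `audit.sh SRC_DIR TARGET_DIR name...` (for this repo: the chezmoi source dir, ~/.omp/agent, and zai.key .env models.yml); with no arguments it only defines the functions.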