rain
2b06a60d00
Each box now has its own per-machine age key at ~/.config/chezmoi/key.txt. The .age file is encrypted to all 6 recipients, so any of them can decrypt zai.key on next chezmoi apply. Implementation note: chezmoi only honors the LAST --age-recipient flag when given multiple. Use --age-recipient-file=path/to/file (one pubkey per line) for multiple recipients in a single call.
53 lines
No EOL
2.4 KiB
Cheetah
53 lines
No EOL
2.4 KiB
Cheetah
{{- $osFamily := "unknown" -}}
|
|
{{- $idLike := "" -}}
|
|
{{- if hasKey .chezmoi.osRelease "idLike" -}}
|
|
{{- $idLike = .chezmoi.osRelease.idLike -}}
|
|
{{- end -}}
|
|
{{- if or (eq .chezmoi.osRelease.id "arch") (contains "arch" $idLike) -}}
|
|
{{- $osFamily = "arch" -}}
|
|
{{- else if or (eq .chezmoi.osRelease.id "debian") (contains "debian" $idLike) -}}
|
|
{{- $osFamily = "debian" -}}
|
|
{{- end -}}
|
|
encryption: "age"
|
|
sourceDir: {{ .chezmoi.sourceDir | quote }}
|
|
|
|
# age config — see https://www.chezmoi.io/user-guide/encryption/age/
|
|
#
|
|
# To bootstrap age on a new box:
|
|
# 1. Generate a recovery key (offline, store secret in password manager):
|
|
# age-keygen -o ~/.config/chezmoi/keys/recovery.key
|
|
# Add the printed public key below as a recipient.
|
|
# 2. Generate a per-machine key on each box:
|
|
# age-keygen -o ~/.config/chezmoi/key.txt
|
|
# Add its public key below, then `chezmoi age rekey` to rewrite *.age files.
|
|
#
|
|
# To encrypt a new secret:
|
|
# echo 'secret' | chezmoi encrypt --output private_dot_.../<name>.age
|
|
#
|
|
# To decrypt (auto, on apply):
|
|
# chezmoi uses ~/.config/chezmoi/key.txt (per-machine) by default.
|
|
|
|
age:
|
|
identity: "~/.config/chezmoi/key.txt"
|
|
|
|
# Multiple recipients: every listed recipient can decrypt every *.age file.
|
|
# Add a new recipient by pasting their public key below, then
|
|
# `chezmoi age rekey` to rewrite existing files with the new recipient.
|
|
recipients:
|
|
# Recovery key — secret stored offline (password manager, USB stick).
|
|
# Don't lose this: it's the only way to recover secrets if every
|
|
# machine key is lost.
|
|
- age1yyq42ctqwp5s5yd64week3aav9getk3p8aeyr5n5454d0v59a4dsjljsgs
|
|
|
|
# Per-machine keys — one per box. Generate on the box itself with
|
|
# `age-keygen -o ~/.config/chezmoi/key.txt`, paste its public key
|
|
# here, then `chezmoi age rekey`.
|
|
- age1eja7trs8mmsgf0qga0h5fsdltaryxgk4ksumshar5xxtdx0exy3q0a5hc5 # miche (Strix Halo GPU host)
|
|
- age1tzmsrw59zkvh47pwz66gly3s4hdcru76569s8cgv0syfrpmutdxsnlke30 # byte (CachyOS laptop)
|
|
- age16pl6ad3r44hf3q70xra7fadmllhmnnpmksetr3hr6a0q55kd3f9slvpsdg # kaiser (services host)
|
|
- age14yfcz6k3m4q99nuvd22ka8zgtgj6q5jmt0sz3cz0004uhcgddfpq49kxw7 # rye (Debian Pi)
|
|
- age19d0dqm6nzmhlhuns2qa3z64rua294xvf6l2uy5we5dlrq6z4yvwq6g4y4e # crouton (Debian Pi)
|
|
|
|
data:
|
|
os_family: {{ $osFamily | quote }}
|
|
os_id: {{ .chezmoi.osRelease.id | quote }} |