The encrypted models.yml is named private_encrypted_models.yml.age so chezmoi *should* set 600 on decrypt, but on boxes where the file already existed from a prior apply (before the rename), the perm stays at umask default (644). This run_onchange script normalizes to 600. Runs only when the script body changes (chezmoi hashes the rendered content). On a fresh apply, it brings the perm to 600 once, then stays silent on subsequent applies until the body changes again.
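#!/usr/bin/env bash
# =============================================================================
# run_onchange_35-ensure-omp-models-perms.sh.tmpl
# Force chmod 600 on ~/.omp/agent/models.yml. The encrypted file is named
# `private_encrypted_models.yml.age` so chezmoi SHOULD set 600 on first apply,
# but if the file already exists from a prior apply (when it was named
# `encrypted_models.yml.age` without the `private_` prefix), the perm stays
# at whatever umask gave it (typically 644). This script normalizes the perm
# to 600 so the literal zai API key in models.yml isn't world-readable.
#
# Triggered by the body hash changing; current hash = sha256 of body.
# Runs on all OSes (no os_family gate). Because of that, the mode lookup must
# not assume GNU stat: `stat -c '%a'` is GNU-only and fails on BSD/macOS, where
# the spelling is `stat -f '%Lp'`. Under `set -e` the GNU-only form would abort
# the whole apply on those boxes instead of fixing the perm.
# =============================================================================
set -euo pipefail

readonly MODELS_YML="${HOME}/.omp/agent/models.yml"

# Diagnostics go to stdout on purpose: chezmoi shows run_ script output inline.
log() { printf '\033[1;34m[omp-models-perms]\033[0m %s\n' "$*"; }

#######################################
# Print the octal permission bits of a file (e.g. "644"), following symlinks.
# Tries GNU stat first; on BSD/macOS `-c` is rejected, so fall back to the
# BSD format. GNU `%a` may include setuid/setgid/sticky digits (e.g. "4644")
# while BSD `%Lp` prints only the low 9 bits — either way anything other than
# exactly "600" is treated as "needs fixing".
# Arguments: $1 - path to inspect
# Outputs:   mode string on stdout
# Returns:   non-zero if neither stat form works
#######################################
file_mode() {
  local path=$1
  stat -c '%a' -- "$path" 2>/dev/null || stat -f '%Lp' -- "$path"
}

# -f follows symlinks, as does chmod below, so a symlinked models.yml has its
# target normalized rather than the link itself.
if [[ ! -f "$MODELS_YML" ]]; then
  log "models.yml not present on this box (omp not installed?) — skipping"
  exit 0
fi

# Split declaration from assignment so a failing stat is not masked.
current_perm=$(file_mode "$MODELS_YML") || {
  log "cannot read permissions of $MODELS_YML — aborting"
  exit 1
}

if [[ "$current_perm" == "600" ]]; then
  log "models.yml already 600 — nothing to do"
  exit 0
fi

log "models.yml perm is $current_perm, fixing to 600"
chmod 600 -- "$MODELS_YML"
log "models.yml perm now $(file_mode "$MODELS_YML")"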