rain b40d724f6c Make run_once scripts sudo-prompt-free when packages already present
Several run_once scripts unconditionally called sudo pacman/apt to
install packages — even on boxes where every package was already
present. That triggered a sudo password prompt on every fresh
chezmoi apply for nothing.

Two changes:

1. .chezmoi.yaml.tmpl: fall back to ~/.local/bin/age if /usr/bin/age
   isn't installed (matters during initial bootstrap before age is
   installed system-wide).

2. run_once_*.sh.tmpl: detect missing packages first; only call sudo
   if there's actually something to install. For the LAN hosts script,
   detect the existing block and skip if it's already correct.

These changes are transparent on boxes that already had everything
installed (the existing 5): no behavior change. They reduce sudo
prompts on bit (the new box, where most packages are pre-installed)
from ~5 prompts to 1 (just for /etc/hosts).
2026-06-22 15:10:49 -04:00


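{{- /* chezmoi config template (.chezmoi.yaml.tmpl): rendered by `chezmoi init`
       into the chezmoi config file. It derives an OS family from os-release,
       selects the external age binary and recipients, and exposes a few
       values under `data` for the other templates. */ -}}
{{- $osFamily := "unknown" -}}
{{- $osId := "" -}}
{{- $idLike := "" -}}
{{- /* Guard both os-release keys the same way: a host whose os-release lacks
       `id` or `idLike` gets "" instead of a missing-key value, which keeps the
       `eq`/`contains` comparisons below and `data.os_id` well-defined. */ -}}
{{- if hasKey .chezmoi.osRelease "id" -}}
{{-   $osId = .chezmoi.osRelease.id -}}
{{- end -}}
{{- if hasKey .chezmoi.osRelease "idLike" -}}
{{-   $idLike = .chezmoi.osRelease.idLike -}}
{{- end -}}
{{- /* Arch derivatives (e.g. CachyOS) and Debian derivatives (e.g. Raspberry
       Pi OS) are folded into their parent family via ID_LIKE. */ -}}
{{- if or (eq $osId "arch") (contains "arch" $idLike) -}}
{{-   $osFamily = "arch" -}}
{{- else if or (eq $osId "debian") (contains "debian" $idLike) -}}
{{-   $osFamily = "debian" -}}
{{- end -}}
encryption: "age"
# Force the external age binary: chezmoi's builtin age implementation needs a
# TTY for passphrase-style decryption prompts and does not support every
# feature. The `age.command` chosen below is an absolute path, so PATH is not
# consulted at all on a normally installed box. Only when none of the known
# locations exists is the `command` key omitted, and chezmoi then falls back
# to its default of resolving `age` via PATH.
useBuiltinAge: false
sourceDir: {{ .chezmoi.sourceDir | quote }}
# age config — see https://www.chezmoi.io/user-guide/encryption/age/
#
# To bootstrap age on a new box:
# 1. Generate a recovery key (offline; store the secret half in the password
#    manager, never in this repo):
#      age-keygen -o ~/.config/chezmoi/keys/recovery.key
#    Add the printed public key below as a recipient.
# 2. Generate a per-machine key on each box:
#      age-keygen -o ~/.config/chezmoi/key.txt
#    Add its public key below, then `chezmoi age rekey` to rewrite *.age files.
#
# To encrypt a new secret:
#   echo 'secret' | chezmoi encrypt --output private_dot_.../<name>.age
#
# To decrypt (automatic on apply):
#   chezmoi uses the per-machine ~/.config/chezmoi/key.txt because `identity`
#   below points there.
age:
  # Absolute path to the age binary. Most distros install to /usr/bin/age;
  # Arch's pacman and Debian's apt both put it there. Using the absolute
  # path means chezmoi can find age even if PATH isn't set correctly
  # (which happens in some non-interactive SSH contexts).
  #
  # During per-machine bootstrap the system package may not be installed yet
  # (it needs sudo), so ~/.local/bin/age is accepted as a fallback; the
  # bootstrap detects that path and re-renders this config to use it. See
  # run_once_00-install-bootstrap-tools.sh.tmpl.
  #
  # Security note: whatever binary is selected here reads key.txt and sees
  # every decrypted secret. /usr/bin is root-owned; ~/.local/bin is writable
  # by the user, which is the same trust domain as key.txt itself, so no new
  # boundary is crossed — but it is only as trustworthy as what the bootstrap
  # drops there. NOTE(review): confirm the bootstrap verifies the downloaded
  # age binary (checksum or signature) before placing it in ~/.local/bin, and
  # consider ranking /usr/local/bin ahead of ~/.local/bin so a root-managed
  # install wins once one exists.
  {{- if stat "/usr/bin/age" }}
  command: "/usr/bin/age"
  {{- else if stat (joinPath .chezmoi.homeDir ".local/bin/age") }}
  command: {{ joinPath .chezmoi.homeDir ".local/bin/age" | quote }}
  {{- else if stat "/usr/local/bin/age" }}
  command: "/usr/local/bin/age"
  {{- end }}
  identity: "~/.config/chezmoi/key.txt"
  # Multiple recipients: every listed recipient can decrypt every *.age file.
  # Add a new recipient by pasting their public key below, then
  # `chezmoi age rekey` to rewrite existing files with the new recipient.
  #
  # Only public keys (age1...) belong here; AGE-SECRET-KEY lines live in
  # key.txt / the recovery key and must never be committed. Removing a
  # recipient and rekeying only protects future versions of the files: every
  # *.age blob already in git history remains decryptable by the removed key,
  # so when a box is decommissioned or its key.txt may have leaked, rotate the
  # secrets themselves rather than just editing this list.
  recipients:
    # Recovery key — secret stored offline (password manager, USB stick).
    # Don't lose this: it's the only way to recover secrets if every
    # machine key is lost.
    - age1yyq42ctqwp5s5yd64week3aav9getk3p8aeyr5n5454d0v59a4dsjljsgs
    # Per-machine keys — one per box. Generate on the box itself with
    # `age-keygen -o ~/.config/chezmoi/key.txt`, paste its public key
    # here, then `chezmoi age rekey`.
    - age1eja7trs8mmsgf0qga0h5fsdltaryxgk4ksumshar5xxtdx0exy3q0a5hc5  # miche (Strix Halo GPU host)
    - age1tzmsrw59zkvh47pwz66gly3s4hdcru76569s8cgv0syfrpmutdxsnlke30  # byte (CachyOS laptop)
    - age16pl6ad3r44hf3q70xra7fadmllhmnnpmksetr3hr6a0q55kd3f9slvpsdg  # kaiser (services host)
    - age14yfcz6k3m4q99nuvd22ka8zgtgj6q5jmt0sz3cz0004uhcgddfpq49kxw7  # rye (Debian Pi)
    - age19d0dqm6nzmhlhuns2qa3z64rua294xvf6l2uy5we5dlrq6z4yvwq6g4y4e  # crouton (Debian Pi)
    - age1jk0xy6ltmd00x36jswxlj9c94pap3yu82usj2lzsxnqqdtngupnsyqjyv4  # bit (CachyOS laptop)
data:
  # Derived above from /etc/os-release; "unknown" / "" when not recognised.
  os_family: {{ $osFamily | quote }}
  os_id: {{ $osId | quote }}
  # Sway/Wayland desktop stack — opt-in at bootstrap time. `chezmoi init`
  # asks: "Install the sway + wofi + foot Wayland desktop stack? [y/N]".
  # Answering `y` installs the packages and writes the configs; `N` (or
  # enter, the default) skips both. The prompt is asked on every init unless
  # pre-answered with `--promptBool sway_setup=<bool>`; NOTE(review):
  # `promptBoolOnce` would reuse the previous answer on re-init if that is
  # preferred.
  #
  # To flip later: `touch ~/.config/chezmoi/features/sway` to enable,
  # or `touch ~/.config/chezmoi/features/no-sway` to disable, then
  # `chezmoi apply`. The marker files override the bootstrap answer, and the
  # `sway` marker wins if both markers exist.
  {{- $swayMarker := not (not (stat (joinPath .chezmoi.homeDir ".config/chezmoi/features/sway"))) }}
  {{- $noSwayMarker := not (not (stat (joinPath .chezmoi.homeDir ".config/chezmoi/features/no-sway"))) }}
  {{- $swayPrompt := promptBool "sway_setup" false }}
  sway_setup: {{ or $swayMarker (and $swayPrompt (not $noSwayMarker)) }}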