gnu-plus-dotfiles/.chezmoi.yaml.tmpl

{{- $osFamily := "unknown" -}}
{{- $idLike := "" -}}
{{- if hasKey .chezmoi.osRelease "idLike" -}}
  {{- $idLike = .chezmoi.osRelease.idLike -}}
{{- end -}}
{{- if or (eq .chezmoi.osRelease.id "arch") (contains "arch" $idLike) -}}
  {{- $osFamily = "arch" -}}
{{- else if or (eq .chezmoi.osRelease.id "debian") (contains "debian" $idLike) -}}
  {{- $osFamily = "debian" -}}
{{- end -}}
encryption: "age"
# chezmoi's builtin age implementation requires a TTY for passphrase-style
# decryption prompts and doesn't support all features. Force the external
# age binary instead. If chezmoi can't find `age` on PATH at apply time,
# the absolute path is used as a fallback.
useBuiltinAge: false
sourceDir: {{ .chezmoi.sourceDir | quote }}

# age config — see https://www.chezmoi.io/user-guide/encryption/age/
#
# To bootstrap age on a new box:
#   1. Generate a recovery key (offline, store secret in password manager):
#        age-keygen -o ~/.config/chezmoi/keys/recovery.key
#      Add the printed public key below as a recipient.
#   2. Generate a per-machine key on each box:
#        age-keygen -o ~/.config/chezmoi/key.txt
#      Add its public key below, then `chezmoi age rekey` to rewrite *.age files.
#
# To encrypt a new secret:
#   echo 'secret' | chezmoi encrypt --output private_dot_.../<name>.age
#
# To decrypt (auto, on apply):
#   chezmoi uses ~/.config/chezmoi/key.txt (per-machine) by default.

age:
    # Absolute path to age binary. Most distros install to /usr/bin/age;
    # Arch's pacman and Debian's apt both put it there. Using the absolute
    # path means chezmoi can find age even if PATH isn't set correctly
    # (which happens in some non-interactive SSH contexts).
    command: "/usr/bin/age"
    identity: "~/.config/chezmoi/key.txt"

    # Multiple recipients: every listed recipient can decrypt every *.age file.
    # Add a new recipient by pasting their public key below, then
    # `chezmoi age rekey` to rewrite existing files with the new recipient.
    recipients:
        # Recovery key — secret stored offline (password manager, USB stick).
        # Don't lose this: it's the only way to recover secrets if every
        # machine key is lost.
        - age1yyq42ctqwp5s5yd64week3aav9getk3p8aeyr5n5454d0v59a4dsjljsgs

        # Per-machine keys — one per box. Generate on the box itself with
        # `age-keygen -o ~/.config/chezmoi/key.txt`, paste its public key
        # here, then `chezmoi age rekey`.
        - age1eja7trs8mmsgf0qga0h5fsdltaryxgk4ksumshar5xxtdx0exy3q0a5hc5  # miche (Strix Halo GPU host)
        - age1tzmsrw59zkvh47pwz66gly3s4hdcru76569s8cgv0syfrpmutdxsnlke30  # byte (CachyOS laptop)
        - age16pl6ad3r44hf3q70xra7fadmllhmnnpmksetr3hr6a0q55kd3f9slvpsdg  # kaiser (services host)
        - age14yfcz6k3m4q99nuvd22ka8zgtgj6q5jmt0sz3cz0004uhcgddfpq49kxw7  # rye (Debian Pi)
        - age19d0dqm6nzmhlhuns2qa3z64rua294xvf6l2uy5we5dlrq6z4yvwq6g4y4e  # crouton (Debian Pi)

data:
    os_family: {{ $osFamily | quote }}
    os_id: {{ .chezmoi.osRelease.id | quote }}

    # Sway/Wayland desktop stack — opt-in at bootstrap time. When you
    # run `chezmoi init` for the first time, you'll be asked:
    #   "Install the sway + wofi + foot Wayland desktop stack? [y/N]"
    # Answering `y` installs the packages and writes the configs.
    # Answering `N` (or pressing enter for default) skips both.
    #
    # To flip later: `touch ~/.config/chezmoi/features/sway` to enable,
    # or `touch ~/.config/chezmoi/features/no-sway` to disable, then
    # `chezmoi apply`. The marker files override the bootstrap answer.
    {{- $swayMarker := not (not (stat (joinPath .chezmoi.homeDir ".config/chezmoi/features/sway"))) }}
    {{- $noSwayMarker := not (not (stat (joinPath .chezmoi.homeDir ".config/chezmoi/features/no-sway"))) }}
    {{- $swayPrompt := promptBool "sway_setup" false }}
    sway_setup: {{ or $swayMarker (and $swayPrompt (not $noSwayMarker)) }}