rain/gnu-plus-dotfiles
rain/gnu-plus-dotfiles
1
0
Fork 0
Code Wiki Activity
gnu-plus-dotfiles/README.md
rain d61ffacc22 omp secrets: use encrypted_private_ prefix (decrypts + 0600) 
chezmoi parses attribute prefixes left-to-right and 'encrypted_' must
precede 'private_'. The 'private_encrypted_' order silently breaks
decryption: chezmoi consumes 'private_', then treats 'encrypted_foo.age'
as a literal filename and copies the ciphertext verbatim instead of
decrypting it.

models.yml was named 'private_encrypted_models.yml.age' since commit
3c3fab7 and was never decrypting — a stale 'encrypted_models.yml.age'
blob was sitting in ~/.omp/agent/ and the plaintext models.yml was an
unmanaged leftover. .env and zai.key used the plain 'encrypted_'
prefix and were decrypting at umask 0644 (world-readable in isolation;
the 700 ~/.omp/agent/ dir was the only thing shielding them).

This commit:

  * renames all three to encrypted_private_{zai.key,.env,models.yml}.age
    so chezmoi decrypts AND lands them at 0600 natively
  * rewrites run_onchange_35 as 'ensure-omp-secret-perms.sh' covering
    all three, as belt-and-suspenders for any box where a secret still
    sits at 0644 from a prior apply
  * removes the stale encrypted_models.yml.age verbatim blob and its
    orphan state entry
  * corrects the README perms section to document the prefix-order
    gotcha (was misleadingly claiming 'private_' alone gave 0600)

Verified end-to-end on this box: chezmoi managed lists all three as
decrypted targets, scoped apply writes them at 600, chmod script is
idempotent. Other boxes need a 'chezmoi apply' to pick up the rename
and the onchange chmod.
2026-06-25 18:33:58 -04:00

175 lines
No EOL
11 KiB
Markdown
Raw Blame History

# gnu-plus-dotfiles
Chezmoi-managed dotfiles synced across all your linux boxes.
Source of truth: `~/.local/share/chezmoi` on your main workstation.
Remote: `https://git.melonbread.xyz/rain/gnu-plus-dotfiles.git` (HTTPS for bootstrap, SSH from your main workstation for push — see Onboarding below).
## Branches
- `main` — current, bootstrap-enabled. All active work.
- `legacy-2025` — frozen snapshot of the pre-chezmoi-bootstrap config. Read-only.
## What's in here
```
.chezmoi.yaml.tmpl os_family detection (debian | arch | gentoo)
dot_zshrc.tmpl zsh config with os_family-conditional aliases
dot_tmux.conf tmux + tpm + gruvbox plugin stack
dot_gitconfig.tmpl git + delta
dot_config/
bat/ bat config
btop/ btop theme + options
ghostty/ ghostty terminal + gruvbox themes
kitty/ kitty terminal + gruvbox themes
nvim/ LazyVim + custom plugins
paru/ (arch-only) paru config
sway/ sway + wofi + foot configs (desktops only)
foot/ foot terminal config
wofi/ wofi launcher configs + CSS
waybar/ waybar status bar
mako/ (arch-only) mako notification daemon
run_once_00-install-bootstrap-tools.sh.tmpl age, curl, git, base-devel (pacman/apt/emerge)
run_once_05-install-hosts.sh.tmpl merge LAN host entries into /etc/hosts
run_once_10-add-chaotic-aur.sh.tmpl (arch-only) chaotic-aur + paru
run_once_10-add-gentoo-overlays.sh.tmpl (gentoo-only) enable GURU overlay
run_once_20-install-user-packages.sh.tmpl (arch+debian) user package set
run_once_20-install-user-packages-gentoo.sh.tmpl (gentoo-only) user package set via emerge
run_onchange_30-ensure-cargo.sh.tmpl rustup + bat/topgrade/cargo-update (all 3 OSes)
run_once_40-install-sway.sh.tmpl (arch+debian) sway + wofi + foot
run_once_40-install-sway-gentoo.sh.tmpl (gentoo-only) sway stack via emerge
```
## Gentoo notes
Gentoo support was added 2026-06-23 with the GURU overlay requirement. Key differences from arch/debian:
- **No binary packages by default** — `emerge` compiles from source. The bootstrap scripts set `--ask=n --nospinner --quiet-build --keep-going` so installs don't prompt and don't abort on a single failure.
- **USE flags matter** — `run_once_20-install-user-packages-gentoo.sh` writes to `/etc/portage/package.use/zz-gentoo-bootstrap` BEFORE emerging, so the right features are enabled for `eza`, `foot`, `waybar`, etc.
- **GURU overlay is required** — `run_once_10-add-gentoo-overlays.sh` runs `eselect repository enable guru` + `emaint sync -r guru`. Many user packages (eza, lazygit, topgrade) live in GURU; the main tree alone won't suffice.
- **Per-machine os-release parsing** — Gentoo's `/etc/os-release` uses single-quoted values (e.g. `ID='gentoo'`), and the parser doesn't strip them, so the `os_family` template strips them with `trimAll "'"`. Without that fix, `.chezmoi.osRelease.id` returns `'gentoo'` (with literal quotes), and the `eq "gentoo"` test fails.
- **bun is not in any gentoo overlay** — the official curl installer (`curl -fsSL https://bun.sh/install | bash`) is the fallback path, just like debian.
## Onboarding a new box
**One command.** Copy/paste this on a fresh debian-stable or arch-base install:
```bash
sh -c "$(curl -fsSL https://raw.githubusercontent.com/...")" -- -b "$HOME/.local/bin" \
&& export PATH="$HOME/.local/bin:$PATH" \
&& chezmoi init --apply https://git.melonbread.xyz/rain/gnu-plus-dotfiles.git
```
Or as a heredoc that installs chezmoi then runs the bootstrap (more verbose, easier to read):
```bash
export PATH="$HOME/.local/bin:$PATH"
sh -c "$(curl -fsSL get.chezmoi.io)" -- -b "$HOME/.local/bin"
chezmoi init --apply https://git.melonbread.xyz/rain/gnu-plus-dotfiles.git
```
The bootstrap scripts run automatically as part of `chezmoi init --apply`. They will:
1. **run_once_00**: install `age`, `git`, `curl`, `ca-certificates` via the OS package manager
2. **run_once_05**: merge LAN host entries (`miche.local`, `kaiser.local`, etc.) into `/etc/hosts` so omp/curl can resolve them
3. **run_once_10** (arch only): add Chaotic-AUR repo + signing key, install `paru`
4. **run_once_20**: install zsh, tmux, neovim (binary tarball, arch-aware URL), oh-my-zsh + plugins (autosuggestions, syntax-highlighting, history-substring-search, fzf-tab), tpm, all modern CLI tools (`bat` via cargo or PM, `btop`, `eza`, `fzf`, `fd`, `ripgrep`, `zoxide`, `starship`, `lazygit`, `yt-dlp`, `jq`, etc.), set zsh as login shell (via `sudo chsh`), install Maple Mono NF font (GitHub release zip)
5. **run_onchange_30**: ensure rustup/cargo; install topgrade (`pacman` on arch via chaotic-aur, `cargo` on debian) and cargo-update
After bootstrap completes (~5-10 min on x86_64, longer on aarch64 with `cargo install bat`):
```bash
exec zsh
```
fastfetch will run on shell start, starship prompt active, all tools on PATH.
### Per-machine age key (required to decrypt secrets)
The repo contains encrypted secrets (`~/.omp/agent/zai.key`, `~/.omp/agent/.env`, `~/.omp/agent/models.yml`) that only your per-machine age key can decrypt. After bootstrap, generate the key on this box:
```bash
age-keygen -o ~/.config/chezmoi/key.txt
# Paste the printed public key into ~/.local/share/chezmoi/.chezmoi.yaml.tmpl
# under the recipients list, then:
cd ~/.local/share/chezmoi
git pull
# (You'll be prompted to add --force if you have local changes)
chezmoi apply
```
If you skip this step, the omp config files will still land (they're not encrypted), but `zai.key` and `.env` will be missing and omp won't be able to authenticate against providers.
### Why `models.yml` is encrypted (and not in `zai.key`)
omp v16.1.16 has a quirk: the built-in `zai` provider routes to `https://api.z.ai/api/anthropic` (Anthropic-compatible endpoint) which requires `x-api-key`. omp only sends `Authorization: Bearer`, so the built-in provider always 401s on real Z.ai API keys.
Workaround: define a custom `zai-coding` provider in `~/.omp/agent/models.yml` pointing at the OpenAI-compatible endpoint `https://api.z.ai/api/coding/paas/v4` (which DOES accept `Authorization: Bearer`).
Gotcha: omp's `apiKey:` field in custom providers expects a **literal key value** — NOT an env var name. `apiKey: ZAI_CODING_API_KEY` was being treated as the literal string `ZAI_CODING_API_KEY` and sent as `Authorization: Bearer ZAI_CO...KEY` → 401. The encrypted `models.yml` in this repo contains the literal Z.ai API key in `apiKey:` (same key that's in `zai.key`).
All three omp secrets (`zai.key`, `.env`, `models.yml`) are committed as `encrypted_private_*.age`. The prefix order matters: chezmoi parses attribute prefixes left-to-right, and `encrypted_` **must** precede `private_`. `encrypted_private_foo.age` decrypts *and* lands at `0600`; the reversed `private_encrypted_foo.age` makes chezmoi consume `private_` and then treat `encrypted_foo.age` as a literal filename (no decryption — the file is copied verbatim, which is how a stale `encrypted_models.yml.age` blob ended up in `~/.omp/agent/`). As belt-and-suspenders for boxes where a secret already sits at umask `0644` from a prior apply, `run_onchange_35-ensure-omp-secret-perms.sh` normalizes all three back to `600`. Never rely on the enclosing `~/.omp/agent/` directory being `700` to protect these; the files carry their own mode.
## Sway / Wayland desktop stack
Sway + wofi + foot + waybar + swaybg/lock/idle + grim/slurp + wl-clipboard is opt-in at bootstrap time. The user decides per-box.
**Bootstrap prompt:** when you run `chezmoi init` for the first time on a new box, you'll be asked:
```
sway_setup (default false)? [y/N]
```
Answer `y` to install the packages + write the configs. Answer `N` (or just press enter) to skip. The answer is captured in `data.sway_setup` in the rendered `~/.config/chezmoi/chezmoi.yaml` and never re-asked.
**Subsequent flips** (per box, takes precedence over the bootstrap answer):
```bash
# Enable sway after the fact:
touch ~/.config/chezmoi/features/sway
chezmoi apply
# Disable sway (e.g. running a desktop headless as a server):
touch ~/.config/chezmoi/features/no-sway
rm -f ~/.config/chezmoi/features/sway
chezmoi apply
```
**Migration from hostname-allowlist:** the previous design auto-enabled sway on hostnames matching `miche`/`byte`/`kaiser`. That was removed. Existing desktops that already had sway installed kept the `~/.config/chezmoi/features/sway` marker, which now serves as the override-on signal — so they still have `sway_setup: true` without re-prompting.
**Migration of `chezmoi.yaml`:** if you ran the new template via SSH (no TTY), the prompt fails with "could not open a new TTY". Run it interactively (`chezmoi init`) from a real terminal, OR pass `--promptBool sway_setup=true|false` to set the value without prompting.
The `run_once_40-install-sway.sh` script:
- exits 0 with no side effects on non-sway boxes
- installs `sway wofi foot swaybg swaylock swayidle grim slurp waybar wl-clipboard` via `pacman` (arch) or `apt` (debian)
- adds `dunst` instead of `mako` on debian (mako isn't packaged for debian)
- creates the `~/.config/chezmoi/features/sway` marker so subsequent applies know it's enabled
The configs in `dot_config/{sway,foot,wofi,waybar,mako}/` are placed unconditionally — they're harmless on Pis (no tools to read them).
Sway is NOT auto-launched. It's installed as a tool you run manually from a TTY (`sway` from TTY1) for light desktops. The install and configs sit ready; launching is your call.
## Editing dotfiles
```bash
chezmoi edit ~/.zshrc # opens in $EDITOR, auto-applies on save
chezmoi diff # see what's pending
chezmoi apply # apply pending changes
chezmoi cd # jump to the source repo
```
From inside `~/.local/share/chezmoi`, you can `git status`, `git diff`, `git push` like any normal repo.
## Common gotchas
- **Neovim too old on Debian**: `run_once_20` detects this and installs the official binary. If you see "Edit: command not found" inside LazyVim, neovim <0.9.
- **zsh plugins not loading**: check `~/.oh-my-zsh/custom/plugins/` exists. Bootstrap installs them.
- **paru 404 on arch**: Chaotic-AUR mirrors occasionally lag. Re-run `sudo pacman -Syu` then `chezmoi apply`.
- **fastfetch not running**: command not found, install via package manager. Debian needs `apt install fastfetch` (bookworm+).
- **`Maple Mono NF` font warning in nvim**: bootstrap should have installed it. Verify with `fc-list | grep -i maple`. If missing, see runbook skill `chezmoi-bootstrap-runbook` for manual install.
## Out of scope (intentionally not in repo)
- `~/.config/zsh/functions.zsh` host-specific (reads `~/AI/llama.cpp/key.txt`). Recreate per host.
- KDE plasma configs (kwinrc, kdeglobals, etc.) live state, varies wildly per host.
- Alacritty, foot, fish not in use, drop if you want.
- mpv, topgrade, mako out of scope unless re-added.
View git blame Copy permalink