From 530337679f64e9719bed38d8a77eed41b8749bc2 Mon Sep 17 00:00:00 2001
From: Tyler Mayoff
Date: Mon, 30 Sep 2024 20:09:37 -0400
Subject: [PATCH] New encyption scheme

---
 .chezmoi.toml.tmpl | 9 ++++-----
 .chezmoiignore | 1 +
 dot_config/home-manager/home/common.nix | 2 ++
 key.txt.age | 10 ++++++++++
 run_once_before_decrypt-private-key.sh.tmpl | 7 +++++++
 5 files changed, 24 insertions(+), 5 deletions(-)
 create mode 100644 .chezmoiignore
 create mode 100644 key.txt.age
 create mode 100644 run_once_before_decrypt-private-key.sh.tmpl

diff --git a/.chezmoi.toml.tmpl b/.chezmoi.toml.tmpl
index d6a4d45..3a9b232 100644
--- a/.chezmoi.toml.tmpl
+++ b/.chezmoi.toml.tmpl
@@ -1,5 +1,4 @@
-encryption = "gpg"
-[gpg]
- symmetric = true
- args = ["--batch", "--no-symkey-cache"]
-
+encryption = "age"
+[age]
+ identity = "~/.config/chezmoi/key.txt"
+ recipient = "age1c4y054wg5yqde4nvsfvx20tj9k3a5adwxc48zye0udsxe2p7hfws96tnjg"
diff --git a/.chezmoiignore b/.chezmoiignore
new file mode 100644
index 0000000..b022973
--- /dev/null
+++ b/.chezmoiignore
@@ -0,0 +1 @@
+key.txt.age
diff --git a/dot_config/home-manager/home/common.nix b/dot_config/home-manager/home/common.nix
index 4627fa3..5853ac8 100644
--- a/dot_config/home-manager/home/common.nix
+++ b/dot_config/home-manager/home/common.nix
@@ -52,6 +52,8 @@ in rec {
 unstable.nix-output-monitor
+ # dotfiles
+ age
 chezmoi
 # backup
diff --git a/key.txt.age b/key.txt.age
new file mode 100644
index 0000000..48e06ee
--- /dev/null
+++ b/key.txt.age
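Review bot: `identity = "~/.config/chezmoi/key.txt"` names the key path a third way in this commit — the run_once script checks and chmods `/home/tyler/.config/chezmoi/key.txt` but writes to `${HOME}/.config/chezmoi/key.txt` — so on any host where `$HOME` is not `/home/tyler` the config and the script disagree about where the identity lives. Since this file is a template, `identity = "{{ .chezmoi.homeDir }}/.config/chezmoi/key.txt"` makes the location explicit and gives the script a single value to reuse; chezmoi is, as far as I recall, documented as expanding `~` in this setting, so the current line presumably works on the author's machine and the point is consistency rather than breakage. A comment above `recipient` such as `# public half of key.txt.age; rotating the key means changing this and re-encrypting every *.age file in the source dir` would spare the next person from discovering that coupling the hard way.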
@@ -0,0 +1,10 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNjcnlwdCA5Sy9KanQrcTczVnAyWVdr
+cXJrWDJBIDE4CmFBaTExUTdBbWdmWTF6b2IvSElCb1FzQ0I5UUZGMUxobmxTMUtQ
+aS93UDgKLS0tIFRxaDRnSnJoWmpJTkRxRlJPTmlTWUJHV25kbFJaeHpaUkFXZ0tS
+bmc1ZGMKX/iyf4oIQmn+X1LT5bwFVBI5TxXdX5rSLodi5LFWkBnG/YsUn/EL0Lun
+E6OdaaEXXIPMoVZO1gjDEf5NVaVkBI92O00+09EeAW8RaEaF3mVIcO7j/GHDaCEk
+iq5g26lPxTp6V/jVRpqKmhxawrlKyc7nHCFMJoWtFq3hjxjV1pzFYAf+askvBzAS
+0z0zwL9keIdpzok3kjO32Rkox1DpfQougE+7JpICW7mGpxovB+3L/MGLYNzXVVYR
+ueQBmEXnLkC9ubAAFIHPE3iHFkgLTNLBGaiv6TeP9DJcQZM=
+-----END AGE ENCRYPTED FILE-----
diff --git a/run_once_before_decrypt-private-key.sh.tmpl b/run_once_before_decrypt-private-key.sh.tmpl
new file mode 100644
index 0000000..f5e65fb
--- /dev/null
+++ b/run_once_before_decrypt-private-key.sh.tmpl
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+if [ ! -f "/home/tyler/.config/chezmoi/key.txt" ]; then
+ mkdir -p "/home/tyler/.config/chezmoi"
+ chezmoi age decrypt --output "${HOME}/.config/chezmoi/key.txt" --passphrase "{{ .chezmoi.sourceDir }}/key.txt.age"
+ chmod 600 "/home/tyler/.config/chezmoi/key.txt"
+fi
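Review bot: The armored header of this file decodes to an scrypt (passphrase) stanza at the default work factor, so from this commit on the only thing between anyone who can read the repository — including its history, indefinitely — and the age private key is how well the passphrase resists offline guessing; it needs to be long and random, and the repository should be treated as public-equivalent for this purpose. Because a pushed key can never be unpublished, changing the passphrase later does not help: a weak or leaked passphrase means generating a new key, updating `recipient` in `.chezmoi.toml.tmpl`, and re-encrypting every `.age` file in the source directory. A short note next to the file (a README line, or a comment on the `.chezmoiignore` entry) saying that this is the passphrase-wrapped identity, that it is ignored so it is never placed in `$HOME`, and which `chezmoi age encrypt --passphrase` invocation regenerates it, would make that procedure findable.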
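Review bot: The decrypted private key is written to `${HOME}/.config/chezmoi/key.txt` but the existence check and the `chmod 600` both use the literal `/home/tyler`, so on any host where `$HOME` differs the key is created with umask-default permissions (typically 0644, world-readable) and the chmod silently targets a file that does not exist; even when the paths agree, the key exists briefly at default permissions before the chmod runs. Without `set -e`, a wrong passphrase or a missing `key.txt.age` leaves no key, the script still exits 0, and chezmoi presumably records the run_once script as done, so every later decrypt fails with no obvious cause. Setting `umask 077` before the decrypt, deriving the path once from `{{ .chezmoi.homeDir }}` (the file is a template), and failing on error fixes all three.
```shell
#!/bin/sh
set -eu

key="{{ .chezmoi.homeDir }}/.config/chezmoi/key.txt"

if [ ! -f "$key" ]; then
    # umask 077 makes both the directory and the key 0600/0700 on creation,
    # so there is no window where the plaintext key is group/world readable.
    umask 077
    mkdir -p "$(dirname "$key")"
    chezmoi age decrypt --output "$key" --passphrase "{{ .chezmoi.sourceDir }}/key.txt.age"
fi
```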