My chezmoi dotfiles are designed to work with and without secrets, conditionally on whether the age private key is available on the current system. For you, an external user, always follow the Without Secrets instructions. You can also clone my repo and replace my secrets with your own, in which case you'll be able to follow the With Secrets instructions.
## With Secrets

This requires that the age private key is available, by default at `~/.config/chezmoi/key.txt`. Configs will include decrypted secrets.

```sh
chezmoi init --source ~/Code/dotfiles --apply --ssh DataLabTechTV/dotfiles
```

## Without Secrets

For systems where the age private key is not available, you won't be able to decrypt any `*.age` secrets that I have committed. I'm also assuming that the SSH private key for this repo is not available on the target system, so I removed the `--ssh` option. While I don't include it here, you can customize your source dir with `--source` as well.

```sh
chezmoi init --apply DataLabTechTV/dotfiles
```

> **Note**
> Notice that `~/.config/chezmoi/chezmoi.toml` won't include the typical configs for age encryption to work. If the age private key becomes available, you'll need to run `chezmoi init` again to regenerate the chezmoi config.
Track a new file (or use `-r` to recursively track all files in a directory):

```sh
chezmoi add ~/.config/app/app.conf
```

Edit a config (use the system path):

```sh
chezmoi edit ~/.config/fish/config.fish
```

Check what changed:

```sh
chezmoi diff
```

Apply changes (files will be copied over to the system path):

```sh
chezmoi apply
```

Encrypt a secret and save it in the repo (not applied, but used in templates):

```sh
chezmoi encrypt /tmp/secret -o ~/Code/dotfiles/.chezmoitemplates/secrets/secret.age
```

Decrypt a secret to stdout:

```sh
chezmoi decrypt ~/Code/dotfiles/.chezmoitemplates/secrets/secret.age
```

Only files ending with `.tmpl` will be rendered as templates (e.g., see `config.fish.tmpl`).
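The encrypt step above is the only way a secret should land under `.chezmoitemplates/secrets/`, so it is worth having a pre-commit check that every file there really is age ciphertext rather than a plaintext file that was copied in by hand. The script below is an added example and not part of the dotfiles repo: it walks a secrets directory and flags files without the `.age` suffix or without an age header (age writes `age-encryption.org/v1` as its first line in binary mode, or a `-----BEGIN AGE ENCRYPTED FILE-----` banner when run with `--armor`). The sample directory it builds is constructed for the demonstration; the directory layout follows the README.

```shell
#!/bin/sh
# Added example, not code from the dotfiles repo: sanity-check a chezmoi
# secrets directory before committing. Every file under it must carry the
# .age suffix and start with an age header, so a plaintext secret copied in
# by mistake (instead of going through `chezmoi encrypt`) is caught.
set -u

# First line of binary age output, and the banner of armored output.
AGE_BINARY_HEADER='age-encryption.org/v1'
AGE_ARMOR_HEADER='-----BEGIN AGE ENCRYPTED FILE-----'

# is_age_file FILE -> 0 if the first line is an age header, 1 otherwise.
# Only the header line is read, so binary payload bytes are never touched.
is_age_file() {
    age_first=''
    IFS= read -r age_first < "$1" || [ -n "$age_first" ] || return 1
    [ "$age_first" = "$AGE_BINARY_HEADER" ] || [ "$age_first" = "$AGE_ARMOR_HEADER" ]
}

# check_secrets_dir DIR -> prints one line per offending file (nothing when clean).
# Assumes file names contain no newlines, which holds for the secrets layout.
check_secrets_dir() {
    find "$1" -type f | sort | while IFS= read -r f; do
        case "$f" in
            *.age) is_age_file "$f" || printf 'not an age file (plaintext secret?): %s\n' "$f" ;;
            *)     printf 'missing .age suffix: %s\n' "$f" ;;
        esac
    done
}

# count_offenders DIR -> number of offending files, 0 meaning the directory is clean.
count_offenders() {
    check_secrets_dir "$1" | wc -l | tr -d ' '
}

# Constructed sample directory: one valid binary-format file, one valid armored
# file, one plaintext file that slipped in, one encrypted file that is mis-named.
make_sample_dir() {
    sample_dir="$(mktemp -d)"
    printf '%s\n' "$AGE_BINARY_HEADER" '-> X25519 constructed-stanza' '---' > "$sample_dir/homelab.mac.age"
    printf '%s\n' "$AGE_ARMOR_HEADER" 'Y29uc3RydWN0ZWQ=' '-----END AGE ENCRYPTED FILE-----' > "$sample_dir/token.age"
    printf 'hunter2\n' > "$sample_dir/password.age"                 # plaintext, wrong
    printf '%s\n' "$AGE_BINARY_HEADER" > "$sample_dir/notes.txt"    # encrypted but mis-named
    printf '%s' "$sample_dir"
}

# Stand-alone run: audit the constructed directory and exit non-zero on findings.
if [ "${1:-}" = "--demo" ]; then
    demo_dir="$(make_sample_dir)"
    check_secrets_dir "$demo_dir"
    [ "$(count_offenders "$demo_dir")" = "0" ]
fi
```

Pointed at the real repo (`check_secrets_dir ~/Code/dotfiles/.chezmoitemplates/secrets`), the script prints nothing when everything went through `chezmoi encrypt`; wiring `count_offenders` into a git pre-commit hook turns it into a gate.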
In order to include the content of an encrypted file, you can use something like this:

```
{{ include ".chezmoitemplates/secrets/secret.age" | decrypt | trim }}
```

This includes a file from the root of the dotfiles repo and, in this case, decrypts it, as long as you have the age private key set up at the path described in the chezmoi config. We usually add `trim` as well, since age encrypted files tend to have a newline at the end, regardless of the original file (I might be wrong).
If you need to escape `{{ ... }}`, the cleaner way is to use the following strategy, with template variables:

```fish
{{ $podman_fmt := "{{.Host.RemoteSocket.Path}}" -}}
set -x DOCKER_HOST unix://(podman info --format '{{ $podman_fmt }}')
```

Any variable defined in the chezmoi config file, under `[data]`, can be accessed globally in any config template. For example, we use it to check whether an age private key was configured, when we need to use decrypted values in our configs.
```fish
{{ if .hasAgePrivateKey }}
{{- $homelab_mac := include ".chezmoitemplates/secrets/homelab.mac.age" | decrypt | trim -}}
abbr wake-delorean sudo ether-wake {{ $homelab_mac }}
{{- end }}
```
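The two halves of the conditional setup, the init behaviour with and without the key described at the top and the `.hasAgePrivateKey` variable consumed by the fish template above, meet in `.chezmoi.toml.tmpl`. The following is an added example of such a config template, not the one from the dotfiles repo: it derives `hasAgePrivateKey` from whether the key file exists at the README's default path and emits the age encryption settings only in that case, which is why `chezmoi init` has to be re-run once a key appears. It uses chezmoi's `stat` and `joinPath` template functions and sprig's `quote`; the `age1...` recipient is a placeholder for your own public key.

```toml
{{/* Added example, not the repo's own .chezmoi.toml.tmpl.                    */}}
{{/* Look for the age identity where the README expects it. `stat` yields a   */}}
{{/* false value when the path does not exist, so the variable is a plain bool. */}}
{{- $keyPath := joinPath .chezmoi.homeDir ".config/chezmoi/key.txt" -}}
{{- $hasAgePrivateKey := false -}}
{{- if stat $keyPath -}}
{{-   $hasAgePrivateKey = true -}}
{{- end -}}

# Top-level keys must precede any [table] in TOML, so the encryption switch
# comes first and is only emitted when the key exists.
{{ if $hasAgePrivateKey -}}
encryption = "age"
{{- end }}

# Exposed to every template as .hasAgePrivateKey, which lets config.fish.tmpl
# skip the blocks that would otherwise call `decrypt` without a key.
[data]
    hasAgePrivateKey = {{ $hasAgePrivateKey }}

{{ if $hasAgePrivateKey -}}
[age]
    identity = {{ $keyPath | quote }}
    recipient = "age1PLACEHOLDER_REPLACE_WITH_YOUR_PUBLIC_KEY"
{{- end }}
```

Without the key, the rendered `chezmoi.toml` contains only the `[data]` table with `hasAgePrivateKey = false`, so templates degrade to their non-secret branches instead of failing at `decrypt`; with the key present, the same template enables age and points `identity` at it.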