twpayne / chezmoi

Manage your dotfiles across multiple diverse machines, securely.
https://www.chezmoi.io/
MIT License

chezmoi partially applying #3704

Closed choskeli closed 6 months ago

choskeli commented 6 months ago

What exactly are you trying to do?

I am trying to use this method to only require the password the first time I apply. When I run apply as shown below, some of my files are copied into the appropriate locations, but other files are only in my chezmoi source directory and don't get applied. Even many encrypted files are properly applied and decrypted, such as all my ssh keys. But, for example, my .zshenv is only in the chezmoi source directory and not applied to the correct location (and it's not even encrypted).

$ sh -c "$(curl -fsLS get.chezmoi.io/lb)" -- init --apply --verbose git@github.com:choskeli/dotfiles.git
info found version 2.47.4 for latest/linux/amd64
info installed .local/bin/chezmoi
Cloning into '/home/user/.local/share/chezmoi'...
remote: Enumerating objects: 870, done.
remote: Counting objects: 100% (31/31), done.
remote: Compressing objects: 100% (30/30), done.
remote: Total 870 (delta 14), reused 4 (delta 1), pack-reused 839
Receiving objects: 100% (870/870), 527.11 KiB | 13.18 MiB/s, done.
Resolving deltas: 100% (244/244), done.
diff --git a/decrypt-private-key.sh b/decrypt-private-key.sh
new file mode 100755
index 0000000000000000000000000000000000000000..4ae22ae6b6793d1b6515029d6fa46b2bc611a4f6
--- /dev/null
+++ b/decrypt-private-key.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+export XDG_CONFIG_HOME=${XDG_CONFIG_HOME:-$HOME/.config}
+
+# Copy the templated chezmoi configuration to the correct location
+mkdir -p "/home/user/.config/chezmoi"
+cp "/home/user/.local/share/chezmoi/dot_chezmoi.toml.tmpl" "/home/user/.config/chezmoi/chezmoi.toml"
+
+# Decrypt the repo and save the key so we don't have to enter the passphrase again on this computer
+key_file="$HOME/.config/chezmoi/key.txt"
+
+if [ ! -f "$key_file" ]; then
+   mkdir -p "$(dirname "$key_file")"
+   chmod +x "$HOME/.local/bin/chezmoi"
+   "$HOME/.local/bin/chezmoi" age decrypt --output "$key_file" --passphrase "$HOME/.local/share/chezmoi/key.txt.age"
+   chmod 600 "$key_file"
+fi
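Review bot: the decrypted identity is world-readable for a moment: `"$HOME/.local/bin/chezmoi" age decrypt --output "$key_file" ...` runs under the login umask (022 according to the `chezmoi doctor` output further down), so the file is created 0644 and the following `chmod 600 "$key_file"` only closes the hole after the fact; run the decrypt with a restrictive umask in force instead, e.g. `(umask 077; "$HOME/.local/bin/chezmoi" age decrypt --output "$key_file" --passphrase "$HOME/.local/share/chezmoi/key.txt.age")`, so no other local user can ever read it. Two smaller points in the same hunk: `XDG_CONFIG_HOME` is exported and then ignored, because the `mkdir -p` and `cp` lines hard-code `/home/user/.config/chezmoi` and `/home/user/.local/share/chezmoi` while the later lines use `$HOME`, so the script silently does the wrong thing for any other user; and the `cp` copies `dot_chezmoi.toml.tmpl` verbatim to `chezmoi.toml`, so any template directives in it arrive unrendered.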
chezmoi: no identity matched any of the recipients

What have you tried so far?

I've tried testing in a new environment (in a Docker container) to verify that the behavior I'm seeing is reproducible.

I've verified that my private key, public key and passphrase match up by using age to encrypt and decrypt a test file.

Where else have you checked for solutions?

Output of any commands you've tried with --verbose flag

$ sh -c "$(curl -fsLS get.chezmoi.io/lb)" -- init --apply --verbose git@github.com:choskeli/dotfiles.git
info found version 2.47.4 for latest/linux/amd64
info installed .local/bin/chezmoi
chezmoi: no identity matched any of the recipients

Output of chezmoi doctor

```console
$ chezmoi doctor
RESULT   CHECK                      MESSAGE
ok       version                    v2.47.4, commit d6ad485c86aa6501f5a7754ccba2a2b03d46c1a2, built at 2024-04-12T22:51:34Z, built by goreleaser
ok       latest-version             v2.47.4
ok       os-arch                    linux/amd64 (Fedora Linux 39 (Workstation Edition))
ok       uname                      Linux localhost-live 6.8.6-200.fc39.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Apr 13 15:14:23 UTC 2024 x86_64 GNU/Linux
ok       go-version                 go1.22.2 (gc)
ok       executable                 ~/bin/chezmoi
ok       upgrade-method             replace-executable
ok       config-file                ~/.config/chezmoi/chezmoi.toml, last modified 2024-04-19T16:21:40-04:00
ok       source-dir                 ~/.local/share/chezmoi is a git working tree (clean)
ok       suspicious-entries         no suspicious entries
ok       working-tree               ~/.local/share/chezmoi is a git working tree (clean)
ok       dest-dir                   ~ is a directory
ok       umask                      022
ok       cd-command                 found /bin/bash
ok       cd-args                    /bin/bash
info     diff-command               not set
ok       edit-command               found /usr/bin/nano
ok       edit-args                  /usr/bin/nano
ok       git-command                found /usr/bin/git, version 2.44.0
warning  merge-command              vimdiff not found in $PATH
ok       shell-command              found /bin/bash
ok       shell-args                 /bin/bash
info     age-command                age not found in $PATH
ok       gpg-command                found /usr/bin/gpg, version 2.4.4
info     pinentry-command           not set
info     1password-command          op not found in $PATH
info     bitwarden-command          bw not found in $PATH
info     bitwarden-secrets-command  bws not found in $PATH
info     dashlane-command           dcli not found in $PATH
info     doppler-command            doppler not found in $PATH
info     gopass-command             gopass not found in $PATH
info     keepassxc-command          keepassxc-cli not found in $PATH
info     keepassxc-db               not set
info     keeper-command             keeper not found in $PATH
info     lastpass-command           lpass not found in $PATH
info     pass-command               pass not found in $PATH
info     passhole-command           ph not found in $PATH
info     rbw-command                rbw not found in $PATH
info     vault-command              vault not found in $PATH
info     vlt-command                vlt not found in $PATH
info     secret-command             not set
```

Additional context

Another thing that would be very useful would be if the verbose mode printed out each file as it was applied (not sure if I should open a feature request for this).
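The bootstrap step the reporter describes above (decrypt the age identity once, keep it on disk, and never ask for the passphrase again on that machine), written as an added example that is neither the reporter's script nor chezmoi's own code. It assumes a POSIX sh with GNU or BSD `stat`, and it stands in a `printf` of a constructed placeholder string for the real `chezmoi age decrypt` call (the comment's suggested command line, with the decrypt writing to stdout, is an assumption). What it shows beyond the script in the issue is that a secret file has to be created under a restrictive umask from the start; with the `umask 022` reported by `chezmoi doctor`, creating it and running `chmod 600` afterwards leaves a window in which the private key is world-readable, and a failed decrypt leaves no half-written key behind.

```sh
#!/bin/sh
# Added example, not code from chezmoi or from the issue reporter: bootstrap a
# decrypted age identity so that it is never world-readable, even briefly.
set -eu

# write_secret_file DEST CMD [ARGS...]
# Runs CMD with stdout redirected to a temp file next to DEST inside a subshell
# whose umask is 077, so the file is born 0600 rather than chmod'd later.
# On success the temp file is renamed into place (mv keeps the mode); on
# failure it is removed and CMD's exit status is returned, so a wrong
# passphrase never leaves a partial or empty key file behind.
write_secret_file() {
    dest=$1
    shift
    tmp="$dest.tmp.$$"
    if (umask 077 && mkdir -p "$(dirname "$dest")" && "$@" > "$tmp"); then
        mv -f "$tmp" "$dest"
    else
        rc=$?
        rm -f "$tmp"
        return "$rc"
    fi
}

# bootstrap_key KEY_FILE CMD [ARGS...]
# Idempotent: decrypt only when KEY_FILE does not exist yet, which is the
# "enter the passphrase once per machine" behaviour the issue is after.
bootstrap_key() {
    key_file=$1
    shift
    if [ -f "$key_file" ]; then
        return 0
    fi
    write_secret_file "$key_file" "$@"
}

# file_mode FILE: permission bits in octal; GNU stat first, BSD stat fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Demo with a constructed placeholder identity instead of a real age key.
# With a real repository the command passed to bootstrap_key would be the
# decrypt step, assumed here to write the identity to stdout, e.g.:
#   chezmoi age decrypt --passphrase "$HOME/.local/share/chezmoi/key.txt.age"
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    bootstrap_key "$dir/key.txt" printf '%s\n' 'AGE-SECRET-KEY-1PLACEHOLDER'
    echo "mode: $(file_mode "$dir/key.txt")"   # 600 whatever the caller's umask
    rm -rf "$dir"
fi
```

Run it as `sh bootstrap-key.sh demo` to see the resulting mode; the `umask 077` lives in a subshell, so the caller's umask (and therefore the modes of everything else chezmoi writes) is untouched.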

choskeli commented 6 months ago

Using a debugger, I found it is failing on the 131st file, which is a private ssh key. Does this mean I encrypted this key with the incorrect passphrase?

Assuming that's the case, shouldn't it just print a non-fatal error including the file name and continue to apply the rest of the files? It had already decrypted most of my ssh keys successfully.

@twpayne thoughts?

ErrrorMaxx commented 6 months ago

There is a --keep-going/-k flag which makes chezmoi continue when it encounters an error.

twpayne commented 6 months ago

> Assuming that's the case, shouldn't it just print a non-fatal error including the file name and continue to apply the rest of the files? It had already decrypted most of my ssh keys successfully.

You're right. #3711 includes the file name (which was previously missing), and, as @ErrrorMaxx says, the --keep-going flag tells chezmoi to continue to apply the rest of the files.

Thanks again for your input here -- it has resulted in a clear usability improvement for all users.