From 6f4c5e120da7639d4b7f96b04a692b262a1252c9 Mon Sep 17 00:00:00 2001
From: Ivan Malison
Date: Wed, 18 Feb 2026 01:37:46 -0800
Subject: [PATCH] repo hygiene: move secrets to pass; add examples; misc updates
---
 .gitignore | 9 ++
 .../skills/org-agenda-api-production/SKILL.md | 5 +-
 dotfiles/claude/settings.local.json | 30 ++--
 dotfiles/claude/settings.local.json.example | 43 ++++++
 dotfiles/config/asciinema/config | 2 -
 dotfiles/config/asciinema/config.example | 2 +
 dotfiles/config/remmina/remmina.pref | 128 ------------------
 dotfiles/config/remmina/remmina.pref.example | 53 ++++++++
 ...eenCloud.conf => ScreenCloud.conf.example} | 18 +--
 nix-darwin/flake.nix | 4 +-
 nix-darwin/gitea-actions-runner.nix | 9 ++
 nixos/dotfiles-links.nix | 1 -
 nixos/secrets.nix | 1 -
 org-agenda-api/deploy.sh | 2 +-
 org-agenda-api/justfile | 11 +-
 15 files changed, 145 insertions(+), 173 deletions(-)
 create mode 100644 dotfiles/claude/settings.local.json.example
 delete mode 100644 dotfiles/config/asciinema/config
 create mode 100644 dotfiles/config/asciinema/config.example
 delete mode 100644 dotfiles/config/remmina/remmina.pref
 create mode 100644 dotfiles/config/remmina/remmina.pref.example
 rename dotfiles/config/screencloud/{ScreenCloud.conf => ScreenCloud.conf.example} (59%)
diff --git a/.gitignore b/.gitignore
index ab4b6200..7d944135 100644
--- a/.gitignore
+++ b/.gitignore
@@ -36,3 +36,12 @@ gotools
 /dotfiles/config/xmonad/dist-newstyle/
 /dotfiles/config/hypr/hyprscratch.conf
 /.worktrees/
+
+# Secrets and machine-local state (managed via agenix/pass instead of git)
+/dotfiles/config/asciinema/config
+/dotfiles/config/remmina/remmina.pref
+/dotfiles/config/screencloud/ScreenCloud.conf
+
+# Local tool state
+/.playwright-cli/
+/dotfiles/config/taffybar/dbus-menu/
diff --git a/dotfiles/agents/skills/org-agenda-api-production/SKILL.md b/dotfiles/agents/skills/org-agenda-api-production/SKILL.md
index ce38b2b5..327b408b 100644
--- a/dotfiles/agents/skills/org-agenda-api-production/SKILL.md
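Review bot: `dotfiles/claude/settings.local.json` gets a `.example` twin in this patch but, unlike the three config files listed under the new "Secrets and machine-local state" comment, it is neither ignored here nor removed from the index, so the live file stays tracked. If it is meant to be machine-local like the others, add `/dotfiles/claude/settings.local.json` to this block and `git rm --cached` it; if it is meant to stay tracked, the `.example` copy is redundant and will drift. It is also worth saying in the comment that ignoring these paths does nothing for the revisions already committed: `# NOTE: earlier revisions of these files are still in git history; rotate anything they contained`.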
+++ b/dotfiles/agents/skills/org-agenda-api-production/SKILL.md @@ -35,10 +35,7 @@ just create-todo "Test todo" ## Manual curl -```bash -curl -s -u "imalison:$(pass show org-agenda-api/imalison | head -1)" \ - https://colonelpanic-org-agenda.fly.dev/health | jq -``` +Prefer using the `just` recipes above so we don't bake auth syntax into docs. ## Key Endpoints diff --git a/dotfiles/claude/settings.local.json b/dotfiles/claude/settings.local.json index 2441027e..ab5bd118 100644 --- a/dotfiles/claude/settings.local.json +++ b/dotfiles/claude/settings.local.json @@ -9,21 +9,11 @@ "mcp": { "servers": { "gitea-mcp": { - "command": "docker", + "command": "bash", "args": [ - "run", - "-i", - "--rm", - "-e", - "GITEA_ACCESS_TOKEN=ad1e513137d5a15b638f7b4b5f65e1bda1c70cd7", - "-e", - "GITEA_BASE_URL=https://dev.railbird.ai", - "docker.gitea.com/gitea-mcp-server" - ], - "env": { - "GITEA_ACCESS_TOKEN": "ad1e513137d5a15b638f7b4b5f65e1bda1c70cd7", - "GITEA_BASE_URL": "https://dev.railbird.ai" - } + "-lc", + "set -euo pipefail; export GITEA_BASE_URL='https://dev.railbird.ai'; export GITEA_ACCESS_TOKEN=\"$(pass show claude-mcp/gitea-access-token | head -1)\"; exec docker run -i --rm -e GITEA_ACCESS_TOKEN -e GITEA_BASE_URL docker.gitea.com/gitea-mcp-server" + ] }, "chrome-devtools": { "command": "npx", @@ -33,13 +23,11 @@ ] }, "imap-email": { - "command": "npx", - "args": ["-y", "imap-email-mcp"], - "env": { - "IMAP_USER": "IvanMalison@gmail.com", - "IMAP_PASSWORD": "iiobqyuuczibsnmi", - "IMAP_HOST": "imap.gmail.com" - } + "command": "bash", + "args": [ + "-lc", + "set -euo pipefail; export IMAP_USER='IvanMalison@gmail.com'; export IMAP_HOST='imap.gmail.com'; export IMAP_PASSWORD=\"$(pass show claude-mcp/gmail-imap-app-password | head -1)\"; exec npx -y imap-email-mcp" + ] } } }, diff --git a/dotfiles/claude/settings.local.json.example b/dotfiles/claude/settings.local.json.example new file mode 100644 index 00000000..1b78b684 --- /dev/null 
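Review bot: The Gitea access token on the removed `GITEA_ACCESS_TOKEN=` lines is still recoverable from git history, so this hunk only stops further leakage; the token must be revoked at dev.railbird.ai and a fresh one stored under `claude-mcp/gitea-access-token`. The same applies to every other credential this patch deletes (the asciinema token, the Remmina `secret`, the ScreenCloud and imgur tokens, the runner registration token in flake.nix) unless history is rewritten, and the commit message says "move", not "rotate", so the rotation should be recorded explicitly. Passing `-e GITEA_ACCESS_TOKEN` with no value so docker reads it from the exported environment is an improvement over the old form, which put the token on the `docker run` command line where `ps` could see it.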
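Review bot: The Gmail app password on the removed `IMAP_PASSWORD` line is permanent history now, so it needs to be revoked in the Google account (app passwords can be deleted individually) rather than only moved into `pass`. Separately, the new `bash -lc` wrapper runs a login shell, and anything a profile script prints to stdout lands in the stdio channel that `imap-email-mcp` speaks JSON-RPC over, as I understand the stdio transport; if `-l` is only there to get `pass` and `npx` onto `PATH`, prefer `bash -c` with explicit paths, or make sure the login profiles are silent. The `gitea-mcp` wrapper above has the same shape.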
+++ b/dotfiles/claude/settings.local.json.example @@ -0,0 +1,43 @@ +{ + "permissions": { + "allow": [ + "Bash(find:*)", + "Bash(cat:*)" + ], + "deny": [] + }, + "mcp": { + "servers": { + "gitea-mcp": { + "command": "docker", + "args": [ + "run", + "-i", + "--rm", + "-e", + "GITEA_ACCESS_TOKEN", + "-e", + "GITEA_BASE_URL=https://dev.railbird.ai", + "docker.gitea.com/gitea-mcp-server" + ] + }, + "chrome-devtools": { + "command": "npx", + "args": [ + "chrome-devtools-mcp@latest", + "--auto-connect" + ] + }, + "imap-email": { + "command": "npx", + "args": ["-y", "imap-email-mcp"], + "env": {} + } + } + }, + "enabledMcpjsonServers": [ + "chrome-devtools", + "imap-email" + ], + "enableAllProjectMcpServers": true +} diff --git a/dotfiles/config/asciinema/config b/dotfiles/config/asciinema/config deleted file mode 100644 index e4f41207..00000000 --- a/dotfiles/config/asciinema/config +++ /dev/null @@ -1,2 +0,0 @@ -[api] -token = 417ba97c-b532-4e4b-86df-a240314ae840 diff --git a/dotfiles/config/asciinema/config.example b/dotfiles/config/asciinema/config.example new file mode 100644 index 00000000..67e6c3d1 --- /dev/null +++ b/dotfiles/config/asciinema/config.example @@ -0,0 +1,2 @@ +[api] +token = diff --git a/dotfiles/config/remmina/remmina.pref b/dotfiles/config/remmina/remmina.pref deleted file mode 100644 index db3cfec9..00000000 --- a/dotfiles/config/remmina/remmina.pref +++ /dev/null 
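Review bot: `"enableAllProjectMcpServers": true` in this example auto-approves whatever MCP servers a repository's own `.mcp.json` declares (as I understand that setting), so cloning an untrusted repo and opening it is enough to launch an attacker-chosen command with the user's credentials; a template people copy should set it to `false` or omit it. The `Bash(cat:*)` and `Bash(find:*)` allow-rules likewise let the agent read any file the user can without a prompt, including the now-ignored config files that still hold live tokens on disk, so scope them to the repository if the permission syntax supports a path pattern. The empty `"env": {}` on `imap-email` gives no hint that `IMAP_USER`, `IMAP_PASSWORD` and `IMAP_HOST` must be supplied; JSON has no comments, so say so in the README next to the example.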
@@ -1,128 +0,0 @@ -[remmina_pref] -secret=SEkwV+ilNl+x9eTDKU6tLKFTKdJv2OK2ROlV3Z4K0uY= -uid=Linux+4.7.4-1-ARCH+x86_64+en_US+52817413 -bdate=736234 -save_view_mode=true -save_when_connect=true -survey=false -invisible_toolbar=false -floating_toolbar_placement=0 -toolbar_placement=3 -always_show_tab=true -hide_connection_toolbar=false -default_action=0 -scale_quality=3 -ssh_loglevel=1 -screenshot_path=/home/imalison/Pictures -ssh_parseconfig=true -hide_toolbar=false -hide_statusbar=false -small_toolbutton=false -view_file_mode=0 -resolutions=640x480,800x600,1024x768,1152x864,1280x960,1400x1050 -keystrokes=Send hello world§hello world\\n -main_width=668 -main_height=1321 -main_maximize=false -main_sort_column_id=1 -main_sort_order=0 -expanded_group= -toolbar_pin_down=false -sshtunnel_port=4732 -applet_new_ontop=false -applet_hide_count=false -applet_enable_avahi=false -disable_tray_icon=false -dark_tray_icon=false -recent_maximum=10 -default_mode=0 -tab_mode=0 -show_buttons_icons=0 -show_menu_icons=0 -auto_scroll_step=10 -hostkey=65508 -shortcutkey_fullscreen=102 -shortcutkey_autofit=49 -shortcutkey_nexttab=65363 -shortcutkey_prevtab=65361 -shortcutkey_scale=115 -shortcutkey_grab=65508 -shortcutkey_screenshot=65481 -shortcutkey_minimize=65478 -shortcutkey_disconnect=65473 -shortcutkey_toolbar=116 -vte_font= -vte_allow_bold_text=true -vte_lines=512 -vte_system_colors=false -vte_foreground_color=rgb(192,192,192) -vte_background_color=rgb(0,0,0) -rdp_use_client_keymap=0 -rdp_quality_0=6F -rdp_quality_1=7 -rdp_quality_2=1 -rdp_quality_9=80 -datadir_path= -remmina_file_name=%G_%P_%N_%h -screenshot_name=remmina_%p_%h_%Y%m%d-%H%M%S -deny_screenshot_clipboard=true -confirm_close=true -use_primary_password=false -unlock_timeout=300 -unlock_password= -lock_connect=false -lock_edit=false -lock_view_passwords=false -enc_mode=1 -audit=false -trust_all=false -prevent_snap_welcome_message=false -last_quickconnect_protocol= -fullscreen_on_auto=true -always_show_notes=false 
-hide_searchbar=false -ssh_tcp_keepidle=20 -ssh_tcp_keepintvl=10 -ssh_tcp_keepcnt=3 -ssh_tcp_usrtimeout=60000 -dark_theme=false -fullscreen_toolbar_visibility=0 -shortcutkey_multimon=65365 -shortcutkey_viewonly=109 -vte_shortcutkey_copy=99 -vte_shortcutkey_paste=118 -vte_shortcutkey_select_all=97 -vte_shortcutkey_increase_font=65365 -vte_shortcutkey_decrease_font=65366 -vte_shortcutkey_search_text=103 -grab_color=#00ff00 -grab_color_switch=false - -[ssh_colors] -background=#d5ccba -cursor=#45373c -cursor_foreground=#d5ccba -highlight=#45373c -highlight_foreground=#d5ccba -colorBD=#45373c -foreground=#45373c -color0=#20111b -color1=#be100e -color2=#858162 -color3=#eaa549 -color4=#426a79 -color5=#97522c -color6=#989a9c -color7=#968c83 -color8=#5e5252 -color9=#be100e -color10=#858162 -color11=#eaa549 -color12=#426a79 -color13=#97522c -color14=#989a9c -color15=#d5ccba - -[remmina] -name= -ignore-tls-errors=1 diff --git a/dotfiles/config/remmina/remmina.pref.example b/dotfiles/config/remmina/remmina.pref.example new file mode 100644 index 00000000..cae04207 --- /dev/null +++ b/dotfiles/config/remmina/remmina.pref.example 
@@ -0,0 +1,53 @@ +[remmina_pref] +secret= +uid= +bdate= +save_view_mode=true +save_when_connect=true +survey=false +invisible_toolbar=false +floating_toolbar_placement=0 +toolbar_placement=3 +always_show_tab=true +hide_connection_toolbar=false +default_action=0 +scale_quality=3 +ssh_loglevel=1 +screenshot_path= +ssh_parseconfig=true +hide_toolbar=false +hide_statusbar=false +small_toolbutton=false +view_file_mode=0 +resolutions=640x480,800x600,1024x768,1152x864,1280x960,1400x1050 +main_width=0 +main_height=0 +main_maximize=false +main_sort_column_id=1 +main_sort_order=0 +expanded_group= +toolbar_pin_down=false +sshtunnel_port=4732 +applet_new_ontop=false +applet_hide_count=false +applet_enable_avahi=false +disable_tray_icon=false +dark_tray_icon=false +recent_maximum=10 +default_mode=0 +tab_mode=0 +show_buttons_icons=0 +show_menu_icons=0 +auto_scroll_step=10 +confirm_close=true +use_primary_password=false +unlock_timeout=300 +unlock_password= +lock_connect=false +lock_edit=false +lock_view_passwords=false +enc_mode=1 +audit=false +trust_all=false +prevent_snap_welcome_message=false +last_quickconnect_protocol= diff --git a/dotfiles/config/screencloud/ScreenCloud.conf b/dotfiles/config/screencloud/ScreenCloud.conf.example similarity index 59% rename from dotfiles/config/screencloud/ScreenCloud.conf rename to dotfiles/config/screencloud/ScreenCloud.conf.example index 4f37b64f..457b68df 100644 --- a/dotfiles/config/screencloud/ScreenCloud.conf +++ b/dotfiles/config/screencloud/ScreenCloud.conf.example @@ -4,9 +4,9 @@ first-run=false [account] email=IvanMalison@gmail.com -logged-in=true +logged-in=false token= -token-secret=d3f4ef69df4242e9b10ca034b28f6831 +token-secret= [hotkeys] captureFullScreen=Shift+Alt+1 
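Review bot: Leaving `secret=` empty in the example is correct, but note what it replaces: the value in the deleted `remmina.pref` is, as far as I know, the key Remmina uses to encrypt passwords saved in `.remmina` connection profiles, so any profile saved while that key was in git should have its credentials changed, not just the key regenerated. Since Remmina reads this file with GKeyFile, which accepts `#` comments, a line above it would help whoever copies the template: `# leave empty; Remmina generates a fresh key on first start (verify on your version)`.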
@@ -31,10 +31,10 @@ proxy-req-auth=false check-updates-automatically=true [uploaders] -imgur\access-token=bcea050c708998597610f22a20c2121afa4cfad9 -imgur\anonymous=false -imgur\copy-direct-link=false -imgur\copy-link=true -imgur\name-format=Screenshot at %H:%M:%S -imgur\refresh-token=9890577aa0486ecb5ddc5a04cf9ceb0228e91b26 -imgur\username= +imgur\\access-token= +imgur\\anonymous=false +imgur\\copy-direct-link=false +imgur\\copy-link=true +imgur\\name-format=Screenshot at %H:%M:%S +imgur\\refresh-token= +imgur\\username= diff --git a/nix-darwin/flake.nix b/nix-darwin/flake.nix index a6e85d0e..44fefa32 100644 --- a/nix-darwin/flake.nix +++ b/nix-darwin/flake.nix @@ -49,7 +49,9 @@ enable = true; name = config.networking.hostName; url = "https://dev.railbird.ai"; - token = "H0A7YXAWsKSp9QzvMymfJI12hbxwR7UerEHpCJUe"; + # Keep the runner registration token out of git. + # Create this file on the machine before the runner is (re)registered. + tokenFile = "/var/lib/gitea-runner/nix/token"; labels = [ "nix-darwin-${pkgs.system}:host" "macos-aarch64-darwin" diff --git a/nix-darwin/gitea-actions-runner.nix b/nix-darwin/gitea-actions-runner.nix index 645f7744..2254511b 100644 --- a/nix-darwin/gitea-actions-runner.nix +++ b/nix-darwin/gitea-actions-runner.nix @@ -18,6 +18,10 @@ with lib; let tokenXorTokenFile = instance: (instance.token == null && instance.tokenFile != null) || (instance.token != null && instance.tokenFile == null); + + # Render a tokenFile (path or string) into the shell snippet used by launchd. + tokenFilePath = instance: + if instance.tokenFile == null then null else toString instance.tokenFile; in { options.services.gitea-actions-runner = { package = mkOption { 
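Review bot: The key names in this hunk change from `imgur\access-token` to `imgur\\access-token` alongside the blanking of the values; Qt's INI writer stores the `uploaders/imgur/...` sub-path with a single backslash, so the doubled form looks like an accidental escape introduced by whatever tool blanked the tokens, and a copy of this example would then carry keys ScreenCloud never reads. Diff the example against a freshly written `ScreenCloud.conf` to confirm, and restore the single backslash if so: `imgur\access-token=`. I have not checked how this Qt version unescapes `\\` in keys, so treat this as a check rather than a certainty.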
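Review bot: The registration token removed on the `token =` line stays in git history, and act_runner registration tokens are long-lived as far as I know, so it should be regenerated in the Gitea admin UI before the runner is re-registered from the new `tokenFile`. The new comment says to create the file but not how; since the setup script runs from launchd as root and this token is the only thing gating registration, extend it: `# Create this file on the machine (root:wheel, mode 0600) before the runner is (re)registered.` Setting only `tokenFile` here satisfies the `tokenXorTokenFile` check in gitea-actions-runner.nix, which should reject a config that sets both.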
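Review bot: The comment on `tokenFilePath` advertises that `tokenFile` may be a Nix path, but a path literal inside a flake resolves to the store copy of the flake source, which is world-readable and already in git, so `toString ./token` would defeat the purpose of the option; only an absolute string outside the repository is safe here. Replace the comment with `# tokenFile must be an absolute string path outside the flake (a path literal would point into the world-readable store copy of the source).` and, if the option's `type` (declared outside this hunk) is `types.nullOr types.path`, consider narrowing it to `types.nullOr types.str`. The enclosing `let` block starts before this hunk.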
@@ -154,6 +158,11 @@ in {
 "${pkgs.writeShellScript "gitea-runner-setup-${name}" ''
 mkdir -p /var/lib/gitea-runner/${name}
 cd /var/lib/gitea-runner/${name}
+ ${
+ if instance.tokenFile != null then ''
+ TOKEN="$(${pkgs.coreutils}/bin/cat ${escapeShellArg (tokenFilePath instance)})"
+ '' else ""
+ }
 if [ ! -e "/var/lib/gitea-runner/${name}/.runner" ]; then
 ${cfg.package}/bin/act_runner register --no-interactive \
 --instance ${escapeShellArg instance.url} \
diff --git a/nixos/dotfiles-links.nix b/nixos/dotfiles-links.nix
index 687c22ba..86dfa999 100644
--- a/nixos/dotfiles-links.nix
+++ b/nixos/dotfiles-links.nix
@@ -62,4 +62,3 @@ in
 ".emacs.d".source = oos "${worktreeDotfiles}/emacs.d";
 };
 }
-
diff --git a/nixos/secrets.nix b/nixos/secrets.nix
index 066d3bf4..7fdc4c9a 100644
--- a/nixos/secrets.nix
+++ b/nixos/secrets.nix
@@ -7,7 +7,6 @@
 ];
 age.secrets.gpg-keys.file = ./secrets/gpg-keys.age;
 age.secrets.gpg-passphrase.file = ./secrets/gpg-passphrase.age;
-
 systemd.user.services.import-gpg-key = {
 Unit = {
 Description = "Import GPG private key";
diff --git a/org-agenda-api/deploy.sh b/org-agenda-api/deploy.sh
index c5381ec1..9246fa18 100755
--- a/org-agenda-api/deploy.sh
+++ b/org-agenda-api/deploy.sh
@@ -71,7 +71,7 @@ echo " dotfiles: $DOTFILES_REV"
 echo "Building container from flake..."
 nix build "$NIXOS_DIR#${INSTANCE}-org-agenda-api" -o "result-${INSTANCE}-org-agenda-api" --refresh \
 --option extra-substituters "https://org-agenda-api.cachix.org" \
- --option extra-trusted-public-keys "org-agenda-api.cachix.org-1:MzzlSeQpJ/erP9/qYU6EiS4LM4AHA/mpc8s4thtEvNI="
+ --option extra-trusted-public-keys "org-agenda-api.cachix.org-1:MzzlSeQpJ/erP9/qYU6EiS4LM4AHA/mpc8s4thtEvNI=" # gitleaks:allow
 # Load into Docker
 echo "Loading container into Docker..."
diff --git a/org-agenda-api/justfile b/org-agenda-api/justfile
index 711ca31b..312ca607 100644
--- a/org-agenda-api/justfile
+++ b/org-agenda-api/justfile
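Review bot: `TOKEN="$(… cat …)"` has no failure handling, and `pkgs.writeShellScript` does not enable `set -e`, so a missing or unreadable token file leaves `TOKEN` empty and the script proceeds to `act_runner register` with no token (unless a `set -e` earlier in the script, outside this hunk, catches it). Guard it inside the same snippet: `TOKEN="$(${pkgs.coreutils}/bin/cat ${escapeShellArg (tokenFilePath instance)})" || exit 1` followed by `[ -n "$TOKEN" ] || { echo "gitea-runner: token file is empty" >&2; exit 1; }`. The `register` invocation that should consume `$TOKEN` continues past the end of the hunk, so I could not confirm that `--token "$TOKEN"` is wired in.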
@@ -5,23 +5,23 @@ user := "imalison"
 # Get all todos
 get-all-todos:
- @curl -s -u "{{user}}:$(pass show org-agenda-api/imalison | head -1)" "{{base_url}}/get-all-todos" | jq .
+ @curl -s -u "{{user}}:$(pass show org-agenda-api/imalison | head -1)" "{{base_url}}/get-all-todos" | jq . # gitleaks:allow
 # Get today's agenda
 get-todays-agenda:
- @curl -s -u "{{user}}:$(pass show org-agenda-api/imalison | head -1)" "{{base_url}}/get-todays-agenda" | jq .
+ @curl -s -u "{{user}}:$(pass show org-agenda-api/imalison | head -1)" "{{base_url}}/get-todays-agenda" | jq . # gitleaks:allow
 # Get agenda (day view)
 agenda:
- @curl -s -u "{{user}}:$(pass show org-agenda-api/imalison | head -1)" "{{base_url}}/agenda" | jq .
+ @curl -s -u "{{user}}:$(pass show org-agenda-api/imalison | head -1)" "{{base_url}}/agenda" | jq . # gitleaks:allow
 # Get agenda files
 agenda-files:
- @curl -s -u "{{user}}:$(pass show org-agenda-api/imalison | head -1)" "{{base_url}}/agenda-files" | jq .
+ @curl -s -u "{{user}}:$(pass show org-agenda-api/imalison | head -1)" "{{base_url}}/agenda-files" | jq . # gitleaks:allow
 # Get todo states
 todo-states:
- @curl -s -u "{{user}}:$(pass show org-agenda-api/imalison | head -1)" "{{base_url}}/todo-states" | jq .
+ @curl -s -u "{{user}}:$(pass show org-agenda-api/imalison | head -1)" "{{base_url}}/todo-states" | jq . # gitleaks:allow
 # Health check
 health:
@@ -29,6 +29,7 @@ health:
 # Create a todo
 create-todo title:
+ # gitleaks:allow
 @curl -s -X POST -u "{{user}}:$(pass show org-agenda-api/imalison | head -1)" \
 -H "Content-Type: application/json" \
 -d '{"title": "{{title}}"}' \
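Review bot: Every recipe in this hunk runs `curl -s … | jq .`, so an HTTP 401 or 403 from `{{base_url}}` (a stale `pass` entry, for instance) is indistinguishable from success: curl exits 0, jq pretty-prints the error body, and the recipe's status is whatever jq returns. Add `-f` (and `-S` so errors stay visible under `-s`) so the recipe fails on a non-2xx response, e.g. `@curl -sSf -u "{{user}}:$(pass show org-agenda-api/imalison | head -1)" "{{base_url}}/get-all-todos" | jq . # gitleaks:allow`, or `--fail-with-body` on curl 7.76+ if the error JSON is wanted. The trailing `# gitleaks:allow` markers are fine as shell comments here, since each recipe line is one shell command.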