repo hygiene: move secrets to pass; add examples; misc updates

2026-02-18 01:37:46 -08:00
parent a5f3ffc21b
commit 6f4c5e120d
15 changed files with 145 additions and 173 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -36,3 +36,12 @@ gotools
 /dotfiles/config/xmonad/dist-newstyle/
 /dotfiles/config/hypr/hyprscratch.conf
 /.worktrees/
+
+# Secrets and machine-local state (managed via agenix/pass instead of git)
+/dotfiles/config/asciinema/config
+/dotfiles/config/remmina/remmina.pref
+/dotfiles/config/screencloud/ScreenCloud.conf
+
+# Local tool state
+/.playwright-cli/
+/dotfiles/config/taffybar/dbus-menu/
--- a/dotfiles/agents/skills/org-agenda-api-production/SKILL.md
+++ b/dotfiles/agents/skills/org-agenda-api-production/SKILL.md
@@ -35,10 +35,7 @@ just create-todo "Test todo"

 ## Manual curl

-```bash
-curl -s -u "imalison:$(pass show org-agenda-api/imalison | head -1)" \
-  https://colonelpanic-org-agenda.fly.dev/health | jq
-```
+Prefer using the `just` recipes above so we don't bake auth syntax into docs.

 ## Key Endpoints

--- a/dotfiles/claude/settings.local.json
+++ b/dotfiles/claude/settings.local.json
@@ -9,21 +9,11 @@
  "mcp": {
    "servers": {
      "gitea-mcp": {
-        "command": "docker",
+        "command": "bash",
        "args": [
-          "run",
-          "-i",
-          "--rm",
-          "-e",
-          "GITEA_ACCESS_TOKEN=ad1e513137d5a15b638f7b4b5f65e1bda1c70cd7",
-          "-e",
-          "GITEA_BASE_URL=https://dev.railbird.ai",
-          "docker.gitea.com/gitea-mcp-server"
-        ],
-        "env": {
-          "GITEA_ACCESS_TOKEN": "ad1e513137d5a15b638f7b4b5f65e1bda1c70cd7",
-          "GITEA_BASE_URL": "https://dev.railbird.ai"
-        }
+          "-lc",
+          "set -euo pipefail; export GITEA_BASE_URL='https://dev.railbird.ai'; export GITEA_ACCESS_TOKEN=\"$(pass show claude-mcp/gitea-access-token | head -1)\"; exec docker run -i --rm -e GITEA_ACCESS_TOKEN -e GITEA_BASE_URL docker.gitea.com/gitea-mcp-server"
+        ]
      },
      "chrome-devtools": {
        "command": "npx",
@@ -33,13 +23,11 @@
        ]
      },
      "imap-email": {
-        "command": "npx",
-        "args": ["-y", "imap-email-mcp"],
-        "env": {
-          "IMAP_USER": "IvanMalison@gmail.com",
-          "IMAP_PASSWORD": "iiobqyuuczibsnmi",
-          "IMAP_HOST": "imap.gmail.com"
-        }
+        "command": "bash",
+        "args": [
+          "-lc",
+          "set -euo pipefail; export IMAP_USER='IvanMalison@gmail.com'; export IMAP_HOST='imap.gmail.com'; export IMAP_PASSWORD=\"$(pass show claude-mcp/gmail-imap-app-password | head -1)\"; exec npx -y imap-email-mcp"
+        ]
      }
    }
  },
--- a/dotfiles/claude/settings.local.json.example
+++ b/dotfiles/claude/settings.local.json.example
@@ -0,0 +1,43 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(find:*)",
+      "Bash(cat:*)"
+    ],
+    "deny": []
+  },
+  "mcp": {
+    "servers": {
+      "gitea-mcp": {
+        "command": "docker",
+        "args": [
+          "run",
+          "-i",
+          "--rm",
+          "-e",
+          "GITEA_ACCESS_TOKEN",
+          "-e",
+          "GITEA_BASE_URL=https://dev.railbird.ai",
+          "docker.gitea.com/gitea-mcp-server"
+        ]
+      },
+      "chrome-devtools": {
+        "command": "npx",
+        "args": [
+          "chrome-devtools-mcp@latest",
+          "--auto-connect"
+        ]
+      },
+      "imap-email": {
+        "command": "npx",
+        "args": ["-y", "imap-email-mcp"],
+        "env": {}
+      }
+    }
+  },
+  "enabledMcpjsonServers": [
+    "chrome-devtools",
+    "imap-email"
+  ],
+  "enableAllProjectMcpServers": true
+}
--- a/dotfiles/config/asciinema/config
+++ b/dotfiles/config/asciinema/config
@@ -1,2 +0,0 @@
-[api]
-token = 417ba97c-b532-4e4b-86df-a240314ae840
--- a/dotfiles/config/asciinema/config.example
+++ b/dotfiles/config/asciinema/config.example
@@ -0,0 +1,2 @@
+[api]
+token =
--- a/dotfiles/config/remmina/remmina.pref
+++ b/dotfiles/config/remmina/remmina.pref
@@ -1,128 +0,0 @@
-[remmina_pref]
-secret=SEkwV+ilNl+x9eTDKU6tLKFTKdJv2OK2ROlV3Z4K0uY=
-uid=Linux+4.7.4-1-ARCH+x86_64+en_US+52817413
-bdate=736234
-save_view_mode=true
-save_when_connect=true
-survey=false
-invisible_toolbar=false
-floating_toolbar_placement=0
-toolbar_placement=3
-always_show_tab=true
-hide_connection_toolbar=false
-default_action=0
-scale_quality=3
-ssh_loglevel=1
-screenshot_path=/home/imalison/Pictures
-ssh_parseconfig=true
-hide_toolbar=false
-hide_statusbar=false
-small_toolbutton=false
-view_file_mode=0
-resolutions=640x480,800x600,1024x768,1152x864,1280x960,1400x1050
-keystrokes=Send hello world§hello world\\n
-main_width=668
-main_height=1321
-main_maximize=false
-main_sort_column_id=1
-main_sort_order=0
-expanded_group=
-toolbar_pin_down=false
-sshtunnel_port=4732
-applet_new_ontop=false
-applet_hide_count=false
-applet_enable_avahi=false
-disable_tray_icon=false
-dark_tray_icon=false
-recent_maximum=10
-default_mode=0
-tab_mode=0
-show_buttons_icons=0
-show_menu_icons=0
-auto_scroll_step=10
-hostkey=65508
-shortcutkey_fullscreen=102
-shortcutkey_autofit=49
-shortcutkey_nexttab=65363
-shortcutkey_prevtab=65361
-shortcutkey_scale=115
-shortcutkey_grab=65508
-shortcutkey_screenshot=65481
-shortcutkey_minimize=65478
-shortcutkey_disconnect=65473
-shortcutkey_toolbar=116
-vte_font=
-vte_allow_bold_text=true
-vte_lines=512
-vte_system_colors=false
-vte_foreground_color=rgb(192,192,192)
-vte_background_color=rgb(0,0,0)
-rdp_use_client_keymap=0
-rdp_quality_0=6F
-rdp_quality_1=7
-rdp_quality_2=1
-rdp_quality_9=80
-datadir_path=
-remmina_file_name=%G_%P_%N_%h
-screenshot_name=remmina_%p_%h_%Y%m%d-%H%M%S
-deny_screenshot_clipboard=true
-confirm_close=true
-use_primary_password=false
-unlock_timeout=300
-unlock_password=
-lock_connect=false
-lock_edit=false
-lock_view_passwords=false
-enc_mode=1
-audit=false
-trust_all=false
-prevent_snap_welcome_message=false
-last_quickconnect_protocol=
-fullscreen_on_auto=true
-always_show_notes=false
-hide_searchbar=false
-ssh_tcp_keepidle=20
-ssh_tcp_keepintvl=10
-ssh_tcp_keepcnt=3
-ssh_tcp_usrtimeout=60000
-dark_theme=false
-fullscreen_toolbar_visibility=0
-shortcutkey_multimon=65365
-shortcutkey_viewonly=109
-vte_shortcutkey_copy=99
-vte_shortcutkey_paste=118
-vte_shortcutkey_select_all=97
-vte_shortcutkey_increase_font=65365
-vte_shortcutkey_decrease_font=65366
-vte_shortcutkey_search_text=103
-grab_color=#00ff00
-grab_color_switch=false
-
-[ssh_colors]
-background=#d5ccba
-cursor=#45373c
-cursor_foreground=#d5ccba
-highlight=#45373c
-highlight_foreground=#d5ccba
-colorBD=#45373c
-foreground=#45373c
-color0=#20111b
-color1=#be100e
-color2=#858162
-color3=#eaa549
-color4=#426a79
-color5=#97522c
-color6=#989a9c
-color7=#968c83
-color8=#5e5252
-color9=#be100e
-color10=#858162
-color11=#eaa549
-color12=#426a79
-color13=#97522c
-color14=#989a9c
-color15=#d5ccba
-
-[remmina]
-name=
-ignore-tls-errors=1
--- a/dotfiles/config/remmina/remmina.pref.example
+++ b/dotfiles/config/remmina/remmina.pref.example
@@ -0,0 +1,53 @@
+[remmina_pref]
+secret=
+uid=
+bdate=
+save_view_mode=true
+save_when_connect=true
+survey=false
+invisible_toolbar=false
+floating_toolbar_placement=0
+toolbar_placement=3
+always_show_tab=true
+hide_connection_toolbar=false
+default_action=0
+scale_quality=3
+ssh_loglevel=1
+screenshot_path=
+ssh_parseconfig=true
+hide_toolbar=false
+hide_statusbar=false
+small_toolbutton=false
+view_file_mode=0
+resolutions=640x480,800x600,1024x768,1152x864,1280x960,1400x1050
+main_width=0
+main_height=0
+main_maximize=false
+main_sort_column_id=1
+main_sort_order=0
+expanded_group=
+toolbar_pin_down=false
+sshtunnel_port=4732
+applet_new_ontop=false
+applet_hide_count=false
+applet_enable_avahi=false
+disable_tray_icon=false
+dark_tray_icon=false
+recent_maximum=10
+default_mode=0
+tab_mode=0
+show_buttons_icons=0
+show_menu_icons=0
+auto_scroll_step=10
+confirm_close=true
+use_primary_password=false
+unlock_timeout=300
+unlock_password=
+lock_connect=false
+lock_edit=false
+lock_view_passwords=false
+enc_mode=1
+audit=false
+trust_all=false
+prevent_snap_welcome_message=false
+last_quickconnect_protocol=
--- a/dotfiles/config/screencloud/ScreenCloud.conf.example
+++ b/dotfiles/config/screencloud/ScreenCloud.conf.example
@@ -4,9 +4,9 @@ first-run=false

 [account]
 email=IvanMalison@gmail.com
-logged-in=true
+logged-in=false
 token=
-token-secret=d3f4ef69df4242e9b10ca034b28f6831
+token-secret=

 [hotkeys]
 captureFullScreen=Shift+Alt+1
@@ -31,10 +31,10 @@ proxy-req-auth=false
 check-updates-automatically=true

 [uploaders]
-imgur\access-token=bcea050c708998597610f22a20c2121afa4cfad9
-imgur\anonymous=false
-imgur\copy-direct-link=false
-imgur\copy-link=true
-imgur\name-format=Screenshot at %H:%M:%S
-imgur\refresh-token=9890577aa0486ecb5ddc5a04cf9ceb0228e91b26
-imgur\username=
+imgur\\access-token=
+imgur\\anonymous=false
+imgur\\copy-direct-link=false
+imgur\\copy-link=true
+imgur\\name-format=Screenshot at %H:%M:%S
+imgur\\refresh-token=
+imgur\\username=
--- a/nix-darwin/flake.nix
+++ b/nix-darwin/flake.nix
@@ -49,7 +49,9 @@
          enable = true;
          name = config.networking.hostName;
          url = "https://dev.railbird.ai";
-          token = "H0A7YXAWsKSp9QzvMymfJI12hbxwR7UerEHpCJUe";
+          # Keep the runner registration token out of git.
+          # Create this file on the machine before the runner is (re)registered.
+          tokenFile = "/var/lib/gitea-runner/nix/token";
          labels = [
            "nix-darwin-${pkgs.system}:host"
            "macos-aarch64-darwin"
--- a/nix-darwin/gitea-actions-runner.nix
+++ b/nix-darwin/gitea-actions-runner.nix
@@ -18,6 +18,10 @@ with lib; let
  tokenXorTokenFile = instance:
    (instance.token == null && instance.tokenFile != null)
    || (instance.token != null && instance.tokenFile == null);
+
+  # Render a tokenFile (path or string) into the shell snippet used by launchd.
+  tokenFilePath = instance:
+    if instance.tokenFile == null then null else toString instance.tokenFile;
 in {
  options.services.gitea-actions-runner = {
    package = mkOption {
@@ -154,6 +158,11 @@ in {
                  "${pkgs.writeShellScript "gitea-runner-setup-${name}" ''
                    mkdir -p /var/lib/gitea-runner/${name}
                    cd /var/lib/gitea-runner/${name}
+                    ${
+                      if instance.tokenFile != null then ''
+                        TOKEN="$(${pkgs.coreutils}/bin/cat ${escapeShellArg (tokenFilePath instance)})"
+                      '' else ""
+                    }
                    if [ ! -e "/var/lib/gitea-runner/${name}/.runner" ]; then
                        ${cfg.package}/bin/act_runner register --no-interactive \
                        --instance ${escapeShellArg instance.url} \
--- a/nixos/dotfiles-links.nix
+++ b/nixos/dotfiles-links.nix
@@ -62,4 +62,3 @@ in
      ".emacs.d".source = oos "${worktreeDotfiles}/emacs.d";
    };
 }
-
--- a/nixos/secrets.nix
+++ b/nixos/secrets.nix
@@ -7,7 +7,6 @@
    ];
    age.secrets.gpg-keys.file = ./secrets/gpg-keys.age;
    age.secrets.gpg-passphrase.file = ./secrets/gpg-passphrase.age;
-
    systemd.user.services.import-gpg-key = {
      Unit = {
        Description = "Import GPG private key";
--- a/org-agenda-api/deploy.sh
+++ b/org-agenda-api/deploy.sh
@@ -71,7 +71,7 @@ echo "  dotfiles:       $DOTFILES_REV"
 echo "Building container from flake..."
 nix build "$NIXOS_DIR#${INSTANCE}-org-agenda-api" -o "result-${INSTANCE}-org-agenda-api" --refresh \
  --option extra-substituters "https://org-agenda-api.cachix.org" \
-  --option extra-trusted-public-keys "org-agenda-api.cachix.org-1:MzzlSeQpJ/erP9/qYU6EiS4LM4AHA/mpc8s4thtEvNI="
+  --option extra-trusted-public-keys "org-agenda-api.cachix.org-1:MzzlSeQpJ/erP9/qYU6EiS4LM4AHA/mpc8s4thtEvNI=" # gitleaks:allow

 # Load into Docker
 echo "Loading container into Docker..."
--- a/org-agenda-api/justfile
+++ b/org-agenda-api/justfile
@@ -5,23 +5,23 @@ user := "imalison"

 # Get all todos
 get-all-todos:
-    @curl -s -u "{{user}}:$(pass show org-agenda-api/imalison | head -1)" "{{base_url}}/get-all-todos" | jq .
+    @curl -s -u "{{user}}:$(pass show org-agenda-api/imalison | head -1)" "{{base_url}}/get-all-todos" | jq . # gitleaks:allow

 # Get today's agenda
 get-todays-agenda:
-    @curl -s -u "{{user}}:$(pass show org-agenda-api/imalison | head -1)" "{{base_url}}/get-todays-agenda" | jq .
+    @curl -s -u "{{user}}:$(pass show org-agenda-api/imalison | head -1)" "{{base_url}}/get-todays-agenda" | jq . # gitleaks:allow

 # Get agenda (day view)
 agenda:
-    @curl -s -u "{{user}}:$(pass show org-agenda-api/imalison | head -1)" "{{base_url}}/agenda" | jq .
+    @curl -s -u "{{user}}:$(pass show org-agenda-api/imalison | head -1)" "{{base_url}}/agenda" | jq . # gitleaks:allow

 # Get agenda files
 agenda-files:
-    @curl -s -u "{{user}}:$(pass show org-agenda-api/imalison | head -1)" "{{base_url}}/agenda-files" | jq .
+    @curl -s -u "{{user}}:$(pass show org-agenda-api/imalison | head -1)" "{{base_url}}/agenda-files" | jq . # gitleaks:allow

 # Get todo states
 todo-states:
-    @curl -s -u "{{user}}:$(pass show org-agenda-api/imalison | head -1)" "{{base_url}}/todo-states" | jq .
+    @curl -s -u "{{user}}:$(pass show org-agenda-api/imalison | head -1)" "{{base_url}}/todo-states" | jq . # gitleaks:allow

 # Health check
 health:
@@ -29,6 +29,7 @@ health:

 # Create a todo
 create-todo title:
+    # gitleaks:allow
    @curl -s -X POST -u "{{user}}:$(pass show org-agenda-api/imalison | head -1)" \
        -H "Content-Type: application/json" \
        -d '{"title": "{{title}}"}' \