From 4f0b8325641716ea61447ebf5c33a13b204e1fe7 Mon Sep 17 00:00:00 2001 From: Ryan Walters Date: Sun, 26 Oct 2025 19:29:48 -0500 Subject: [PATCH] refactor: migrate private domain and R2 credentials to Doppler Migrate hardcoded encrypted files to centralized secret management: - Replace encrypted domain file with Doppler variable PRIVATE_DOMAIN - Remove encrypted R2 FUSE script and s3fs password files - Update hishtory server configuration in commonrc.sh and install script - Clean up .chezmoiignore for removed encrypted files This consolidates secret management into Doppler, reducing the number of encrypted files in the repository while maintaining security. --- home/.chezmoiignore | 1 - home/.chezmoitemplates/scripts/commonrc.sh.tmpl | 2 +- .../encrypted_executable_r2_fuse.sh.age | 16 ---------------- home/encrypted_domain.txt.age | 7 ------- home/encrypted_private_dot_passwd-s3fs.age | 9 --------- home/run_onchange_install-packages.sh.tmpl | 2 +- 6 files changed, 2 insertions(+), 35 deletions(-) delete mode 100644 home/dot_scripts/encrypted_executable_r2_fuse.sh.age delete mode 100644 home/encrypted_domain.txt.age delete mode 100644 home/encrypted_private_dot_passwd-s3fs.age diff --git a/home/.chezmoiignore b/home/.chezmoiignore index 07d1a91..d4ce8c6 100644 --- a/home/.chezmoiignore +++ b/home/.chezmoiignore @@ -25,7 +25,6 @@ tool-versions .profile .bash_aliases key.txt -.passwd-s3fs.age .tmux.conf # Linux-only config directories diff --git a/home/.chezmoitemplates/scripts/commonrc.sh.tmpl b/home/.chezmoitemplates/scripts/commonrc.sh.tmpl index 55060e0..7a6d9ec 100644 --- a/home/.chezmoitemplates/scripts/commonrc.sh.tmpl +++ b/home/.chezmoitemplates/scripts/commonrc.sh.tmpl 
@@ -11,7 +11,7 @@ export TERM=xterm-256color # fixes terminal colors when ssh'ing into laptop export OPENAI_API_KEY="{{ dopplerProjectJson.OPENAI_CHATGPT_CLI }}" # hishtory -export HISHTORY_SERVER="https://hsh.{{ joinPath .chezmoi.sourceDir ".domain.age" | include | decrypt }}" +export HISHTORY_SERVER="https://hsh.{{ dopplerProjectJson.PRIVATE_DOMAIN }}" export PATH="$PATH:$HOME/.hishtory" {{ if eq .shell "zsh" -}} source $HOME/.hishtory/config.zsh diff --git a/home/dot_scripts/encrypted_executable_r2_fuse.sh.age b/home/dot_scripts/encrypted_executable_r2_fuse.sh.age deleted file mode 100644 index 5cd7883..0000000 --- a/home/dot_scripts/encrypted_executable_r2_fuse.sh.age +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3aVFyd1pUOHpodWRhT1Yv -RUlCYTArQmhoeldId0tsM3BVQTNrcGN4d0hjCldySE1zazkyRWp5T1pMcFFmVTRR -bVlYbmFXT2xJY3R1VVBubmNaOXF6SEUKLS0tIEtab3M3WDhuWTg0dmdZQzNPUFJy -L0VTa1VGYzJLMzAyNUtIWndLb3JaZTAKlgkKjqJKpmQl+HFUvKEt56mUJoUSGRtO -ixZwSV+QuQ1bqZQHuWGQg5NcKz011xoemEnWbwc3sK/2xY1+Dp6B54bsbt8yhbr3 -182DS45TuJrNspSs+65dOvUxGdoJaEIlf5XmyfmyFMu9Lvfcc299HKZrSuDuZRoM -xjJGwWnmFDsdniOS7yzC1Y15ptUxGllKSC8E+WWNsAcOmKpodTgruRW9sEn0hSIi -Xor9D1W7W8uoHV3V5WEkTPBBtrTjzwxPjm0MSj9igml1BW22vqt4uDqhWqccJ84X -FU7KJsmUy6KxKSzeGIesWhlR0tdrMshfZLgXECKTVDr5kMVsyi8PKhlX3XKljna8 -hiE9G3cm6LNpj9QeDxpNQmrilDk76j9TwK8u1CgGxlInjaRASHFP8d7x7JIxlUi4 -59g25VbBVBOeDL9nQcmXssin8gdAcK528aZOKdMTER7tgEqDEeEi4Cc+dzFYMI1X -s62hLXLCAT7rlJHaaUf6zhoXBdQQka2wFLFKH0j1Y0jGM2pwseGOvHRLVWb8Jzty -g0Vd42Tn8JqgkmCZlskB/Q3buScO8SuDKYypvIELtB3Rqw7VQwtcVqX/FjRLUYuE -fXk3Vq5sAY5I6hUH ------END AGE ENCRYPTED FILE----- diff --git a/home/encrypted_domain.txt.age b/home/encrypted_domain.txt.age deleted file mode 100644 index 2401b99..0000000 --- a/home/encrypted_domain.txt.age +++ /dev/null 
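Review bot: The new `HISHTORY_SERVER` line interpolates `dopplerProjectJson.PRIVATE_DOMAIN` straight into a double-quoted shell string that is evaluated at every shell start, so an empty value silently renders `https://hsh.` and a value containing `"`, `$` or a backtick would be interpreted by the shell. Validate it at render time so `chezmoi apply` fails instead: `{{ $domain := dopplerProjectJson.PRIVATE_DOMAIN }}` followed by `{{ if not (regexMatch "^[A-Za-z0-9.-]+$" $domain) }}{{ fail "PRIVATE_DOMAIN is not a bare hostname" }}{{ end }}`, then use `{{ $domain }}` in the export. The same applies to the identical line in the home/run_onchange_install-packages.sh.tmpl hunk. The rest of the template is outside this hunk, so an existing check elsewhere cannot be ruled out.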
@@ -1,7 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxRkRzdi9vOXZDNkJHcXIr -czB2SzhxdWhsSy9zbCs5L2txNXRpYm0waUVjCnRha0VmblBsTW40c1BUWmp4TGxk -eGJXSFhxNDlZeTBLbUYzRTBwenlrMUUKLS0tIEJjNm1ZYzBTelhkTzB4ZnhMWHg2 -SGtJUGZoaitZMTZYbHMzZ0pRRFk0K2MKF/zTT3k3qDpyc48t7VImOtWKnhWkjUKh -xLoFy9B+8X/ivtWpDJX1DFKym0YhYA== ------END AGE ENCRYPTED FILE----- diff --git a/home/encrypted_private_dot_passwd-s3fs.age b/home/encrypted_private_dot_passwd-s3fs.age deleted file mode 100644 index 473ac3d..0000000 --- a/home/encrypted_private_dot_passwd-s3fs.age +++ /dev/null @@ -1,9 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQbDd1eVZrc0JTNFhsa0pP -L1Z5aHlFMDUvMEFWMHh3aVRaMXFEZkNpTXk0CmRLbkEzTEdwQVhiQ1VjUzdMV1Z0 -Snp4enIvK1dLT3ZYMGY2MVRRYjcxN1EKLS0tIFl2ZmRRR1BHdlRaNEJJalByZXZW -QTdLdVkyZUx5RiszdW0zNUVRTElhbmMKZGlUTMhPLtH6BJjPpcalIXMKJ4k4zBB+ -nUXRyTIEEYtVx9HUtJ2aQLtRAg52LWIF3/6yMeXc8/O/blm6sFQmaQky6R8/Itpv -KBSSqzdecdYnyNE517APOU9xQISXUVE1wFOUK1ijOcBc1vnXNBhhhHtPEBC0nuQj -ytwIUYV8dXQSHA== ------END AGE ENCRYPTED FILE----- diff --git a/home/run_onchange_install-packages.sh.tmpl b/home/run_onchange_install-packages.sh.tmpl index 6df0e12..8f89e5d 100644 --- a/home/run_onchange_install-packages.sh.tmpl +++ b/home/run_onchange_install-packages.sh.tmpl @@ -48,7 +48,7 @@ fi # Install hishtory if ! type -P hishtory; then echo "chezmoi: Installing hishtory" - export HISHTORY_SERVER="https://hsh.{{ joinPath .chezmoi.sourceDir ".domain.age" | include | decrypt }}" + export HISHTORY_SERVER="https://hsh.{{ dopplerProjectJson.PRIVATE_DOMAIN }}" export HISHTORY_SKIP_INIT_IMPORT='true' curl https://hishtory.dev/install.py | python3 - --offline --skip-config-modification fi
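Review bot: In the home/run_onchange_install-packages.sh.tmpl hunk, the install block still pipes `curl https://hishtory.dev/install.py` directly into `python3 -`, so the newly exported private server URL is handed to a remote script that is neither integrity-checked nor fail-checked. Without `--fail`, and unless `pipefail` is set earlier in the script (not visible here), an HTTP error body would be fed to the interpreter and a failed download could pass unnoticed. Download to a temporary file, verify it against a digest recorded when the installer was reviewed, and run it only then. The digest below is a placeholder, and `sha256sum` assumes GNU coreutils (use `shasum -a 256` on macOS). The script starts outside the hunk.

```shell
  # … unchanged: echo and HISHTORY_SERVER / HISHTORY_SKIP_INIT_IMPORT exports …
  expected_sha256='<sha256-of-reviewed-install.py>'  # placeholder: pin after review
  installer="$(mktemp)" || exit 1
  curl --fail --silent --show-error --location --proto '=https' \
    -o "$installer" https://hishtory.dev/install.py || exit 1
  printf '%s  %s\n' "$expected_sha256" "$installer" \
    | sha256sum --check --status || exit 1
  python3 "$installer" --offline --skip-config-modification
  rm -f -- "$installer"
```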