Problem
The SSH key files under home/dot_ssh/ are plain managed files with no host restriction, so every machine chezmoi apply runs on receives the neotrantor key pair in ~/.ssh/:
create_private_id_rsa.tmpl → ~/.ssh/id_rsa
create_id_rsa.pub.tmpl → ~/.ssh/id_rsa.pub
create_private_id_ed25519.tmpl → ~/.ssh/id_ed25519
create_id_ed25519.pub.tmpl → ~/.ssh/id_ed25519.pub
(They pull the neotrantor … items from the 1Password dotfiles vault.)
The only_when selector system only applies to the package data files, not to managed files like these — there is currently no hostname-based filter on them.
Impact
A machine's own SSH identity gets replaced by neotrantor's key. This already caused an accidental overwrite of another machine's private key (unrecoverable — chezmoi keeps no backup).
Current mitigation (partial)
The key sources were given the create_ attribute so chezmoi only writes them when the target is absent and never overwrites an existing key. This stops the clobbering, but a fresh host still gets neotrantor's key instead of its own identity — the keys still end up on hosts they don't belong to.
Desired
Restrict these keys to neotrantor only (and/or move to per-host keys). For managed files the mechanism is .chezmoiignore (it's templated), e.g. ignore the four .ssh/id_* paths on every host except the owner.
Blocker / note
.chezmoiignore would need a reliable hostname. .chezmoi.hostname is network-dependent on macOS, and home/.chezmoi.toml.tmpl already computes a stable $hostname via scutil --get ComputerName — but it is not exposed in [data] (only is_macos, is_work, etc. are). So step one is exporting that stable hostname as a data var, then .chezmoiignore can key off it.
Options
- Expose stable hostname in [data], then .chezmoiignore the four .ssh/id_* paths on hosts other than neotrantor.
- Per-host keys: hostname-keyed 1Password items (e.g. <hostname> id_ed25519 - encrypted) so each machine fetches its own.
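An added worked example of the first option, not the repo's own files: the stable hostname exported from home/.chezmoi.toml.tmpl into [data], and a templated home/.chezmoiignore that keys off it (both fragments shown in one block, each under its file-name comment). The scutil call follows the description above; the data key name hostname is an assumption, and the rest of the existing config template is not reproduced.

```go-template
# home/.chezmoi.toml.tmpl  (rendered by `chezmoi init`, not by `chezmoi apply`)
{{- /* Stable hostname: on macOS .chezmoi.hostname can change with the network,
       so use the ComputerName as described above; elsewhere the kernel
       hostname is already stable. */ -}}
{{- $hostname := .chezmoi.hostname -}}
{{- if eq .chezmoi.os "darwin" -}}
{{-   $hostname = output "scutil" "--get" "ComputerName" | trim -}}
{{- end -}}

[data]
    # "hostname" is an assumed key name; existing keys (is_macos, is_work, ...)
    # stay as they are.
    hostname = {{ $hostname | quote }}

# home/.chezmoiignore  (a template; patterns are target paths relative to ~)
{{- /* Every host except the key owner skips the neotrantor key pair entirely,
       so a fresh machine keeps (or generates) its own identity instead of
       receiving someone else's private key. */ -}}
{{- if ne .hostname "neotrantor" }}
.ssh/id_rsa
.ssh/id_rsa.pub
.ssh/id_ed25519
.ssh/id_ed25519.pub
{{- end }}
```

Because the config is only regenerated by chezmoi init, run that first and confirm with chezmoi data (hostname present) and chezmoi ignored (the four paths listed on a non-owner host) before chezmoi apply.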