I wasn’t trying to prevent checking secrets or other info into the Chezmoi Git repo. I have an idea of what I want to avoid committing already. I’m trying to figure out how I can either set up my config so that various pieces of information don’t need to be committed, or can be inserted from more secure storage. I’d like to start with something built-in (and which doesn’t introduce another dependency), like the macOS keychain, but maybe use that to get to other information in another personal password manager.
I’d like to use Chezmoi to manage dotfiles across multiple devices, and for personal and work (where permitted) situations. This will primarily be for macOS, but probably for Linux eventually.
Since the dotfiles are checked into a Git repo, I’d also like to avoid exposing actual secrets and also data about my various situations/devices/etc. Even with a hosted private repo, I think there are email addresses, account names, strings, file/directory paths, etc. that I’d just rather avoid potential exposure. Maybe just think of this as “opsec” for private / personal / non-public information.
I’ve been struggling with this idea, as I’ve been working on my dotfile repo, and getting to the point where I really need to figure out how to integrate some of this data I’d like to protect. Since dotfiles are dotfiles, I think the results on the device using Chezmoi will end up exposing that information anyway. Where possible, I’d still want to set up dotfiles and the software using them to use available secure/secret storage.
Questions:
What are ways to do this, at least with the information being committed to Git?
What can be done without installing additional dependencies (password managers, etc.)? In some situations, I can imagine the additional dependencies themselves would be either problematic or not permitted.
What can be done to bootstrap with just Chezmoi, then taking advantage of password managers (maybe starting with keyring for basic values in macOS keychain), and maybe expanding to something like 1Password for additional information?
Thanks for any help/ideas/advice.