From 07dbe83f52e44f099600691439f1db18fcdbee71 Mon Sep 17 00:00:00 2001 From: rain Date: Mon, 22 Jun 2026 00:44:51 -0400 Subject: [PATCH] Fix omp zai.key encryption: use proper chezmoi 'encrypted_' attribute The previous approach (private_dot_omp/agent/zai.key.age + manual re-encryption) didn't work because: 1. The 'private_' prefix is for files NOT to push to remote, not for encrypted files. The 'encrypted_' prefix is what chezmoi recognizes as an encryption marker. 2. The encrypted file needs to be at dot_/encrypted_.age so chezmoi can both decrypt on apply AND strip the .age suffix to write the destination file as (without .age). Also fix chezmoi age config to actually decrypt non-interactively: - Add useBuiltinAge: false to force external age binary - Add age.command: /usr/bin/age (absolute path) so PATH issues don't matter in non-interactive SSH contexts The encrypted file is at dot_omp/agent/encrypted_zai.key.age, decrypts to ~/.omp/agent/zai.key on apply. Encrypted to all 6 recipients (recovery + miche + byte + kaiser + rye + crouton). Tested on miche: - chezmoi apply: rc=0 - live zai.key: 50 bytes (correct content) - decrypts with miche per-machine key - would decrypt on other boxes with their respective keys --- .chezmoi.yaml.tmpl | 10 ++++++++++ {private_dot_omp => dot_omp}/agent/config.yml | 0 dot_omp/agent/encrypted_zai.key.age | 18 ++++++++++++++++++ {private_dot_omp => dot_omp}/agent/mcp.json | 0 private_dot_omp/agent/zai.key.age | 18 ------------------ 5 files changed, 28 insertions(+), 18 deletions(-) rename {private_dot_omp => dot_omp}/agent/config.yml (100%) create mode 100644 dot_omp/agent/encrypted_zai.key.age rename {private_dot_omp => dot_omp}/agent/mcp.json (100%) delete mode 100644 private_dot_omp/agent/zai.key.age diff --git a/.chezmoi.yaml.tmpl b/.chezmoi.yaml.tmpl index b792f63..a8b4a2a 100644 --- a/.chezmoi.yaml.tmpl +++ b/.chezmoi.yaml.tmpl 
@@ -9,6 +9,11 @@ {{- $osFamily = "debian" -}} {{- end -}} encryption: "age" +# chezmoi's builtin age implementation requires a TTY for passphrase-style +# decryption prompts and doesn't support all features. Force the external +# age binary instead. If chezmoi can't find `age` on PATH at apply time, +# the absolute path is used as a fallback. +useBuiltinAge: false sourceDir: {{ .chezmoi.sourceDir | quote }} # age config — see https://www.chezmoi.io/user-guide/encryption/age/ @@ -28,6 +33,11 @@ sourceDir: {{ .chezmoi.sourceDir | quote }} # chezmoi uses ~/.config/chezmoi/key.txt (per-machine) by default. age: + # Absolute path to age binary. Most distros install to /usr/bin/age; + # Arch's pacman and Debian's apt both put it there. Using the absolute + # path means chezmoi can find age even if PATH isn't set correctly + # (which happens in some non-interactive SSH contexts). + command: "/usr/bin/age" identity: "~/.config/chezmoi/key.txt" # Multiple recipients: every listed recipient can decrypt every *.age file. diff --git a/private_dot_omp/agent/config.yml b/dot_omp/agent/config.yml similarity index 100% rename from private_dot_omp/agent/config.yml rename to dot_omp/agent/config.yml diff --git a/dot_omp/agent/encrypted_zai.key.age b/dot_omp/agent/encrypted_zai.key.age new file mode 100644 index 0000000..a502dda --- /dev/null +++ b/dot_omp/agent/encrypted_zai.key.age 
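Review bot: The comment added above `useBuiltinAge: false` says the absolute path is "used as a fallback" if `age` is not on PATH, but once `useBuiltinAge` is false chezmoi invokes `age.command` directly, so `/usr/bin/age` is the only binary it will ever run and the two new comments in this file contradict each other. Replace the last two sentences of that comment with `# With useBuiltinAge false chezmoi always runs age.command (set below); it is not a PATH fallback.` The justification given for disabling the builtin ("requires a TTY for passphrase-style decryption prompts") does not obviously apply when a file `identity` is configured, so stating the failure that was actually observed would be more useful to the next reader. Hard-coding `/usr/bin/age` also only holds where the distro package installs there; a recipient machine that gets age from Homebrew or Nix would fail at apply, which testing on a single box does not catch.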
@@ -0,0 +1,18 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBja210UjFyaUdtSkw2M25G
+WWJ2N3ptejFCRGdMSFVnVk1IUjdxVkIzUldrClR6MjJraThHOFUzTklxZDFIM09B
+QzdsVVpHNFpaaVpJeUJNNVNtOUlGUlkKLT4gWDI1NTE5IDVWN1JjeGV1ZjFJUXNo
+bFRmdGd4WTFRZDBhaDBXQVliWVVacUUyemIvaXMKRksrOWwzUk8rY2hJcUN0enpW
+NXUvdHEvREVHRjFwQ0lmZkdzY2pDVE1lcwotPiBYMjU1MTkgQm9OYzVSWmpKc08x
+NGdjVWZFcS9GV253Q0k4RzVBK3JzSmRHU1gyWC95WQpsL3M0aEozcGI2RFpmNE50
+SFE0bTJnRnpQOXI0M2pSR2pGWEV4QnJMTTdNCi0+IFgyNTUxOSBBZ1I0TGhqY044
+bndZaVdSaW51c2ljc1l4ckV4N3haNStvaHRsNGpsV2lJCjBJNFhySUwxM2toSXVD
+ZkZEYkZzMXd6Mk0ycEdwRVZDcWg3djY5ZWF1QVEKLT4gWDI1NTE5IDdmQjB3RU05
+cFM0VTBzWUl0dVZwWVlKUmhDbmlwY0ZKbFdpTWIyRnZLbTgKVWFRejdvL1VEeHp0
+SnZ1YWJKQ3lSR1owTjdTUUt5Q0lKQjFEZkI2WW8xVQotPiBYMjU1MTkgUW5ZMWZC
+MTJBNGovTERvZXBXS2dSVVlYSW5heWQ3MTZBbWVYNmpmSWpFRQpoV2xsL3BUL1JK
+cXQvL0s0SGZ1ZzZESUZoZXJ5VzNVazJKWkxYMkJoZWhNCi0tLSBSa3VaNUNIOTgw
+VUFUZE41MWk2NEZrVE5xREc2NUVrd3hsOU15K0xxNm9rCuSszdd/l0WSCvWGiyJe
+w4fB7uhKLWBX1t+OByoNnh/ZImiRkGXOk/BiX3VaCn9tB5KigWzR+n6RhpepNVMf
+4Ouir24gMu+UIYo8NoYjHvxKuzg=
+-----END AGE ENCRYPTED FILE-----
diff --git a/private_dot_omp/agent/mcp.json b/dot_omp/agent/mcp.json
similarity index 100%
rename from private_dot_omp/agent/mcp.json
rename to dot_omp/agent/mcp.json
diff --git a/private_dot_omp/agent/zai.key.age b/private_dot_omp/agent/zai.key.age
deleted file mode 100644
index 6f4f6c4..0000000
--- a/private_dot_omp/agent/zai.key.age
+++ /dev/null
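Review bot: The new source path `dot_omp/agent/encrypted_zai.key.age` drops the `private_` attribute that the old `private_dot_omp/...` path carried, so the decrypted `~/.omp/agent/zai.key` (and the `~/.omp` directory, which loses the attribute through the config.yml and mcp.json renames in this commit) will be written with umask-default, typically group/world-readable, permissions. In chezmoi `private_` does not control what is pushed to the remote as the commit message says; it strips group and world permission bits from the target, which is exactly what a plaintext API key on disk needs. Keep both attributes, `private_dot_omp/agent/encrypted_private_zai.key.age` (chezmoi's canonical prefix order puts `encrypted_` before `private_`), and confirm with `ls -l ~/.omp/agent/zai.key` after the next apply that the mode is 0600. The ciphertext itself is fine to commit; this is only about the permissions of what it decrypts to.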
@@ -1,18 +0,0 @@
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpOHNWNTI4K0dVZnV6TEpw
-bTA4cURyTHNZdU5uZ1pBN1UvaDlpYXg0OWw0ClZkTGN1S1JrTExVbURMbWI5bDNr
-L2habmpSWW93NXZRMVpvNERWUnJDK0UKLT4gWDI1NTE5IE16SWxTNlFvcHhxckN0
-YlhKYnFVQ1BsTTEvTzJTKzQ0VVNqaEFYMUZLUm8KK2RVcGZudjJUdlkvRUdvZ3Fn
-bUF6c1AyQ0NPdWZRVTJSYzRpQUpBdTllcwotPiBYMjU1MTkgK0hKcHVYMXJ1NXNB
-cEVJR2J3dEtWY05qTGJ4SzkyYVY2Q1djVTlESlNoUQo3UVJ1SDlrVkVQSG1nSXUr
-dHlOeEE1RjhWUDlKMHl1MTlNWjlvaWtEMGtZCi0+IFgyNTUxOSB4SE44SWk1QVdw
-VkFac3RhbW1vdHdwVUtpTGZFYkpkTCs0cnRHMWhUN1NnClFvVEhENzZTS2dzem9u
-cS9TakxwS01FZDdjY29McE9pTng3cTgxeVVVckEKLT4gWDI1NTE5IFQwQ0xNT0Qz
-a2tGUmdWOFNKRGwveW54Wi9zbUZZZi9MQU43bnNBYnRDR1UKejNZWDVCMEJRTjlC
-dktwc1lFR1RsNk9wZkY3eG5pY2ZvTFVtb2d6SlJrRQotPiBYMjU1MTkgbkM4cUZD
-eDlDUGZXNE1pKzVWRzdnMTU2NjNmSlA1Y1d3WDZOOE1Fb1BsRQp2OUVmOWRXZ1Ju
-Uzc4eGF1L3A4R2w1bUY2OXZCVVdrMkxjZ2xxMjVWTGNZCi0tLSBnRzJRZ2xzb1dr
-M3Q1Zjg5dkVPdnI0dEZuNUZpU3BFOVUxckNpTlg2S2drCqbNOobTCfj1kViqGBp8
-CVfJCZbRpiDxi+MJlAjUQbCjrL6+4sHUTEwwV24DbcPFi1Jv8QRxEj7/iyCZS09q
-o8iXjo/bHLWFGmfofx+LFKp64ts=
------END AGE ENCRYPTED FILE-----