rain/gnu-plus-dotfiles
rain/gnu-plus-dotfiles
1
0
Fork 0
Code Wiki Activity

Fix omp zai.key encryption: use proper chezmoi 'encrypted_' attribute

Browse source 
The previous approach (private_dot_omp/agent/zai.key.age + manual
re-encryption) didn't work because:
1. The 'private_' prefix is for files NOT to push to remote, not for
   encrypted files. The 'encrypted_' prefix is what chezmoi recognizes
   as an encryption marker.
2. The encrypted file needs to be at dot_<path>/encrypted_<name>.age
   so chezmoi can both decrypt on apply AND strip the .age suffix
   to write the destination file as <name> (without .age).

Also fix chezmoi age config to actually decrypt non-interactively:
- Add useBuiltinAge: false to force external age binary
- Add age.command: /usr/bin/age (absolute path) so PATH issues
  don't matter in non-interactive SSH contexts

The encrypted file is at dot_omp/agent/encrypted_zai.key.age, decrypts
to ~/.omp/agent/zai.key on apply. Encrypted to all 6 recipients
(recovery + miche + byte + kaiser + rye + crouton).

Tested on miche:
  - chezmoi apply: rc=0
  - live zai.key: 50 bytes (correct content)
  - decrypts with miche per-machine key
  - would decrypt on other boxes with their respective keys
This commit is contained in:
Rain 2026-06-22 00:44:51 -04:00
parent 2b06a60d00
commit 07dbe83f52
5 changed files with 28 additions and 18 deletions
Download patch file Download diff file Expand all files Collapse all files

10
.chezmoi.yaml.tmpl
View file

@ -9,6 +9,11 @@
{{- $osFamily = "debian" -}}
{{- end -}}
encryption: "age"
# chezmoi's builtin age implementation requires a TTY for passphrase-style
# decryption prompts and doesn't support all features. Force the external
# age binary instead. If chezmoi can't find `age` on PATH at apply time,
# the absolute path is used as a fallback.
useBuiltinAge: false
sourceDir: {{ .chezmoi.sourceDir | quote }}
# age config — see https://www.chezmoi.io/user-guide/encryption/age/
@ -28,6 +33,11 @@ sourceDir: {{ .chezmoi.sourceDir | quote }}
# chezmoi uses ~/.config/chezmoi/key.txt (per-machine) by default.
age:
# Absolute path to age binary. Most distros install to /usr/bin/age;
# Arch's pacman and Debian's apt both put it there. Using the absolute
# path means chezmoi can find age even if PATH isn't set correctly
# (which happens in some non-interactive SSH contexts).
command: "/usr/bin/age"
identity: "~/.config/chezmoi/key.txt"
# Multiple recipients: every listed recipient can decrypt every *.age file.