Fix omp zai.key encryption: use proper chezmoi 'encrypted_' attribute

The previous approach (private_dot_omp/agent/zai.key.age + manual re-encryption) didn't work because: 1. The 'private_' prefix is for files NOT to push to remote, not for encrypted files. The 'encrypted_' prefix is what chezmoi recognizes as an encryption marker. 2. The encrypted file needs to be at dot_<path>/encrypted_<name>.age so chezmoi can both decrypt on apply AND strip the .age suffix to write the destination file as <name> (without .age). Also fix chezmoi age config to actually decrypt non-interactively: - Add useBuiltinAge: false to force external age binary - Add age.command: /usr/bin/age (absolute path) so PATH issues don't matter in non-interactive SSH contexts The encrypted file is at dot_omp/agent/encrypted_zai.key.age, decrypts to ~/.omp/agent/zai.key on apply. Encrypted to all 6 recipients (recovery + miche + byte + kaiser + rye + crouton). Tested on miche: - chezmoi apply: rc=0 - live zai.key: 50 bytes (correct content) - decrypts with miche per-machine key - would decrypt on other boxes with their respective keys
2026-06-22 00:44:51 -04:00 · 2026-06-22 00:44:51 -04:00 · 07dbe83f52
commit 07dbe83f52
parent 2b06a60d00
5 changed files with 28 additions and 18 deletions
--- a/dot_omp/agent/config.yml
+++ b/dot_omp/agent/config.yml
@ -0,0 +1,65 @@
+providers: 
+  webSearch: searxng
+searxng: 
+  endpoint: http://kaiser.local:8800
+symbolPreset: nerd
+theme: 
+  dark: dark-gruvbox
+  light: light
+setupVersion: 1
+modelRoles: 
+  default: minimax-code/MiniMax-M3:high
+  task: llama-swap.miche/qwen3.6-27b-mtp-rocmfp4-turbo
+  smol: llama-swap.miche/qwen3.6-35b-a3b-mtp-rocmfp4
+  plan: zai-coding/glm-5.2:xhigh
+  slow: minimax-code/MiniMax-M3:high
+  vision: llama-swap.miche/gemma4-12b
+retry: 
+  fallbackChains: 
+    default: 
+      - zai-coding/glm-5.2
+      - minimax-code/MiniMax-M3
+      - deepseek/deepseek-v4-pro
+      - llama-swap.miche/qwen3.6-27b-mtp-rocmfp4-turbo
+      - llama-swap.byte/qwen3.6-27b-mtp
+    task: 
+      - llama-swap.miche/qwen3.6-27b-mtp-rocmfp4-turbo
+      - llama-swap.byte/qwen3.6-27b-mtp
+      - zai-coding/glm-5.2
+      - minimax-code/MiniMax-M3
+    smol: 
+      - llama-swap.miche/qwen3.6-35b-a3b-mtp-rocmfp4
+      - llama-swap.byte/qwen3.6-35b-a3b-mtp
+      - llama-swap.miche/qwen3.6-27b-mtp-rocmfp4-turbo
+      - zai-coding/glm-5.2
+      - minimax-code/MiniMax-M3
+    plan: 
+      - zai-coding/glm-5.2:xhigh
+      - minimax-code/minimax-code:xhigh
+      - deepseek/deepseek-v4-pro:xhigh
+      - llama-swap.miche/step-3.7-flash:high
+    slow: 
+      - zai-coding/glm-5.2
+      - minimax-code/minimax-code
+      - deepseek/deepseek-v4-pro
+      - llama-swap.miche/step-3.7-flash
+    vision: 
+      - llama-swap.miche/gemma4-12b
+      - llama-swap.byte/gemma-4-12b-heretic
+      - llama-swap.miche/qwen3.6-27b-mtp-rocmfp4-turbo
+tools: 
+  approvalMode: yolo
+memory: 
+  backend: "off"
+github: 
+  enabled: true
+statusLine: 
+  preset: default
+  separator: powerline
+  transparent: true
+tui: 
+  textSizing: false
+defaultThinkingLevel: high
+personality: pragmatic
+hideThinkingBlock: true
+readLineNumbers: true
--- a/dot_omp/agent/encrypted_zai.key.age
+++ b/dot_omp/agent/encrypted_zai.key.age
@ -0,0 +1,18 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBja210UjFyaUdtSkw2M25G
+WWJ2N3ptejFCRGdMSFVnVk1IUjdxVkIzUldrClR6MjJraThHOFUzTklxZDFIM09B
+QzdsVVpHNFpaaVpJeUJNNVNtOUlGUlkKLT4gWDI1NTE5IDVWN1JjeGV1ZjFJUXNo
+bFRmdGd4WTFRZDBhaDBXQVliWVVacUUyemIvaXMKRksrOWwzUk8rY2hJcUN0enpW
+NXUvdHEvREVHRjFwQ0lmZkdzY2pDVE1lcwotPiBYMjU1MTkgQm9OYzVSWmpKc08x
+NGdjVWZFcS9GV253Q0k4RzVBK3JzSmRHU1gyWC95WQpsL3M0aEozcGI2RFpmNE50
+SFE0bTJnRnpQOXI0M2pSR2pGWEV4QnJMTTdNCi0+IFgyNTUxOSBBZ1I0TGhqY044
+bndZaVdSaW51c2ljc1l4ckV4N3haNStvaHRsNGpsV2lJCjBJNFhySUwxM2toSXVD
+ZkZEYkZzMXd6Mk0ycEdwRVZDcWg3djY5ZWF1QVEKLT4gWDI1NTE5IDdmQjB3RU05
+cFM0VTBzWUl0dVZwWVlKUmhDbmlwY0ZKbFdpTWIyRnZLbTgKVWFRejdvL1VEeHp0
+SnZ1YWJKQ3lSR1owTjdTUUt5Q0lKQjFEZkI2WW8xVQotPiBYMjU1MTkgUW5ZMWZC
+MTJBNGovTERvZXBXS2dSVVlYSW5heWQ3MTZBbWVYNmpmSWpFRQpoV2xsL3BUL1JK
+cXQvL0s0SGZ1ZzZESUZoZXJ5VzNVazJKWkxYMkJoZWhNCi0tLSBSa3VaNUNIOTgw
+VUFUZE41MWk2NEZrVE5xREc2NUVrd3hsOU15K0xxNm9rCuSszdd/l0WSCvWGiyJe
+w4fB7uhKLWBX1t+OByoNnh/ZImiRkGXOk/BiX3VaCn9tB5KigWzR+n6RhpepNVMf
+4Ouir24gMu+UIYo8NoYjHvxKuzg=
+-----END AGE ENCRYPTED FILE-----
--- a/dot_omp/agent/mcp.json
+++ b/dot_omp/agent/mcp.json
@ -0,0 +1,13 @@
+{
+  "$schema": "https://raw.githubusercontent.com/can1357/oh-my-pi/main/packages/coding-agent/src/config/mcp-schema.json",
+  "mcpServers": {
+    "firecrawl": {
+      "command": "npx",
+      "args": ["-y", "firecrawl-mcp"],
+      "env": {
+        "FIRECRAWL_API_KEY": "123",
+        "FIRECRAWL_API_URL": "http://bazzite.local:3002"
+      }
+    }
+  }
+}