rain/gnu-plus-dotfiles
rain/gnu-plus-dotfiles
1
0
Fork 0
Code Wiki Activity

Fix omp zai.key encryption: use proper chezmoi 'encrypted_' attribute

Browse source 
The previous approach (private_dot_omp/agent/zai.key.age + manual
re-encryption) didn't work because:
1. The 'private_' prefix is for files NOT to push to remote, not for
   encrypted files. The 'encrypted_' prefix is what chezmoi recognizes
   as an encryption marker.
2. The encrypted file needs to be at dot_<path>/encrypted_<name>.age
   so chezmoi can both decrypt on apply AND strip the .age suffix
   to write the destination file as <name> (without .age).

Also fix chezmoi age config to actually decrypt non-interactively:
- Add useBuiltinAge: false to force external age binary
- Add age.command: /usr/bin/age (absolute path) so PATH issues
  don't matter in non-interactive SSH contexts

The encrypted file is at dot_omp/agent/encrypted_zai.key.age, decrypts
to ~/.omp/agent/zai.key on apply. Encrypted to all 6 recipients
(recovery + miche + byte + kaiser + rye + crouton).

Tested on miche:
  - chezmoi apply: rc=0
  - live zai.key: 50 bytes (correct content)
  - decrypts with miche per-machine key
  - would decrypt on other boxes with their respective keys
This commit is contained in:
Rain 2026-06-22 00:44:51 -04:00
parent 2b06a60d00
commit 07dbe83f52
5 changed files with 28 additions and 18 deletions
Download patch file Download diff file Expand all files Collapse all files

10
.chezmoi.yaml.tmpl
View file

@ -9,6 +9,11 @@
{{- $osFamily = "debian" -}} {{- $osFamily = "debian" -}}
{{- end -}} {{- end -}}
encryption: "age" encryption: "age"
# chezmoi's builtin age implementation requires a TTY for passphrase-style
# decryption prompts and doesn't support all features. Force the external
# age binary instead. If chezmoi can't find `age` on PATH at apply time,
# the absolute path is used as a fallback.
useBuiltinAge: false
sourceDir: {{ .chezmoi.sourceDir | quote }} sourceDir: {{ .chezmoi.sourceDir | quote }}
# age config — see https://www.chezmoi.io/user-guide/encryption/age/ # age config — see https://www.chezmoi.io/user-guide/encryption/age/
@ -28,6 +33,11 @@ sourceDir: {{ .chezmoi.sourceDir | quote }}
# chezmoi uses ~/.config/chezmoi/key.txt (per-machine) by default. # chezmoi uses ~/.config/chezmoi/key.txt (per-machine) by default.
age: age:
# Absolute path to age binary. Most distros install to /usr/bin/age;
# Arch's pacman and Debian's apt both put it there. Using the absolute
# path means chezmoi can find age even if PATH isn't set correctly
# (which happens in some non-interactive SSH contexts).
command: "/usr/bin/age"
identity: "~/.config/chezmoi/key.txt" identity: "~/.config/chezmoi/key.txt"
# Multiple recipients: every listed recipient can decrypt every *.age file. # Multiple recipients: every listed recipient can decrypt every *.age file.

0
private_dot_omp/agent/config.yml → dot_omp/agent/config.yml
View file

18
dot_omp/agent/encrypted_zai.key.age Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBja210UjFyaUdtSkw2M25G
WWJ2N3ptejFCRGdMSFVnVk1IUjdxVkIzUldrClR6MjJraThHOFUzTklxZDFIM09B
QzdsVVpHNFpaaVpJeUJNNVNtOUlGUlkKLT4gWDI1NTE5IDVWN1JjeGV1ZjFJUXNo
bFRmdGd4WTFRZDBhaDBXQVliWVVacUUyemIvaXMKRksrOWwzUk8rY2hJcUN0enpW
NXUvdHEvREVHRjFwQ0lmZkdzY2pDVE1lcwotPiBYMjU1MTkgQm9OYzVSWmpKc08x
NGdjVWZFcS9GV253Q0k4RzVBK3JzSmRHU1gyWC95WQpsL3M0aEozcGI2RFpmNE50
SFE0bTJnRnpQOXI0M2pSR2pGWEV4QnJMTTdNCi0+IFgyNTUxOSBBZ1I0TGhqY044
bndZaVdSaW51c2ljc1l4ckV4N3haNStvaHRsNGpsV2lJCjBJNFhySUwxM2toSXVD
ZkZEYkZzMXd6Mk0ycEdwRVZDcWg3djY5ZWF1QVEKLT4gWDI1NTE5IDdmQjB3RU05
cFM0VTBzWUl0dVZwWVlKUmhDbmlwY0ZKbFdpTWIyRnZLbTgKVWFRejdvL1VEeHp0
SnZ1YWJKQ3lSR1owTjdTUUt5Q0lKQjFEZkI2WW8xVQotPiBYMjU1MTkgUW5ZMWZC
MTJBNGovTERvZXBXS2dSVVlYSW5heWQ3MTZBbWVYNmpmSWpFRQpoV2xsL3BUL1JK
cXQvL0s0SGZ1ZzZESUZoZXJ5VzNVazJKWkxYMkJoZWhNCi0tLSBSa3VaNUNIOTgw
VUFUZE41MWk2NEZrVE5xREc2NUVrd3hsOU15K0xxNm9rCuSszdd/l0WSCvWGiyJe
w4fB7uhKLWBX1t+OByoNnh/ZImiRkGXOk/BiX3VaCn9tB5KigWzR+n6RhpepNVMf
4Ouir24gMu+UIYo8NoYjHvxKuzg=
-----END AGE ENCRYPTED FILE-----

0
private_dot_omp/agent/mcp.json → dot_omp/agent/mcp.json
View file

18
private_dot_omp/agent/zai.key.age
View file

@ -1,18 +0,0 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpOHNWNTI4K0dVZnV6TEpw
bTA4cURyTHNZdU5uZ1pBN1UvaDlpYXg0OWw0ClZkTGN1S1JrTExVbURMbWI5bDNr
L2habmpSWW93NXZRMVpvNERWUnJDK0UKLT4gWDI1NTE5IE16SWxTNlFvcHhxckN0
YlhKYnFVQ1BsTTEvTzJTKzQ0VVNqaEFYMUZLUm8KK2RVcGZudjJUdlkvRUdvZ3Fn
bUF6c1AyQ0NPdWZRVTJSYzRpQUpBdTllcwotPiBYMjU1MTkgK0hKcHVYMXJ1NXNB
cEVJR2J3dEtWY05qTGJ4SzkyYVY2Q1djVTlESlNoUQo3UVJ1SDlrVkVQSG1nSXUr
dHlOeEE1RjhWUDlKMHl1MTlNWjlvaWtEMGtZCi0+IFgyNTUxOSB4SE44SWk1QVdw
VkFac3RhbW1vdHdwVUtpTGZFYkpkTCs0cnRHMWhUN1NnClFvVEhENzZTS2dzem9u
cS9TakxwS01FZDdjY29McE9pTng3cTgxeVVVckEKLT4gWDI1NTE5IFQwQ0xNT0Qz
a2tGUmdWOFNKRGwveW54Wi9zbUZZZi9MQU43bnNBYnRDR1UKejNZWDVCMEJRTjlC
dktwc1lFR1RsNk9wZkY3eG5pY2ZvTFVtb2d6SlJrRQotPiBYMjU1MTkgbkM4cUZD
eDlDUGZXNE1pKzVWRzdnMTU2NjNmSlA1Y1d3WDZOOE1Fb1BsRQp2OUVmOWRXZ1Ju
Uzc4eGF1L3A4R2w1bUY2OXZCVVdrMkxjZ2xxMjVWTGNZCi0tLSBnRzJRZ2xzb1dr
M3Q1Zjg5dkVPdnI0dEZuNUZpU3BFOVUxckNpTlg2S2drCqbNOobTCfj1kViqGBp8
CVfJCZbRpiDxi+MJlAjUQbCjrL6+4sHUTEwwV24DbcPFi1Jv8QRxEj7/iyCZS09q
o8iXjo/bHLWFGmfofx+LFKp64ts=
-----END AGE ENCRYPTED FILE-----