Fix omp zai.key encryption: use proper chezmoi 'encrypted_' attribute

The previous approach (private_dot_omp/agent/zai.key.age + manual re-encryption) didn't work because: 1. The 'private_' prefix is for files NOT to push to remote, not for encrypted files. The 'encrypted_' prefix is what chezmoi recognizes as an encryption marker. 2. The encrypted file needs to be at dot_<path>/encrypted_<name>.age so chezmoi can both decrypt on apply AND strip the .age suffix to write the destination file as <name> (without .age). Also fix chezmoi age config to actually decrypt non-interactively: - Add useBuiltinAge: false to force external age binary - Add age.command: /usr/bin/age (absolute path) so PATH issues don't matter in non-interactive SSH contexts The encrypted file is at dot_omp/agent/encrypted_zai.key.age, decrypts to ~/.omp/agent/zai.key on apply. Encrypted to all 6 recipients (recovery + miche + byte + kaiser + rye + crouton). Tested on miche: - chezmoi apply: rc=0 - live zai.key: 50 bytes (correct content) - decrypts with miche per-machine key - would decrypt on other boxes with their respective keys
2026-06-22 00:44:51 -04:00 · 2026-06-22 00:44:51 -04:00 · 07dbe83f52
commit 07dbe83f52
parent 2b06a60d00
5 changed files with 28 additions and 18 deletions
--- a/.chezmoi.yaml.tmpl
+++ b/.chezmoi.yaml.tmpl
@ -9,6 +9,11 @@
  {{- $osFamily = "debian" -}}
 {{- end -}}
 encryption: "age"
+# chezmoi's builtin age implementation requires a TTY for passphrase-style
+# decryption prompts and doesn't support all features. Force the external
+# age binary instead. If chezmoi can't find `age` on PATH at apply time,
+# the absolute path is used as a fallback.
+useBuiltinAge: false
 sourceDir: {{ .chezmoi.sourceDir | quote }}

 # age config — see https://www.chezmoi.io/user-guide/encryption/age/
@ -28,6 +33,11 @@ sourceDir: {{ .chezmoi.sourceDir | quote }}
 #   chezmoi uses ~/.config/chezmoi/key.txt (per-machine) by default.

 age:
+    # Absolute path to age binary. Most distros install to /usr/bin/age;
+    # Arch's pacman and Debian's apt both put it there. Using the absolute
+    # path means chezmoi can find age even if PATH isn't set correctly
+    # (which happens in some non-interactive SSH contexts).
+    command: "/usr/bin/age"
    identity: "~/.config/chezmoi/key.txt"

    # Multiple recipients: every listed recipient can decrypt every *.age file.
--- a/private_dot_omp/agent/config.yml
+++ b/private_dot_omp/agent/config.yml
--- a/dot_omp/agent/encrypted_zai.key.age
+++ b/dot_omp/agent/encrypted_zai.key.age
@ -0,0 +1,18 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBja210UjFyaUdtSkw2M25G
+WWJ2N3ptejFCRGdMSFVnVk1IUjdxVkIzUldrClR6MjJraThHOFUzTklxZDFIM09B
+QzdsVVpHNFpaaVpJeUJNNVNtOUlGUlkKLT4gWDI1NTE5IDVWN1JjeGV1ZjFJUXNo
+bFRmdGd4WTFRZDBhaDBXQVliWVVacUUyemIvaXMKRksrOWwzUk8rY2hJcUN0enpW
+NXUvdHEvREVHRjFwQ0lmZkdzY2pDVE1lcwotPiBYMjU1MTkgQm9OYzVSWmpKc08x
+NGdjVWZFcS9GV253Q0k4RzVBK3JzSmRHU1gyWC95WQpsL3M0aEozcGI2RFpmNE50
+SFE0bTJnRnpQOXI0M2pSR2pGWEV4QnJMTTdNCi0+IFgyNTUxOSBBZ1I0TGhqY044
+bndZaVdSaW51c2ljc1l4ckV4N3haNStvaHRsNGpsV2lJCjBJNFhySUwxM2toSXVD
+ZkZEYkZzMXd6Mk0ycEdwRVZDcWg3djY5ZWF1QVEKLT4gWDI1NTE5IDdmQjB3RU05
+cFM0VTBzWUl0dVZwWVlKUmhDbmlwY0ZKbFdpTWIyRnZLbTgKVWFRejdvL1VEeHp0
+SnZ1YWJKQ3lSR1owTjdTUUt5Q0lKQjFEZkI2WW8xVQotPiBYMjU1MTkgUW5ZMWZC
+MTJBNGovTERvZXBXS2dSVVlYSW5heWQ3MTZBbWVYNmpmSWpFRQpoV2xsL3BUL1JK
+cXQvL0s0SGZ1ZzZESUZoZXJ5VzNVazJKWkxYMkJoZWhNCi0tLSBSa3VaNUNIOTgw
+VUFUZE41MWk2NEZrVE5xREc2NUVrd3hsOU15K0xxNm9rCuSszdd/l0WSCvWGiyJe
+w4fB7uhKLWBX1t+OByoNnh/ZImiRkGXOk/BiX3VaCn9tB5KigWzR+n6RhpepNVMf
+4Ouir24gMu+UIYo8NoYjHvxKuzg=
+-----END AGE ENCRYPTED FILE-----
--- a/private_dot_omp/agent/mcp.json
+++ b/private_dot_omp/agent/mcp.json
--- a/private_dot_omp/agent/zai.key.age
+++ b/private_dot_omp/agent/zai.key.age
@ -1,18 +0,0 @@
-----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpOHNWNTI4K0dVZnV6TEpw
-bTA4cURyTHNZdU5uZ1pBN1UvaDlpYXg0OWw0ClZkTGN1S1JrTExVbURMbWI5bDNr
-L2habmpSWW93NXZRMVpvNERWUnJDK0UKLT4gWDI1NTE5IE16SWxTNlFvcHhxckN0
-YlhKYnFVQ1BsTTEvTzJTKzQ0VVNqaEFYMUZLUm8KK2RVcGZudjJUdlkvRUdvZ3Fn
-bUF6c1AyQ0NPdWZRVTJSYzRpQUpBdTllcwotPiBYMjU1MTkgK0hKcHVYMXJ1NXNB
-cEVJR2J3dEtWY05qTGJ4SzkyYVY2Q1djVTlESlNoUQo3UVJ1SDlrVkVQSG1nSXUr
-dHlOeEE1RjhWUDlKMHl1MTlNWjlvaWtEMGtZCi0+IFgyNTUxOSB4SE44SWk1QVdw
-VkFac3RhbW1vdHdwVUtpTGZFYkpkTCs0cnRHMWhUN1NnClFvVEhENzZTS2dzem9u
-cS9TakxwS01FZDdjY29McE9pTng3cTgxeVVVckEKLT4gWDI1NTE5IFQwQ0xNT0Qz
-a2tGUmdWOFNKRGwveW54Wi9zbUZZZi9MQU43bnNBYnRDR1UKejNZWDVCMEJRTjlC
-dktwc1lFR1RsNk9wZkY3eG5pY2ZvTFVtb2d6SlJrRQotPiBYMjU1MTkgbkM4cUZD
-eDlDUGZXNE1pKzVWRzdnMTU2NjNmSlA1Y1d3WDZOOE1Fb1BsRQp2OUVmOWRXZ1Ju
-Uzc4eGF1L3A4R2w1bUY2OXZCVVdrMkxjZ2xxMjVWTGNZCi0tLSBnRzJRZ2xzb1dr
-M3Q1Zjg5dkVPdnI0dEZuNUZpU3BFOVUxckNpTlg2S2drCqbNOobTCfj1kViqGBp8
-CVfJCZbRpiDxi+MJlAjUQbCjrL6+4sHUTEwwV24DbcPFi1Jv8QRxEj7/iyCZS09q
-o8iXjo/bHLWFGmfofx+LFKp64ts=
-----END AGE ENCRYPTED FILE-----