oo7-daemon was running but its 'Login' keyring stayed locked because
nothing supplied a master password, so libsecret clients (flare in
particular) blocked indefinitely on keyring.unlock().
The upstream user unit declares
ImportCredential=oo7.keyring-encryption-password
which picks up matching credentials from systemd's per-service
credential machinery. Wire LoadCredential=oo7.keyring-encryption-password
to the agenix-decrypted secret so the daemon unlocks at session start
without any prompt.
The password itself is a fresh 64-byte urandom value encrypted to all
desktop recipients (admin SSH key + mreow + yarn TPM identities); it's
opaque to the user and never typed manually. Owner is primary so the
user-scope unit's LoadCredential read works without elevating.
Verified the activation script chowns the decrypted file primary:users
mode 0400, the user unit override carries the LoadCredential line, and
the resulting drv builds clean.
Unified CI on nixos repo is proven end-to-end (CI run on 836f80a deployed to
muffin successfully and yarn's pull URL now serves from the new build). The
two per-repo git-crypt keys are no longer in use by any active pipeline.
Old dotfiles and server-config repos had Gitea Actions disabled before this
commit, so no CI race possible.
The two legacy entries git-crypt-key-{dotfiles,server-config} stay until
muffin has deployed this config at least once and the new CI pipeline is
green. Phase 6 removes them after cutover.
- .gitattributes declares secrets/** covered by git-crypt filter
- New symmetric key at $HOME/.nixos-git-crypt.key (chmod 400, not committed)
- All 36 files under secrets/ re-encrypted via the clean filter on 'git add':
- 5 files in secrets/desktop/ (wifi, secureboot, disk pw, cache netrc, hash)
- 3 files in secrets/home/ (hm api keys + steam id)
- 26 files in secrets/server/ (.age + .nix + .tar + livekit_keys)
- 2 files in secrets/usb-secrets/ (agenix identity)
'git-crypt status' confirms 36 encrypted, 150 non-encrypted.
Old git-crypt keys from the two subtree-merged repos are in the historical subtree commits (pre-Phase 2). To decrypt pre-unify history one still needs the old GPG-encrypted keys, which survive at:
~/nixos-migration-aux-*.tar.gz
