BIOS 2423→4101 update on yarn required an fTPM reset, which broke the
sealed age identity at /var/lib/agenix/tpm-identity. Bootstrapped a new
identity against the new SRK and rotated yarn's recipient.
age-plugin-tpm 1.0+ emits age1tag1… (p256tag) recipients by default and
refuses to encrypt to legacy age1tpm1… ones, so rotated mreow's recipient
to the same encoding (same key, new bech32 HRP) and added an
age-plugin-tag→age-plugin-tpm symlink in the rage wrapper so rage's
plugin dispatch finds the binary under the new prefix. Stripped the
trailing host labels from the tpm recipient strings — rage's stricter
bech32 parser now rejects the trailing whitespace; labels live in
adjacent Nix comments instead.
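Added example, not the repo's own code: one way to express the plugin-name
symlink and the agenix wiring above as a NixOS module. Both names resolve to
the same age-plugin-tpm binary, because age derives the plugin binary name
from the recipient's bech32 HRP (age1tag1... -> age-plugin-tag,
age1tpm1... -> age-plugin-tpm). pkgs.rage and pkgs.age-plugin-tpm are the
nixpkgs attributes; age.ageBin and age.identityPaths are agenix module
options; the wrapper name, the identity path and the symlinkJoin layout are
assumptions about how the repo's rage wrapper is built.

```nix
# Added example; assumes a rage wrapper built with symlinkJoin and the
# TPM identity path named in the note above.
{ pkgs, ... }:
let
  # age's plugin dispatch looks for age-plugin-<hrp-suffix> on PATH, so
  # age-plugin-tag must exist for age1tag1... recipients and
  # age-plugin-tpm for legacy age1tpm1... ones. Both point at one binary.
  agePlugins = pkgs.runCommand "age-tpm-plugins" { } ''
    mkdir -p $out/bin
    ln -s ${pkgs.age-plugin-tpm}/bin/age-plugin-tpm $out/bin/age-plugin-tpm
    ln -s ${pkgs.age-plugin-tpm}/bin/age-plugin-tpm $out/bin/age-plugin-tag
  '';

  # rage with the plugin directory prepended to PATH, so decryption of a
  # TPM-sealed identity works both interactively and from agenix activation.
  rageWithTpm = pkgs.symlinkJoin {
    name = "rage-with-tpm";
    paths = [ pkgs.rage ];
    nativeBuildInputs = [ pkgs.makeWrapper ];
    postBuild = ''
      wrapProgram $out/bin/rage --prefix PATH : ${agePlugins}/bin
    '';
  };
in
{
  environment.systemPackages = [ rageWithTpm ];

  # agenix decrypts with this binary and this identity at activation time;
  # the identity is the TPM-sealed one, so the plugin must be reachable here.
  age.ageBin = "${rageWithTpm}/bin/rage";
  age.identityPaths = [ "/var/lib/agenix/tpm-identity" ];
}
```

In secrets.nix the recipient string should then be the bare
`age1tag1...` value with the host name in a Nix comment on the same line;
a trailing label inside the quotes is exactly what the stricter bech32
parser rejects. A quick check that dispatch works is
`rage -r age1tag1... -o /dev/null /etc/hostname` with the wrapper on PATH:
a missing age-plugin-tag shows up as a plugin-not-found error before any
TPM interaction.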
oo7-daemon was running but its 'Login' keyring stayed locked because
nothing supplied a master password, so libsecret clients (flare in
particular) blocked indefinitely on keyring.unlock().
The upstream user unit declares
ImportCredential=oo7.keyring-encryption-password
which picks up matching credentials from systemd's per-service
credential machinery. Wire LoadCredential=oo7.keyring-encryption-password
to the agenix-decrypted secret so the daemon unlocks at session start
without any prompt.
The password itself is a fresh 64-byte urandom value encrypted to all
desktop recipients (admin SSH key + mreow + yarn TPM identities); it's
opaque to the user and never typed manually. Owner is primary so the
user-scope unit's LoadCredential read works without elevating.
Verified the activation script chowns the decrypted file primary:users
mode 0400, the user unit override carries the LoadCredential line, and
the resulting drv builds clean.
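Added example, not the repo's own module: the LoadCredential wiring
described above as an agenix secret plus a drop-in on the upstream user
unit. The secret attribute name, the .age path, the user "primary" and the
assumption that oo7-daemon's user unit is already installed via
systemd.packages are all placeholders; age.secrets.<name>.owner/group/mode/
path are agenix options and overrideStrategy = "asDropin" is the NixOS
option that turns the definition into a drop-in instead of a replacement
unit.

```nix
# Added example; assumes a secret named oo7-keyring-password encrypted to
# the desktop recipients and a desktop user called "primary".
{ config, ... }:
{
  age.secrets.oo7-keyring-password = {
    file = ./secrets/desktop/oo7-keyring-password.age;
    # The user's own systemd instance reads the credential file, so the
    # decrypted copy must be readable by that user and by nobody else.
    owner = "primary";
    group = "users";
    mode = "0400";
  };

  # Drop-in for the upstream oo7-daemon.service in the user scope. The unit
  # already declares ImportCredential=oo7.keyring-encryption-password;
  # LoadCredential supplies a credential under that ID, which the daemon
  # then reads from $CREDENTIALS_DIRECTORY at session start with no prompt.
  systemd.user.services.oo7-daemon = {
    overrideStrategy = "asDropin";
    serviceConfig.LoadCredential =
      "oo7.keyring-encryption-password:${config.age.secrets.oo7-keyring-password.path}";
  };
}
```

After a switch, `systemctl --user show oo7-daemon.service -p LoadCredential`
should print the ID:path pair, and `stat -c '%U:%G %a' /run/agenix/oo7-keyring-password`
should read `primary:users 400`; if the file is still root-owned the user
manager cannot read it and the keyring stays locked exactly as before.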
- .gitattributes declares secrets/** covered by git-crypt filter
- New symmetric key at $HOME/.nixos-git-crypt.key (chmod 400, not committed)
- All 36 files under secrets/ re-encrypted via the clean filter on 'git add':
  - 5 files in secrets/desktop/ (wifi, secureboot, disk pw, cache netrc, hash)
  - 3 files in secrets/home/ (hm api keys + steam id)
  - 26 files in secrets/server/ (.age + .nix + .tar + livekit_keys)
  - 2 files in secrets/usb-secrets/ (agenix identity)
'git-crypt status' confirms 36 encrypted, 150 non-encrypted.
Old git-crypt keys from the two subtree-merged repos are in the
historical subtree commits (pre-Phase 2). To decrypt pre-unify history
one still needs the old GPG-encrypted keys, which survive at:
~/nixos-migration-aux-*.tar.gz