2025-03-15 22:43:03 -04:00
33 changed files with 630 additions and 564 deletions
--- a/.github/settings.yml
+++ b/.github/settings.yml
@ -4,60 +4,44 @@ repository:
    # The name of the repository. Changing this will rename the repository
    name: nix-dotfiles
    # A short description of the repository that will show up on GitHub
    description: RAD-Dev Infra
    # A URL with more information about the repository
    # homepage: "https://nix-community.org"
    # A comma-separated list of topics to set on the repository
    topics: "nixos"
    # Either `true` to make the repository private, or `false` to make it public.
    private: false
    # Either `true` to enable issues for this repository, `false` to disable them.
    has_issues: true
    # Either `true` to enable projects for this repository, or `false` to disable them.
    # If projects are disabled for the organization, passing `true` will cause an API error.
    has_projects: true
    # Either `true` to enable the wiki for this repository, `false` to disable it.
    has_wiki: false
    # Either `true` to enable downloads for this repository, `false` to disable them.
    has_downloads: false
    # Updates the default branch for this repository.
    default_branch: main
    # Either `true` to allow squash-merging pull requests, or `false` to prevent
    # squash-merging.
    allow_squash_merge: true
    # Either `true` to allow merging pull requests with a merge commit, or `false`
    # to prevent merging pull requests with merge commits.
    allow_merge_commit: false
    # Either `true` to allow rebase-merging pull requests, or `false` to prevent
    # rebase-merging.
    allow_rebase_merge: true
    # Either `true` to enable automatic deletion of branches on merge, or `false` to disable
    delete_branch_on_merge: true
    # Either `true` to enable automated security fixes, or `false` to disable
    # automated security fixes.
    enable_automated_security_fixes: true
    # Either `true` to enable vulnerability alerts, or `false` to disable
    # vulnerability alerts.
    enable_vulnerability_alerts: true
    allow_auto_merge: true
 # Labels: define labels for Issues and Pull Requests
 #
 labels:
@ -104,29 +88,16 @@ labels:
    - name: automated
      color: '#42b528'
      description: PR was automatically generated (through a bot or CI/CD)
 # Milestones: define milestones for Issues and Pull Requests
 milestones:
    - title: Go-Live
      description: >-
-      All requirements for official go-live:
+        All requirements for official go-live: - Automated testing via Hydra/Actions - Automated deployments via Hydra/Actions - 90+% testing coverage - Functional formatter with custom rules - palatine-hill is fully stable, enough so that jeeves can be migrated
      - Automated testing via Hydra/Actions
      - Automated deployments via Hydra/Actions
      - 90+% testing coverage
      - Functional formatter with custom rules
      - palatine-hill is fully stable, enough so that jeeves can be migrated
      # The state of the milestone. Either `open` or `closed`
      state: open
    - title: Jeeves Migration
      description: >-
-      Test common use-cases for Jeeves
+        Test common use-cases for Jeeves - Quadro GPU support - Multi-GPU support - Plex support - Docker support - ZFS support
      - Quadro GPU support
      - Multi-GPU support
      - Plex support
      - Docker support
      - ZFS support
 # Collaborators: give specific users access to this repository.
 # See https://docs.github.com/en/rest/reference/repos#add-a-repository-collaborator for available options
 collaborators:
@ -150,7 +121,6 @@ teams:
 # * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
 # * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
 # permission: admin
 branches:
    # gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/nix-community/infra/branches/master/protection
@ -165,7 +135,6 @@ branches:
    # `Maximum pull requests to merge`: 5
    # `Only merge non-failing pull requests`: true
    # `Consider check failed after`: 60 minutes
    - name: main
      # https://docs.github.com/en/rest/reference/repos#update-branch-protection
      # Branch Protection settings. Set to null to disable
--- a/.github/workflows/flake-health-checks.yml
+++ b/.github/workflows/flake-health-checks.yml
@ -5,7 +5,6 @@ on:
    pull_request:
        branches: ["main"]
    merge_group:
 jobs:
    health-check:
        name: "Perform Nix flake checks"
--- a/.github/workflows/flake-update.yml
+++ b/.github/workflows/flake-update.yml
@ -65,7 +65,6 @@ jobs:
                    [1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/flake-update.yml
                    [2]: https://forgejo.stefka.eu/jiriks74/create-pull-request
            - name: Generate PR body
              uses: pedrolamas/handlebars-action@v2.4.0 # v2.4.0
              with:
@ -76,7 +75,6 @@ jobs:
              uses: juliangruber/read-file-action@v1
              with:
                path: "pr_body.md"
            - name: Remove temporary files
              run: |
                rm pr_body.template
@ -84,7 +82,6 @@ jobs:
                rm pre.json
                rm post.json
                rm post-diff
            - name: Create Pull Request
              id: create-pull-request
              # uses: https://forgejo.stefka.eu/jiriks74/create-pull-request@7174d368c2e4450dea17b297819eb28ae93ee645
@ -98,7 +95,6 @@ jobs:
                    automated: Update `flake.lock`
                    ${{ steps.pr_body.outputs.content }}
                branch: update-flake-lock
                delete-branch: true
                pr-labels: | # Labels to be set on the PR
--- a/.github/workflows/lock-health-checks.yml
+++ b/.github/workflows/lock-health-checks.yml
@ -5,7 +5,6 @@ on:
    pull_request:
        branches: ["main"]
    merge_group:
 jobs:
    health-check:
        name: "Check health of `flake.lock`"
--- a/.github/workflows/nix-fmt.yml
+++ b/.github/workflows/nix-fmt.yml
@ -5,7 +5,6 @@ on:
    pull_request:
        branches: ["main"]
    merge_group:
 jobs:
    health-check:
        name: "Perform Nix format checks"
--- a/.sops.yaml
+++ b/.sops.yaml
@ -1,7 +1,6 @@
 keys:
    # The PGP keys in keys/
    - &admin_alice 5EFFB75F7C9B74EAA5C4637547940175096C1330
    # Generate AGE keys from SSH keys with:
    #   ssh-keygen -A
    #   nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
@ -11,10 +10,8 @@ keys:
    #- &palatine-hill age1z8q02wdp0a2ep5uuffgfeqlfam4ztl95frhw5qhnn6knn0rrmcnqk5evej
    - &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
    # cspell:enable
 servers: &servers
    - *palatine-hill
 # add new users by executing: sops users/<user>/secrets.yaml
 # then have someone already in the repo run the below
 #
@ -29,14 +26,12 @@ creation_rules:
            - *palatine-hill
            - *artemision
            - *artemision-home
    - path_regex: systems/palatine-hill/secrets.*\.yaml$
      key_groups:
        - pgp:
            - *admin_alice
          age:
            - *palatine-hill
    - path_regex: systems/artemision/secrets.*\.yaml$
      key_groups:
        - pgp:
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -1,5 +1,7 @@
 {
-  "cSpell.enableFiletypes": ["nix"],
+  "cSpell.enableFiletypes": [
    "nix"
  ],
  "cSpell.words": [
    "aarch",
    "abmlevel",
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@ -40,12 +40,12 @@ and will eventually trip a check when merging to main.
 | Branch Name      | Use Case                                                                                                                                                                                                                      |
 |------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | main             | protected branch which all machines pull from, do not try to push directly                                                                                                                                                    |
-| feature/\<item\> | \<item\> is a new feature added to the repo, for personal or common use                                                                                                                                                       |
+| feature/\<item> | \<item> is a new feature added to the repo, for personal or common use                                                                                                                                                       |
-| fixup/\<item\>   | \<item\> is a non-urgent bug, PRs merging from these branches should be merged when possible, but are not considered mission-critical                                                                                         |
+| fixup/\<item>   | \<item> is a non-urgent bug, PRs merging from these branches should be merged when possible, but are not considered mission-critical                                                                                         |
-| hotfix/\<item\>  | \<item\> is a mission-critical bug, either affecting all users or a breaking change on a user's machines. These PRs should be reviewed ASAP. This is automatically subject to the [Critical Issues](#critical-issues) process |
+| hotfix/\<item>  | \<item> is a mission-critical bug, either affecting all users or a breaking change on a user's machines. These PRs should be reviewed ASAP. This is automatically subject to the [Critical Issues](#critical-issues) process |
-| urgent/\<item\>  | Accepted as an alias for the above, due to dev's coming from multiple standards and the criticality of these issues                                                                                                           |
+| urgent/\<item>  | Accepted as an alias for the above, due to dev's coming from multiple standards and the criticality of these issues                                                                                                           |
-| exp/\<item\>     | \<item\> is a non-critical experiment. This is used for shipping around potential new features or fixes to multiple branches                                                                                                  |
+| exp/\<item>     | \<item> is a non-critical experiment. This is used for shipping around potential new features or fixes to multiple branches                                                                                                  |
-| merge/\<item\>   | \<item\> is a temporary branch and should never be merged directly to main. This is solely used for addressing merge conflicts which are too complex to be merged directly on branch                                          |
+| merge/\<item>   | \<item> is a temporary branch and should never be merged directly to main. This is solely used for addressing merge conflicts which are too complex to be merged directly on branch                                          |
 ### Review Process
--- a/docs/sample-setup.sh
+++ b/docs/sample-setup.sh
@ -54,8 +54,6 @@ if [ $PROCEED != "Y" ]; then
  lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
 fi
 if [ $CREATEPARTS = "Y" ]; then
  # Create partition table
  sudo parted "/dev/$DRIVE" -- mklabel gpt
--- a/flake.lock
+++ b/flake.lock
@ -441,17 +441,18 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1741842650,
+        "lastModified": 1740981371,
-        "narHash": "sha256-gyA3ngXZroBeWdrVsM+bL63hQMUheYCrC+V78TEgBeU=",
+        "narHash": "sha256-Up7YlXIupmT7fEtC4Oj676M91INg0HAoamiswAsA3rc=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "b1f2198021490b51fb92b8b09db97b9ba2a7b4ce",
+        "rev": "1d2fe0135f360c970aee1d57a53f816f3c9bddae",
        "type": "github"
      },
      "original": {
        "narHash": "sha256-Up7YlXIupmT7fEtC4Oj676M91INg0HAoamiswAsA3rc=",
        "owner": "nixos",
        "ref": "nixos-unstable-small",
        "repo": "nixpkgs",
        "rev": "1d2fe0135f360c970aee1d57a53f816f3c9bddae",
        "type": "github"
      }
    },
@ -472,16 +473,16 @@
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1735563628,
+        "lastModified": 1741862977,
-        "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=",
+        "narHash": "sha256-prZ0M8vE/ghRGGZcflvxCu40ObKaB+ikn74/xQoNrGQ=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798",
+        "rev": "cdd2ef009676ac92b715ff26630164bb88fec4e0",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "nixos-24.05",
+        "ref": "nixos-24.11",
        "repo": "nixpkgs",
        "type": "github"
      }
--- a/flake.nix
+++ b/flake.nix
@ -25,8 +25,9 @@
    flake-parts.url = "github:hercules-ci/flake-parts";
    nixos-hardware.url = "github:NixOS/nixos-hardware";
    #nixpkgs.url = "github:nuschtos/nuschtpkgs/nixos-unstable";
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable-small";
+    # nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable-small";
-    nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.05";
+    nixpkgs.url = "github:nixos/nixpkgs/1d2fe0135f360c970aee1d57a53f816f3c9bddae?narHash=sha256-Up7YlXIupmT7fEtC4Oj676M91INg0HAoamiswAsA3rc%3D";
    nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11";
    systems.url = "github:nix-systems/default";
    # attic = {
--- a/shell.nix
+++ b/shell.nix
@ -45,6 +45,10 @@ forEachSystem (
        treefmt
        statix
        nixfmt-rfc-style
        jsonfmt
        mdformat
        shfmt
        yamlfmt
      ];
    };
  in
--- a/systems/artemision/configuration.nix
+++ b/systems/artemision/configuration.nix
@ -32,7 +32,7 @@
  };
  boot = {
-    kernelPackages = lib.mkForce pkgs.linuxPackages_6_6;
+    #kernelPackages = lib.mkForce pkgs.linuxPackages_6_6;
    useSystemdBoot = true;
    default = true;
  };
@ -88,6 +88,10 @@
  programs.adb.enable = true;
  environment.variables = {
    "KWIN_DRM_NO_DIRECT_SCANOUT" = "1";
  };
  sops = {
    defaultSopsFile = ./secrets.yaml;
    #secrets = {
--- a/systems/artemision/programs.nix
+++ b/systems/artemision/programs.nix
@ -42,6 +42,7 @@
    kitty
    kubectl
    kubernetes-helm
    libreoffice-fresh
    libtool
    lsof
    lynis
--- a/treefmt.toml
+++ b/treefmt.toml
@ -12,3 +12,21 @@ command = "nixfmt"
 #options = []
 # Glob pattern of files to include
 includes = [ "*.nix" ]
 [formatter.jsonfmt]
 command = "jsonfmt"
 excludes = []
 includes = ["*.json"]
 options = ["-w"]
 [formatter.shfmt]
 command = "shfmt"
 excludes = []
 includes = ["*.sh", "*.bash", "*.envrc", "*.envrc.*"]
 options = ["-i", "2", "-s", "-w"]
 [formatter.yamlfmt]
 command = "yamlfmt"
 excludes = []
 includes = ["*.yaml", "*.yml"]
 options = ["-formatter","indent=4"]
--- a/users/alice/home.nix
+++ b/users/alice/home.nix
@ -16,6 +16,7 @@
      ./home/gammastep.nix
      ./home/doom
      ./home/hypr
      ./home/waybar.nix
      ./non-server.nix
    ];
--- a/users/alice/home/hypr/default.nix
+++ b/users/alice/home/hypr/default.nix
@ -8,6 +8,7 @@
 {
  xdg.configFile = {
    "hypr/hyprland.conf".source = ./hyprland.conf;
    "hypr/show-hide.sh".source = ./show-hide.sh;
  };
  imports = [
--- a/users/alice/home/hypr/hypridle.nix
+++ b/users/alice/home/hypr/hypridle.nix
@ -18,14 +18,14 @@
      listener = [
        {
          timeout = 150; # 2.5min.
-          on-timeout = "brightnessctl -s set 1"; # set monitor backlight to minimum, avoid 0 on OLED monitor.
+          on-timeout = "${pkgs.brightnessctl}/bin/brightnessctl -s set 1"; # set monitor backlight to minimum, avoid 0 on OLED monitor.
-          on-resume = "brightnessctl -r"; # monitor backlight restore.
+          on-resume = "${pkgs.brightnessctl}/bin/brightnessctl -r"; # monitor backlight restore.
        }
        # turn off keyboard backlight, comment out this section if you dont have a keyboard backlight.
        {
          timeout = 150; # 2.5min.
-          on-timeout = "brightnessctl -sd rgb:kbd_backlight set 0"; # turn off keyboard backlight.
+          on-timeout = "${pkgs.brightnessctl}/bin/brightnessctl -sd rgb:kbd_backlight set 0"; # turn off keyboard backlight.
-          on-resume = "brightnessctl -rd rgb:kbd_backlight"; # turn on keyboard backlight.
+          on-resume = "${pkgs.brightnessctl}/bin/brightnessctl -rd rgb:kbd_backlight"; # turn on keyboard backlight.
        }
        {
          timeout = 300; # 5min
--- a/users/alice/home/hypr/hyprland.conf
+++ b/users/alice/home/hypr/hyprland.conf
@ -22,6 +22,9 @@ monitor=,preferred,auto,auto
 # exec-once = waybar & hyprpaper & firefox
 exec-once = wired &
 exec-once = wired
 exec-once = systemctl --user start polkit-gnome-authentication-agent-1.service
 # Source a file (multi-file configs)
 # source = ~/.config/hypr/myColors.conf
@ -207,3 +210,7 @@ bind = $mainMod, P, exec, bwm
 # lock screen
 bind = $mainMod, L, exec, loginctl lock-session
 # hide active window
 bind = $mainMod,H,exec,/home/alice/config/hypr/hide_unhide_window.sh h
 # show hide window
 bind = $mainMod,I,exec,/home/alice/config/hypr/hide_unhide_window.sh s
--- a/users/alice/home/hypr/hyprlock.nix
+++ b/users/alice/home/hypr/hyprlock.nix
@ -11,7 +11,8 @@
    settings = {
      general = {
        immediate_render = true;
-        no_fade_in = true;
+        # disabling as config doesn't exist
        #no_fade_in = true;
      };
      background = {
        monitor = "";
@ -54,7 +55,8 @@
        dots_spacing = 0.15; # Scale of dots' absolute size, -1.0 - 1.0
        dots_center = false;
        dots_rounding = -1; # -1 default circle, -2 follow input-field rounding
-        dots_fade_time = 200; # Milliseconds until a dot fully fades in
+        # disabling as config doesn't exist
        # dots_fade_time = 200; # Milliseconds until a dot fully fades in
        dots_text_format = ""; # Text character used for the input indicator. Leave empty for a rectangle that will be rounded via dots_rounding (default).
        # disabling due to stylix
        # outer_color = "rgb(151515)";
@ -70,7 +72,8 @@
        #fail_color = "rgb(204, 34, 34)"; # if authentication failed, changes outer_color and fail message color
        fail_text = "<i>$FAIL <b>($ATTEMPTS)</b></i>"; # can be set to empty
        fail_timeout = 2000; # milliseconds before fail_text and fail_color disappears
-        fail_transition = 300; # transition time in ms between normal outer_color and fail_color
+        # disabling as config doesn't exist
        #fail_transition = 300; # transition time in ms between normal outer_color and fail_color
        capslock_color = -1;
        numlock_color = -1;
        bothlock_color = -1; # when both locks are active. -1 means don't change outer color (same for above)
--- a/users/alice/home/hypr/show-hide.sh
+++ b/users/alice/home/hypr/show-hide.sh
@ -0,0 +1,25 @@
 #!/usr/bin/env bash
 stack_file="/tmp/hide_window_pid_stack.txt"
 function hide_window() {
  pid=$(hyprctl activewindow -j | jq '.pid')
  hyprctl dispatch movetoworkspacesilent "88,pid:$pid"
  echo "$pid" >>$stack_file
 }
 function show_window() {
  pid=$(tail -1 $stack_file && sed -i '$d' $stack_file)
  [ -z "$pid" ] && exit
  current_workspace=$(hyprctl activeworkspace -j | jq '.id')
  hyprctl dispatch movetoworkspacesilent "$current_workspace,pid:$pid"
 }
 if [ -n "$1" ]; then
  if [ "$1" == "h" ]; then
    hide_window >>/dev/null
  else
    show_window >>/dev/null
  fi
 fi
--- a/users/alice/home/waybar.json
+++ b/users/alice/home/waybar.json
@ -0,0 +1,40 @@
 [
  {
    "height": 20,
    "layer": "top",
    "position": "top",
    "output": [
      "eDP-2",
      "eDP-1",
      "HDMI-0",
      "DP-0"
    ],
    "hyprland/workspaces": {
      "active-only": true,
      "all-outputs": false,
      "show-special": true,
      "move-to-monitor": true,
      "format": "{icon} {windows}",
      "format-window-separator": " ",
      "format-icons": {
        "1": "󰎤",
        "2": "󰎧",
        "3": "󰎪",
        "default": "",
        "empty": "󱓼",
        "urgent": "󱨇"
      },
      "persistent-workspaces": {
        "1": "HDMI-0"
      },
      "on-scroll-down": "hyprctl dispatch workspace e-1",
      "on-scroll-up": "hyprctl dispatch workspace e+1",
      "window-rewrite": {
        "title<Steam>": ""
      },
      "window-rewrite-default": "",
      "window-rewrite-separator": " ",
      "sort-by": "number"
    }
  }
 ]
--- a/users/alice/home/waybar.nix
+++ b/users/alice/home/waybar.nix
@ -2,6 +2,6 @@
 lib.mkIf (!machineConfig.server) {
  programs.waybar = {
    enable = true;
-    #settings = builtins.fromJSON (import ./waybar.json);
+    settings = builtins.fromJSON (builtins.readFile ./waybar.json);
  };
 }
--- a/users/alice/non-server.nix
+++ b/users/alice/non-server.nix
@ -64,5 +64,6 @@
    zathura
    obsidian
    libreoffice-qt-fresh
    wlr-randr
  ];
 }
--- a/utils/attic-push.bash
+++ b/utils/attic-push.bash
@ -11,17 +11,15 @@ set -e
 #   | jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g')
 # retrieve all paths
-nix_paths=$(nix path-info --json --all --closure-size \
+nix_paths=$(nix path-info --json --all --closure-size |
-  | jq 'map_values(.closureSize | select(true)) | to_entries | sort_by(.value)' \
+  jq 'map_values(.closureSize | select(true)) | to_entries | sort_by(.value)' |
-  | jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g')
+  jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g')
 readarray -t nix_path_array < <(echo "$nix_paths")
 batchsize=1000
-for((i=0; i < ${#nix_path_array[@]}; i+=batchsize))
+for ((i = 0; i < ${#nix_path_array[@]}; i += batchsize)); do
 do
  part=("${nix_path_array[@]:i:batchsize}")
  attic push nix-cache "${part[@]}"
--- a/utils/sops-mergetool-new.sh
+++ b/utils/sops-mergetool-new.sh
@ -2,7 +2,10 @@
 # Rename CLI parameters to friendlier names
 # https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver
-base="$1"; local_="$2"; remote="$3"; merged="$4"
+base="$1"
 local_="$2"
 remote="$3"
 merged="$4"
 # Load the mergetool scripts
 TOOL_MODE=merge
@ -62,4 +65,3 @@ run_merge_tool "${mergetool}" true
 # Re-encrypt content
 sops --encrypt "$merged_decrypted" >"$merged"
--- a/utils/sops-mergetool.sh
+++ b/utils/sops-mergetool.sh
@ -6,7 +6,10 @@ set -x
 # Rename our variables to friendlier equivalents
 # https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver
-base="$1"; local_="$2"; remote="$3"; merged="$4"
+base="$1"
 local_="$2"
 remote="$3"
 merged="$4"
 echo "$base"
 echo "$local_"
@ -18,7 +21,7 @@ echo "$merged"
 mergetool="$(git config --get merge.tool)"
 GIT_DIR="$(git --exec-path)"
 if test "$mergetool" = ""; then
-  echo "No default \`merge.tool\` was set for \`git\`. Please set one via \`git config --set merge.tool <tool>\`" 1>&2
+  echo 'No default `merge.tool` was set for `git`. Please set one via `git config --set merge.tool <tool>`' 1>&2
  exit 1
 fi
@ -83,4 +86,3 @@ set -eu
 # Re-encrypt content
 sops --encrypt "$merged_decrypted" >"$merged"