Merge remote-tracking branch 'origin/master'

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

.preseed/SECRETS.yaml

@@ -34,12 +34,12 @@ secrets:
   ################################################################################################################################
   luks:
     backup:
-      note: "The value is '<share-identifier>:<password>' (colon-separated). Use the same dedicated destination and credentials across servers."
+      note: "The value is [<share-identifier>:<password>] (colon-separated). Use the same dedicated destination and credentials across servers."
       scope: "offsite-backup"
       type: "plain"
       value: "NextcloudFolderNameOrShareID:SuperSecurePassword123!"
     boot:
-      note: "Dedicated passphrase for the '/boot' partition; chosen for easy manual input via the VPS web console."
+      note: "Dedicated passphrase for the [/boot] partition; chosen for easy manual input via the VPS web console."
       scope: "luks"
       type: "plain"
       value: "Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!"
@@ -59,7 +59,7 @@ secrets:
   seeds:
     mfa:
       info:
-        note: "MFA version identifier (e.g., 'totp:v1') for seamless mfa secrets rollover."
+        note: "MFA version identifier, e.g., [totp:v1] for seamless mfa secrets rollover."
         scope: "mfa"
         type: "plain"
         value: "totp:v1"

func/cdi_1250_yaml/1256_yaml_xfiles.sh

@@ -190,7 +190,7 @@ yaml_secret() {
 
   yq -o=shell "${secrets_if}" >| "${__SECRETS}" && ciss_secrets_wiper "${secrets_if}"
 
-  sed -n -E '
+  sed -i -E '
     /^[[:space:]]*(#|$)/b                          # Skip empty/comment lines.
     s/^[[:space:]]*export[[:space:]]+//            # Drop optional leading "export ".
     /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*_value=/!b # Keep only *_value= assignments.