From 5c1198a352b5fac579be4aff9cd9cbfe2920c282 Mon Sep 17 00:00:00 2001
From: Ryan Mulligan <ryan@ryantm.com>
Date: Wed, 20 Dec 2023 13:13:47 -0800
Subject: [PATCH] feat: switch from rage to age

Why
===
* Someone said age works better with password protected keys,
requiring entering the password less often.
* We switched to rage from age in
https://github.com/ryantm/agenix/commit/07ce686870f52a7397164b755d721bc85f110aac
because it was limiting recipients to 20. This was fixed
https://github.com/FiloSottile/age/issues/139

What changed
===
* Switch from rage back to age (the reference implementation) in all
the spots
* Update the docs to show how to switch back to Rage
* Skip keys that are empty files, which fixes the integration test.
---
 README.md            | 10 +++++-----
 doc/notices.md       |  2 +-
 doc/reference.md     |  2 +-
 modules/age-home.nix |  2 +-
 modules/age.nix      |  5 +++--
 pkgs/agenix.nix      |  4 ++--
 6 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/README.md b/README.md
index 998bfc2..b66df95 100644
--- a/README.md
+++ b/README.md
@@ -45,7 +45,7 @@ All files in the Nix store are readable by any system user, so it is not a suita
 
 ## Notices
 
-* Password-protected ssh keys: since the underlying tool age/rage do not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times.
+* Password-protected ssh keys: since age does not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times.
 
 ## Installation
 
@@ -487,7 +487,7 @@ Example of a secret with a name different from its attrpath:
 #### `age.ageBin`
 
 `age.ageBin` the string of the path to the `age` binary. Usually, you
-don't need to change this. Defaults to `rage/bin/rage`.
+don't need to change this. Defaults to `age/bin/age`.
 
 Overriding `age.ageBin` example:
 
@@ -587,13 +587,13 @@ improved upon by reading the identities from the age file.)
 
 #### Overriding age binary
 
-The agenix CLI uses `rage` by default as its age implemenation, you
-can use the reference implementation `age` with Flakes like this:
+The agenix CLI uses `age` by default as its age implemenation, you
+can use the `rage` implementation with Flakes like this:
 
 ```nix
 {pkgs,agenix,...}:{
   environment.systemPackages = [
-    (agenix.packages.x86_64-linux.default.override { ageBin = "${pkgs.age}/bin/age"; })
+    (agenix.packages.x86_64-linux.default.override { ageBin = "${pkgs.rage}/bin/rage"; })
   ];
 }
 ```
diff --git a/doc/notices.md b/doc/notices.md
index 5dcc5a9..a186507 100644
--- a/doc/notices.md
+++ b/doc/notices.md
@@ -1,3 +1,3 @@
 # Notices {#notices}
 
-* Password-protected ssh keys: since the underlying tool age/rage do not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times.
+* Password-protected ssh keys: since age does not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times.
diff --git a/doc/reference.md b/doc/reference.md
index 614b0c9..2419559 100644
--- a/doc/reference.md
+++ b/doc/reference.md
@@ -166,7 +166,7 @@ Example of a secret with a name different from its attrpath:
 ### `age.ageBin`
 
 `age.ageBin` the string of the path to the `age` binary. Usually, you
-don't need to change this. Defaults to `rage/bin/rage`.
+don't need to change this. Defaults to `age/bin/age`.
 
 Overriding `age.ageBin` example:
 
diff --git a/modules/age-home.nix b/modules/age-home.nix
index 99ccccb..9577eb8 100644
--- a/modules/age-home.nix
+++ b/modules/age-home.nix
@@ -155,7 +155,7 @@ with lib; let
     '';
 in {
   options.age = {
-    package = mkPackageOption pkgs "rage" {};
+    package = mkPackageOption pkgs "age" {};
 
     secrets = mkOption {
       type = types.attrsOf secretType;
diff --git a/modules/age.nix b/modules/age.nix
index 9468779..86c4447 100644
--- a/modules/age.nix
+++ b/modules/age.nix
@@ -69,6 +69,7 @@ with lib; let
     IDENTITIES=()
     for identity in ${toString cfg.identityPaths}; do
       test -r "$identity" || continue
+      test -s "$identity" || continue
       IDENTITIES+=(-i)
       IDENTITIES+=("$identity")
     done
@@ -189,9 +190,9 @@ in {
   options.age = {
     ageBin = mkOption {
       type = types.str;
-      default = "${pkgs.rage}/bin/rage";
+      default = "${pkgs.age}/bin/age";
       defaultText = literalExpression ''
-        "''${pkgs.rage}/bin/rage"
+        "''${pkgs.age}/bin/age"
       '';
       description = ''
         The age executable to use.
diff --git a/pkgs/agenix.nix b/pkgs/agenix.nix
index 0d35bf4..7ce6de2 100644
--- a/pkgs/agenix.nix
+++ b/pkgs/agenix.nix
@@ -1,13 +1,13 @@
 {
   lib,
   stdenv,
-  rage,
+  age,
   jq,
   nix,
   mktemp,
   diffutils,
   substituteAll,
-  ageBin ? "${rage}/bin/rage",
+  ageBin ? "${age}/bin/age",
   shellcheck,
 }:
 stdenv.mkDerivation rec {