feat: switch from rage to age

Why
===
* Someone said age works better with password protected keys,
requiring entering the password less often.
* We switched to rage from age in
07ce686870
because it was limiting recipients to 20. This was fixed
https://github.com/FiloSottile/age/issues/139

What changed
===
* Switch from rage back to age (the reference implementation) in all
the spots
* Update the docs to show how to switch back to Rage
* Skip keys that are empty files, which fixes the integration test.

README.md

@@ -45,7 +45,7 @@ All files in the Nix store are readable by any system user, so it is not a suita
 
 ## Notices
 
-* Password-protected ssh keys: since the underlying tool age/rage do not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times.
+* Password-protected ssh keys: since age does not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times.
 
 ## Installation
 
@@ -487,7 +487,7 @@ Example of a secret with a name different from its attrpath:
 #### `age.ageBin`
 
 `age.ageBin` the string of the path to the `age` binary. Usually, you
-don't need to change this. Defaults to `rage/bin/rage`.
+don't need to change this. Defaults to `age/bin/age`.
 
 Overriding `age.ageBin` example:
 
@@ -587,13 +587,13 @@ improved upon by reading the identities from the age file.)
 
 #### Overriding age binary
 
-The agenix CLI uses `rage` by default as its age implemenation, you
+The agenix CLI uses `age` by default as its age implemenation, you
-can use the reference implementation `age` with Flakes like this:
+can use the `rage` implementation with Flakes like this:
 
 ```nix
 {pkgs,agenix,...}:{
   environment.systemPackages = [
-    (agenix.packages.x86_64-linux.default.override { ageBin = "${pkgs.age}/bin/age"; })
+    (agenix.packages.x86_64-linux.default.override { ageBin = "${pkgs.rage}/bin/rage"; })
   ];
 }
 ```

doc/notices.md

@@ -1,3 +1,3 @@
 # Notices {#notices}
 
-* Password-protected ssh keys: since the underlying tool age/rage do not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times.
+* Password-protected ssh keys: since age does not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times.

doc/reference.md

@@ -166,7 +166,7 @@ Example of a secret with a name different from its attrpath:
 ### `age.ageBin`
 
 `age.ageBin` the string of the path to the `age` binary. Usually, you
-don't need to change this. Defaults to `rage/bin/rage`.
+don't need to change this. Defaults to `age/bin/age`.
 
 Overriding `age.ageBin` example:
 

modules/age-home.nix

@@ -155,7 +155,7 @@ with lib; let
     '';
 in {
   options.age = {
-    package = mkPackageOption pkgs "rage" {};
+    package = mkPackageOption pkgs "age" {};
 
     secrets = mkOption {
       type = types.attrsOf secretType;

modules/age.nix

@@ -69,6 +69,7 @@ with lib; let
     IDENTITIES=()
     for identity in ${toString cfg.identityPaths}; do
       test -r "$identity" || continue
+      test -s "$identity" || continue
       IDENTITIES+=(-i)
       IDENTITIES+=("$identity")
     done
@@ -189,9 +190,9 @@ in {
   options.age = {
     ageBin = mkOption {
       type = types.str;
-      default = "${pkgs.rage}/bin/rage";
+      default = "${pkgs.age}/bin/age";
       defaultText = literalExpression ''
-        "''${pkgs.rage}/bin/rage"
+        "''${pkgs.age}/bin/age"
       '';
       description = ''
         The age executable to use.

pkgs/agenix.nix

@@ -1,13 +1,13 @@
 {
   lib,
   stdenv,
-  rage,
+  age,
   jq,
   nix,
   mktemp,
   diffutils,
   substituteAll,
-  ageBin ? "${rage}/bin/rage",
+  ageBin ? "${age}/bin/age",
   shellcheck,
 }:
 stdenv.mkDerivation rec {