use Nix instead of YAML

README.md

@@ -114,29 +114,23 @@ nix run github:ryantm/agenix -- --help
 
 ## Tutorial
 
-1. Make a directory to store secrets and a YAML file for configuring encryption.
+1. Make a directory to store secrets and `secrets.nix` file for listing secrets and their public keys:
 
    ```console
    $ mkdir secrets
    $ cd secerts
-   $ touch secrets.yaml
+   $ touch secrets.nix
    ```
-2. Add public keys to `secrets.yaml` file (hint: use `ssh-keyscan` or GitHub (for example, https://github.com/ryantm.keys)):
+2. Add public keys to `secrets.nix` file (hint: use `ssh-keyscan` or GitHub (for example, https://github.com/ryantm.keys)):
-   ```yaml
+   ```nix
-   public_keys:
+   let
-     # users
+     user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH";
-     - &user1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH
+     system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE";
-     # systems
+   in
-     - &system1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE
+   {
-
+     "secret1.age".public_keys = [ user1 system1];
-   secrets:
+     "secret2.age".public_keys = [ user1 ];
-     - name: secret1.age
+   }
-       public_keys:
-         - *user1
-         - *system1
-     - name: secret2.age
-       public_keys:
-         - *user1
    ```
 3. Edit secret files (assuming your SSH private key is in ~/.ssh/):
    ```console
@@ -150,7 +144,7 @@ nix run github:ryantm/agenix -- --help
 
 ## Rekeying
 
-If you change the public keys in `secrets.yaml`, you should rekey your
+If you change the public keys in `secrets.nix`, you should rekey your
 secrets:
 
 ```console

example/secrets.nix

@@ -0,0 +1,8 @@
+let
+  user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH";
+  system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE";
+in
+{
+  "secret1.age".public_keys = [ user1 system1];
+  "secret2.age".public_keys = [ user1 ];
+}

example/secrets.yaml

@@ -1,14 +0,0 @@
-public_keys:
-  # users
-  - &user1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH
-  # systems
-  - &system1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE
-
-secrets:
-  - name: secret1.age
-    public_keys:
-      - *user1
-      - *system1
-  - name: secret2.age
-    public_keys:
-      - *user1

pkgs/agenix.nix

@@ -1,6 +1,7 @@
-{writeShellScriptBin, runtimeShell, age, yq-go} :
+{writeShellScriptBin, runtimeShell, age} :
 writeShellScriptBin "agenix" ''
 set -euo pipefail
+
 PACKAGE="agenix"
 
 function show_help () {
@@ -21,14 +22,14 @@ function show_help () {
   echo ' '
   echo 'EDITOR environment variable of editor to use when editing FILE'
   echo ' '
-  echo 'RULES environment variable with path to YAML file specifying recipient public keys.'
+  echo 'RULES environment variable with path to Nix file specifying recipient public keys.'
-  echo "Defaults to 'secrets.yaml'"
+  echo "Defaults to 'secrets.nix'"
 }
 
 test $# -eq 0 && (show_help && exit 1)
 
 REKEY=0
-DECRYPT=(--decrypt)
+DEFAULT_DECRYPT=(--decrypt)
 
 while test $# -gt 0; do
   case "$1" in
@@ -49,7 +50,7 @@ while test $# -gt 0; do
     -i|--identity)
       shift
       if test $# -gt 0; then
-        DECRYPT+=(--identity "$1")
+        DEFAULT_DECRYPT+=(--identity "$1")
       else
         echo "no PRIVATE_KEY specified"
         exit 1
@@ -67,7 +68,7 @@ while test $# -gt 0; do
   esac
 done
 
-RULES=''${RULES:-secrets.yaml}
+RULES=''${RULES:-secrets.nix}
 
 function cleanup {
     if [ ! -z ''${CLEARTEXT_DIR+x} ]
@@ -83,7 +84,7 @@ trap "cleanup" 0 2 3 15
 
 function edit {
     FILE=$1
-    KEYS=$(${yq-go}/bin/yq r "$RULES" "secrets.(name==$FILE).public_keys.**")
+    KEYS=$(nix eval -f "$RULES" --raw "\"$FILE\".public_keys" --apply "builtins.concatStringsSep \"\n\"")
     if [ -z "$KEYS" ]
     then
         >&2 echo "There is no rule for $FILE in $RULES."
@@ -95,6 +96,7 @@ function edit {
 
     if [ -f "$FILE" ]
     then
+        DECRYPT=("''${DEFAULT_DECRYPT[@]}")
         while IFS= read -r key
         do
             DECRYPT+=(--identity "$key")
@@ -123,7 +125,7 @@ function edit {
 
 function rekey {
     echo "rekeying..."
-    FILES=$(${yq-go}/bin/yq r "$RULES" "secrets.*.name")
+    FILES=$(nix eval -f "$RULES" --raw --apply "f: builtins.concatStringsSep \"\n\" (builtins.attrNames f)")
     for FILE in $FILES
     do
         EDITOR=: edit $FILE