diff --git a/flake.lock b/flake.lock
index 8263057..acbfc4a 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,20 @@
 {
 "nodes": {
+ "flake-utils": {
+ "locked": {
+ "lastModified": 1600209923,
+ "narHash": "sha256-zoOWauTliFEjI++esk6Jzk7QO5EKpddWXQm9yQK24iM=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "3cd06d3c1df6879c9e41cb2c33113df10566c760",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
 "nixpkgs": {
 "locked": {
 "lastModified": 1599148892,
@@ -16,6 +31,7 @@
 },
 "root": {
 "inputs": {
+ "flake-utils": "flake-utils",
 "nixpkgs": "nixpkgs"
 }
 }
diff --git a/flake.nix b/flake.nix
index b076214..ca00c66 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,18 +1,13 @@
 {
 description = "Secret management with age";
- outputs = { self, nixpkgs }: let
- systems = [
- "x86_64-linux"
- "i686-linux"
- "x86_64-darwin"
- "aarch64-linux"
- "armv6l-linux"
- "armv7l-linux"
- ];
- forAllSystems = f: nixpkgs.lib.genAttrs systems (system: f system);
- in {
- nixosModules.age = import ./modules/age.nix;
- packages = forAllSystems (system: nixpkgs.legacyPackages.${system}.callPackage ./default.nix {});
- defaultPackage = forAllSystems (system: self.packages.${system}.agenix);
- };
+
+ inputs.flake-utils.url = "github:numtide/flake-utils";
+
+ outputs = { self, nixpkgs, flake-utils }:
+ flake-utils.lib.eachDefaultSystem (system:
+ {
+ nixosModules.age = import ./modules/age.nix;
+ packages = nixpkgs.legacyPackages.${system}.callPackage ./default.nix {};
+ defaultPackage = self.packages.${system}.agenix;
+ });
 }
diff --git a/modules/age.nix b/modules/age.nix
index e267e23..d645ae8 100644
--- a/modules/age.nix
+++ b/modules/age.nix
@@ -4,6 +4,9 @@ with lib;
 let
 cfg = config.age;
+ rage = pkgs.callPackage ../pkgs/rage.nix {};
+ ageBin = "${rage}/bin/rage";
+
 users = config.users.users;
 identities = builtins.concatStringsSep " " (map (path: "-i ${path}") cfg.sshKeyPaths);
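Review bot: `nixosModules.age` is defined inside the `eachDefaultSystem` callback, so the flake now exports it as `nixosModules.<system>.age` instead of the previous `nixosModules.age`, which breaks existing `inputs.agenix.nixosModules.age` imports and is not the attribute layout `nix flake check` expects for that output. The module does not depend on `system`, so keep it outside the per-system set: `outputs = { self, nixpkgs, flake-utils }: { nixosModules.age = import ./modules/age.nix; } // flake-utils.lib.eachDefaultSystem (system: { packages = ...; defaultPackage = ...; });`. Note also that `eachDefaultSystem` replaces the explicit list of six systems with flake-utils' default set, which as far as I recall does not include `armv6l-linux` or `armv7l-linux`; if those targets were intentional, `flake-utils.lib.eachSystem [ ... ]` with the old list preserves them.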
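Review bot: The decryption binary is hard-wired to a private rage build (`rage = pkgs.callPackage ../pkgs/rage.nix {}`) inside the module, so an operator cannot substitute `pkgs.rage` or `pkgs.age` from their own audited nixpkgs without forking the module — for the component that handles every host secret, that is a trust decision worth exposing. Consider an option, `ageBin = mkOption { type = types.str; default = "${rage}/bin/rage"; description = "Path to the age-compatible binary used to decrypt secrets."; }`, and reference `cfg.ageBin` in the install script so the binary can be pinned and audited at deployment level. The `let` block this hunk edits continues outside the hunk.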
@@ -11,7 +14,7 @@ let
 echo "decrypting ${secretType.file} to ${secretType.path}..."
 TMP_FILE="${secretType.path}.tmp"
 mkdir -p $(dirname ${secretType.path})
- (umask 0400; ${pkgs.age}/bin/age --decrypt ${identities} -o "$TMP_FILE" "${secretType.file}")
+ (umask 0400; ${ageBin} --decrypt ${identities} -o "$TMP_FILE" "${secretType.file}")
 chmod ${secretType.mode} "$TMP_FILE"
 chown ${secretType.owner}:${secretType.group} "$TMP_FILE"
 mv -f "$TMP_FILE" '${secretType.path}'
diff --git a/pkgs/agenix.nix b/pkgs/agenix.nix
index 07520f9..cae142a 100644
--- a/pkgs/agenix.nix
+++ b/pkgs/agenix.nix
@@ -1,4 +1,8 @@
-{writeShellScriptBin, runtimeShell, age} :
+{writeShellScriptBin, runtimeShell, pkgs} :
+let
+ rage = pkgs.callPackage ./rage.nix {};
+ ageBin = "${rage}/bin/rage";
+in
 writeShellScriptBin "agenix" ''
 set -Eeuo pipefail
@@ -24,6 +28,9 @@ function show_help () {
 echo ' '
 echo 'RULES environment variable with path to Nix file specifying recipient public keys.'
 echo "Defaults to './secrets.nix'"
+ echo ' '
+ echo "age binary path: ${ageBin}"
+ echo "age version: $(${ageBin} --version)"
 }
 test $# -eq 0 && (show_help && exit 1)
@@ -103,7 +110,7 @@ function edit {
 DECRYPT+=(--identity "$key")
 done <<<"$((find ~/.ssh -maxdepth 1 -type f -not -name "*pub" -not -name "config" -not -name "authorized_keys" -not -name "known_hosts") || exit 1)"
 DECRYPT+=(-o "$CLEARTEXT_FILE" "$FILE")
- ${age}/bin/age "''${DECRYPT[@]}" || exit 1
+ ${ageBin} "''${DECRYPT[@]}" || exit 1
 cp "$CLEARTEXT_FILE" "$CLEARTEXT_FILE.before"
 fi
@@ -127,7 +134,7 @@ function edit {
 ENCRYPT+=(-o "$REENCRYPTED_FILE")
- ${age}/bin/age "''${ENCRYPT[@]}" <"$CLEARTEXT_FILE" || exit 1
+ ${ageBin} "''${ENCRYPT[@]}" <"$CLEARTEXT_FILE" || exit 1
 mv -f "$REENCRYPTED_FILE" "$1"
 }
diff --git a/pkgs/rage.nix b/pkgs/rage.nix
new file mode 100644
index 0000000..9cf5a5f
--- /dev/null
+++ b/pkgs/rage.nix
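Review bot: `umask 0400` on the rewritten decrypt line clears only the owner-read bit, so an output file created with the usual 0666 request ends up 0266 — readable and writable by group and others — until the `chmod` two lines later, leaving the plaintext briefly exposed to any local user in the target directory. The mask should strip group and other entirely, e.g. `(umask u=r,g=,o=; ${ageBin} --decrypt ${identities} -o "$TMP_FILE" "${secretType.file}")`. Whether rage itself creates `-o` targets with a restrictive mode I cannot tell from here; the shell-level mask is the right belt-and-braces either way. The install script this line belongs to starts and ends outside the hunk.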
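Review bot: Taking `pkgs` and building rage inside the file makes the binary non-overridable — a caller of `callPackage ./agenix.nix` can no longer swap the implementation via `.override`, and the same rage derivation is now declared both here and in modules/age.nix. A parameter with a default keeps the pin while restoring that: `{writeShellScriptBin, runtimeShell, pkgs, ageBin ? "${pkgs.callPackage ./rage.nix {}}/bin/rage"}:` and drop the `let`. Avoid naming the parameter `rage`, since `callPackage` would then auto-fill it from nixpkgs' own `rage` attribute and silently ignore the default.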
@@ -0,0 +1,37 @@
+{stdenv, rustPlatform, fetchFromGitHub, installShellFiles, darwin }:
+
+rustPlatform.buildRustPackage rec {
+ pname = "rage";
+ version = "unstable-2020-09-05";
+
+ src = fetchFromGitHub {
+ owner = "str4d";
+ repo = pname;
+ rev = "8368992e60cbedb2d6b725c3e25440e65d8544d1";
+ sha256 = "sha256-ICcApZQrR4hGxo/RcFMktenE4dswAXA2/nJ5D++O2ig=";
+ };
+
+ cargoSha256 = "sha256-QwNtp7Hxsiads3bh8NRra25RdPbIdjp+pSWTllAvdmQ=";
+
+ nativeBuildInputs = [ installShellFiles ];
+
+ buildInputs = stdenv.lib.optionals stdenv.isDarwin [ darwin.Security ];
+
+ postBuild = ''
+ cargo run --example generate-docs
+ cargo run --example generate-completions
+ '';
+
+ postInstall = ''
+ installManPage target/manpages/*
+ installShellCompletion target/completions/*.{bash,fish,zsh}
+ '';
+
+ meta = with stdenv.lib; {
+ description = "A simple, secure and modern encryption tool with small explicit keys, no config options, and UNIX-style composability";
+ homepage = "https://github.com/str4d/rage";
+ changelog = "https://github.com/str4d/rage/releases/tag/v${version}";
+ license = licenses.asl20;
+ maintainers = [ maintainers.marsam ];
+ };
+}
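Review bot: `changelog = "https://github.com/str4d/rage/releases/tag/v${version}"` combined with `version = "unstable-2020-09-05"` yields `.../tag/vunstable-2020-09-05`, a tag that cannot exist; either drop `changelog` or point it at the pinned commit by hoisting the hash into the `rec` set as `rev = "8368992e60cbedb2d6b725c3e25440e65d8544d1";` and using `changelog = "https://github.com/str4d/rage/commit/${rev}";`. The package is pinned to an untagged commit; the `rev`/`sha256`/`cargoSha256` triple does fix the inputs, but there is no upstream release or signed tag to cross-check it against, so a comment above `rev` stating why this commit is needed rather than the latest release (and when it can return to a tagged version) would help whoever next audits this dependency. `maintainers = [ maintainers.marsam ]` looks carried over from the nixpkgs expression; unless that person actually maintains this vendored copy, it is misleading attribution.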