This can happen if for example a secret is used in the initrd, which
materializes it as a directory, which then causes agenix to silently
create an incorrect link when switching to stage2. This ensures that
agenix will abort with an error.
Why
===
* We'd like some tests for the CLI
* Last time we tried it failed on macos
What changed
===
* This time, we try to create the temp diretory in a way that works
with macos too
nix-darwin is detecting `/etc/nix/nix.conf` from the
cachix/install-nix-action and refusing to overwrite it, failing the
nix-darwin activation and therefore the rest of CI.
This commit `mv`s the existing `nix.conf` to avoid the above, and then
adds support for new-style nix commands and flakes to the nix-darwin
configuration to allow their subsequent use in CI.
It also removes the nix config from the `cachix/install-nix-action`
step, which was duplicated effort since we are blowing it away with
nix-darwin anyway.
Relevant:
- https://github.com/LnL7/nix-darwin/issues/149
Why
===
* Someone said age works better with password protected keys,
requiring entering the password less often.
* We switched to rage from age in
07ce686870
because it was limiting recipients to 20. This was fixed
https://github.com/FiloSottile/age/issues/139
What changed
===
* Switch from rage back to age (the reference implementation) in all
the spots
* Update the docs to show how to switch back to Rage
* Skip keys that are empty files, which fixes the integration test.
Why
===
* flake.nix had a lot of almost redundant lines in it.
* i686 support is probably being dropped soon in nixpkgs
https://github.com/NixOS/nixpkgs/pull/266164
What changed
==
* Add new input nix-systems/default which represents the default
systems typically used in the Nix community
* Define and use an eachSystem function that simplifies the flake.nix file
The functions was always called with `$FILE` as first argument, but inside the argument is ignored. This change doesn' have any impact, but can solve problems caused by the keys function called with an argument different from `$FILE`
When you do not have your pubkeys in your `secrets.nix` verbatim as
string but read them from file like this: `desktop1 = builtins.readFile
./desktop1.pub;`, you will end up with empty newlines in the resulting
list of keys, which will add `--recipient=''` arguments to your age
call, failing the call.
