Merge pull request #259 from hansemschnokeloch/patch-1

Fix typo

.github/release-drafter.yml

@@ -0,0 +1,35 @@
+
+name-template: '$RESOLVED_VERSION'
+tag-template: '$RESOLVED_VERSION'
+categories:
+  - title: '🚀 Features'
+    labels:
+      - 'feature'
+      - 'enhancement'
+  - title: '🐛 Bug Fixes'
+    labels:
+      - 'fix'
+      - 'bugfix'
+      - 'bug'
+  - title: '🧰 Development'
+    label: 'dev'
+  - title: '🤖 Dependencies'
+    label: 'dependencies'
+  - title: '🔒 Security'
+    label: 'security'
+change-template: '- $TITLE @$AUTHOR (#$NUMBER)'
+change-title-escapes: '\<*_&' # You can add # and @ to disable mentions, and add ` to disable code blocks.
+version-resolver:
+  major:
+    labels:
+      - 'major'
+  minor:
+    labels:
+      - 'minor'
+  patch:
+    labels:
+      - 'patch'
+  default: patch
+template: |
+  ## Changes
+  $CHANGES

.github/workflows/ci.yaml

@@ -0,0 +1,51 @@
+name: "CI"
+on:
+  pull_request:
+  push:
+jobs:
+  tests-linux:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - uses: cachix/install-nix-action@v22
+      with:
+        extra_nix_config: |
+          system-features = nixos-test recursive-nix benchmark big-parallel kvm
+          extra-experimental-features = recursive-nix nix-command flakes
+    - run: nix build
+    - run: nix build .#doc
+    - run: nix fmt . -- --check
+    - run: nix flake check
+  tests-darwin:
+    runs-on: macos-12
+    steps:
+    - uses: actions/checkout@v3
+    - uses: cachix/install-nix-action@v24
+      with:
+        extra_nix_config: |
+          system-features = nixos-test recursive-nix benchmark big-parallel kvm
+          extra-experimental-features = recursive-nix nix-command flakes
+    - run: nix build
+    - run: nix build .#doc
+    - run: nix fmt . -- --check
+    - run: nix flake check
+    - name: "Install nix-darwin module"
+      run: |
+        # https://github.com/ryantm/agenix/pull/230#issuecomment-1867025385
+
+        sudo mv /etc/nix/nix.conf{,.bak}
+        nix \
+          --extra-experimental-features 'nix-command flakes' \
+          build .#checks.x86_64-darwin.integration
+
+        ./result/activate-user
+        sudo ./result/activate
+    - name: "Test nix-darwin module"
+      run: |
+        sudo /run/current-system/sw/bin/agenix-integration
+    - name: "Test home-manager module"
+      run: |
+        # Do the job of `home-manager switch` in-line to avoid rate limiting
+        nix build .#homeConfigurations.integration-darwin.activationPackage
+        ./result/activate
+        ~/agenix-home-integration/bin/agenix-home-integration

.github/workflows/doc.yml

@@ -0,0 +1,41 @@
+# Simple workflow for deploying static content to GitHub Pages
+name: Deploy static content to Pages
+
+on:
+  # Runs on pushes targeting the default branch
+  push:
+    branches: [$default-branch]
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
+# Allow one concurrent deployment
+concurrency:
+  group: "pages"
+  cancel-in-progress: true
+
+jobs:
+  # Single deploy job since we're just deploying
+  deploy:
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Setup Pages
+        uses: actions/configure-pages@v3
+      - uses: cachix/install-nix-action@v20
+      - run: nix build .#doc && mkdir -p _site/ && cp -r ./result/multi/* _site/
+      - name: Upload artifact
+        uses: actions/upload-pages-artifact@v1
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v1

.github/workflows/flakehub-publish-tagged.yml

@@ -0,0 +1,27 @@
+name: "Publish tags to FlakeHub"
+on:
+  push:
+    tags:
+      - "v?[0-9]+.[0-9]+.[0-9]+*"
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "The existing tag to publish to FlakeHub"
+        type: "string"
+        required: true
+jobs:
+  flakehub-publish:
+    runs-on: "ubuntu-latest"
+    permissions:
+      id-token: "write"
+      contents: "read"
+    steps:
+      - uses: "actions/checkout@v3"
+        with:
+          ref: "${{ (inputs.tag != null) && format('refs/tags/{0}', inputs.tag) || '' }}"
+      - uses: "DeterminateSystems/nix-installer-action@main"
+      - uses: "DeterminateSystems/flakehub-push@main"
+        with:
+          visibility: "public"
+          name: "ryantm/agenix"
+          tag: "${{ inputs.tag }}"

.github/workflows/release-drafter.yml

@@ -0,0 +1,33 @@
+name: Release Drafter
+
+on:
+  push:
+    # branches to consider in the event; optional, defaults to all
+    branches:
+      - main
+  # pull_request event is required only for autolabeler
+  pull_request:
+    # Only following types are handled by the action, but one can default to all as well
+    types: [opened, reopened, synchronize]
+  # pull_request_target event is required for autolabeler to support PRs from forks
+  pull_request_target:
+    types: [opened, reopened, synchronize]
+
+permissions:
+  contents: read
+
+jobs:
+  update_release_draft:
+    permissions:
+      # write permission is required to create a github release
+      contents: write
+      # write permission is required for autolabeler
+      # otherwise, read permission is required at least
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      # Drafts your next Release notes as Pull Requests are merged into "main"
+      - uses: release-drafter/release-drafter@v5
+        continue-on-error: true
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -0,0 +1 @@
+/result

README.md

@@ -1,6 +1,32 @@
 # agenix - [age](https://github.com/FiloSottile/age)-encrypted secrets for NixOS
 
-`agenix` is a commandline tool for managing secrets encrypted with your existing SSH keys. This project also includes the NixOS module `age` for adding encrypted secrets into the Nix store and decrypting them.
+`agenix` is a small and convenient Nix library for securely managing and deploying secrets using common public-private SSH key pairs:
+You can encrypt a secret (password, access-token, etc.) on a source machine using a number of public SSH keys,
+and deploy that encrypted secret to any another target machine that has the corresponding private SSH key of one of those public keys.  
+This project contains two parts: 
+1. An `agenix` commandline app (CLI) to encrypt secrets into secured `.age` files that can be copied into the Nix store.
+2. An `agenix` NixOS module to conveniently
+    * add those encrypted secrets (`.age` files) into the Nix store so that they can be deployed like any other Nix package using `nixos-rebuild` or similar tools.
+    * automatically decrypt on a target machine using the private SSH keys on that machine
+    * automatically mount these decrypted secrets on a well known path like `/run/agenix/...` to be consumed.
+
+## Contents
+
+* [Problem and solution](#problem-and-solution)
+* [Features](#features)
+* [Installation](#installation)
+  * [niv](#install-via-niv)
+  * [nix-channel](#install-via-nix-channel)
+  * [fetchTarball](#install-via-fetchtarball)
+  * [flakes](#install-via-flakes)
+* [Tutorial](#tutorial)
+* [Reference](#reference)
+  * [`age` module reference](#age-module-reference)
+  * [agenix CLI reference](#agenix-cli-reference)
+* [Community and Support](#community-and-support)
+* [Threat model/Warnings](#threat-modelwarnings)
+* [Contributing](#contributing)
+* [Acknowledgements](#acknowledgements)
 
 ## Problem and solution
 
@@ -19,13 +45,16 @@ All files in the Nix store are readable by any system user, so it is not a suita
 
 ## Notices
 
-* If you want to manage user's hashed passwords, you must use a version of NixOS with [commit e6b8587](https://github.com/NixOS/nixpkgs/commit/e6b8587b25a19528695c5c270e6ff1c209705c31), so the root-owned secrets can be decrypted before the user activation script runs. Currently only available on `unstable`.
+* Password-protected ssh keys: since age does not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times.
 
 ## Installation
 
-Choose one of the following methods:
+<details>
+<summary>
 
-### [niv](https://github.com/nmattia/niv) (Current recommendation)
+### Install via [niv](https://github.com/nmattia/niv)
+
+</summary>
 
 First add it to niv:
 
@@ -33,40 +62,78 @@ First add it to niv:
 $ niv add ryantm/agenix
 ```
 
-#### Module
+#### Install module via niv
 
-Then add the following to your configuration.nix in the `imports` list:
+Then add the following to your `configuration.nix` in the `imports` list:
 
 ```nix
 {
-  imports = [ "${(import ./nix/sources.nix).agenix}/modules/age" ];
+  imports = [ "${(import ./nix/sources.nix).agenix}/modules/age.nix" ];
 }
 ```
 
-### nix-channel
+#### Install CLI via niv
 
-  As root run:
+To install the `agenix` binary:
+
+```nix
+{
+  environment.systemPackages = [ (pkgs.callPackage "${(import ./nix/sources.nix).agenix}/pkgs/agenix.nix" {}) ];
+}
+```
+
+</details>
+
+<details>
+<summary>
+
+### Install via nix-channel
+
+</summary>
+
+As root run:
 
 ```ShellSession
-$ nix-channel --add https://github.com/ryantm/agenix/archive/master.tar.gz agenix
-$ nix-channel --update
+$ sudo nix-channel --add https://github.com/ryantm/agenix/archive/main.tar.gz agenix
+$ sudo nix-channel --update
 ```
 
-  Than add the following to your configuration.nix in the `imports` list:
+#### Install module via nix-channel
+
+Then add the following to your `configuration.nix` in the `imports` list:
 
 ```nix
 {
-  imports = [ <agenix/modules/age> ];
+  imports = [ <agenix/modules/age.nix> ];
 }
 ```
 
-### fetchTarball
+#### Install CLI via nix-channel
 
-  Add the following to your configuration.nix:
+To install the `agenix` binary:
 
 ```nix
 {
-  imports = [ "${builtins.fetchTarball "https://github.com/ryantm/agenix/archive/master.tar.gz"}/modules/age" ];
+  environment.systemPackages = [ (pkgs.callPackage <agenix/pkgs/agenix.nix> {}) ];
+}
+```
+
+</details>
+
+<details>
+<summary>
+
+### Install via fetchTarball
+
+</summary>
+
+#### Install module via fetchTarball
+
+Add the following to your configuration.nix:
+
+```nix
+{
+  imports = [ "${builtins.fetchTarball "https://github.com/ryantm/agenix/archive/main.tar.gz"}/modules/age.nix" ];
 }
 ```
 
@@ -80,22 +147,41 @@ $ nix-channel --update
   in [
     "${builtins.fetchTarball {
       url = "https://github.com/ryantm/agenix/archive/${commit}.tar.gz";
-      # replace this with an actual hash
-      sha256 = "0000000000000000000000000000000000000000000000000000";
-    }}/modules/age"
+      # update hash from nix build output
+      sha256 = "";
+    }}/modules/age.nix"
   ];
 }
 ```
 
-### Flakes
+#### Install CLI via fetchTarball
 
-#### Module
+To install the `agenix` binary:
+
+```nix
+{
+  environment.systemPackages = [ (pkgs.callPackage "${builtins.fetchTarball "https://github.com/ryantm/agenix/archive/main.tar.gz"}/pkgs/agenix.nix" {}) ];
+}
+```
+
+</details>
+
+<details>
+<summary>
+
+### Install via Flakes
+
+</summary>
+
+#### Install module via Flakes
 
 ```nix
 {
   inputs.agenix.url = "github:ryantm/agenix";
   # optional, not necessary for the module
   #inputs.agenix.inputs.nixpkgs.follows = "nixpkgs";
+  # optionally choose not to download darwin deps (saves some resources on Linux)
+  #inputs.agenix.inputs.darwin.follows = "";
 
   outputs = { self, nixpkgs, agenix }: {
     # change `yourhostname` to your actual hostname
@@ -104,39 +190,69 @@ $ nix-channel --update
       system = "x86_64-linux";
       modules = [
         ./configuration.nix
-        agenix.nixosModules.age
+        agenix.nixosModules.default
       ];
     };
   };
 }
 ```
 
-#### CLI
+#### Install CLI via Flakes
 
-You don't need to install it,
+You can run the CLI tool ad-hoc without installing it:
 
 ```ShellSession
 nix run github:ryantm/agenix -- --help
 ```
 
-but, if you want to (change the system based on your system):
+But you can also add it permanently into a [NixOS module](https://wiki.nixos.org/wiki/NixOS_modules)
+(replace system "x86_64-linux" with your system):
 
 ```nix
 {
-  environment.systemPackages = [ agenix.defaultPackage.x86_64-linux ];
+  environment.systemPackages = [ agenix.packages.x86_64-linux.default ];
 }
 ```
 
+e.g. inside your `flake.nix` file:
+
+```nix
+{
+  inputs.agenix.url = "github:ryantm/agenix";
+  # ...
+
+  outputs = { self, nixpkgs, agenix }: {
+    # change `yourhostname` to your actual hostname
+    nixosConfigurations.yourhostname = nixpkgs.lib.nixosSystem {
+      system = "x86_64-linux";
+      modules = [
+        # ...
+        {
+          environment.systemPackages = [ agenix.packages.${system}.default ];
+        }
+      ];
+    };
+  };
+}
+```
+
+</details>
+
 ## Tutorial
 
-1. Make a directory to store secrets and `secrets.nix` file for listing secrets and their public keys:
+1. The system you want to deploy secrets to should already exist and
+   have `sshd` running on it so that it has generated SSH host keys in
+   `/etc/ssh/`.
 
+2. Make a directory to store secrets and `secrets.nix` file for listing secrets and their public keys:
    ```ShellSession
    $ mkdir secrets
-   $ cd secerts
+   $ cd secrets
    $ touch secrets.nix
    ```
-2. Add public keys to `secrets.nix` file (hint: use `ssh-keyscan` or GitHub (for example, https://github.com/ryantm.keys)):
+   This `secrets.nix` file is **not** imported into your NixOS configuration. 
+   It's only used for the `agenix` CLI tool (example below) to know which public keys to use for encryption.
+3. Add public keys to your `secrets.nix` file:
    ```nix
    let
      user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH";
@@ -152,17 +268,310 @@ but, if you want to (change the system based on your system):
      "secret2.age".publicKeys = users ++ systems;
    }
    ```
-3. Edit secret files (these instructions assume your SSH private key is in ~/.ssh/):
+   These are the users and systems that will be able to decrypt the `.age` files later with their corresponding private keys.
+   You can obtain the public keys from 
+   * your local computer usually in `~/.ssh`, e.g. `~/.ssh/id_ed25519.pub`.
+   * from a running target machine with `ssh-keyscan`:
+     ```ShellSession
+     $ ssh-keyscan <ip-address>
+     ... ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzxQgondgEYcLpcPdJLrTdNgZ2gznOHCAxMdaceTUT1
+     ...
+     ```
+   * from GitHub like https://github.com/ryantm.keys.
+4. Create a secret file:
    ```ShellSession
    $ agenix -e secret1.age
    ```
-4. Add secret to a NixOS module config:
+   It will open a temporary file in the app configured in your $EDITOR environment variable.
+   When you save that file its content will be encrypted with all the public keys mentioned in the `secrets.nix` file.
+5. Add secret to a NixOS module config:
    ```nix
-   age.secrets.secret1.file = ../secrets/secret1.age;
+   {
+     age.secrets.secret1.file = ../secrets/secret1.age;
+   }
    ```
-5. NixOS rebuild or use your deployment tool like usual.
+   When the `age.secrets` attribute set contains a secret, the `agenix` NixOS module will later automatically decrypt and mount that secret under the default path `/run/agenix/secret1`. 
+   Here the `secret1.age` file becomes part of your NixOS deployment, i.e. moves into the Nix store.
 
-## Rekeying
+6. Reference the secrets' mount path in your config:
+   ```nix
+   {
+     users.users.user1 = {
+       isNormalUser = true;
+       passwordFile = config.age.secrets.secret1.path;
+     };
+   }
+   ```
+   You can reference the mount path to the (later) unencrypted secret already in your other configuration.
+   So `config.age.secrets.secret1.path` will contain the path `/run/agenix/secret1` by default.
+7. Use `nixos-rebuild` or [another deployment tool](https://nixos.wiki/wiki/Applications#Deployment") of choice as usual.
+
+   The `secret1.age` file will be copied over to the target machine like any other Nix package. 
+   Then it will be decrypted and mounted as described before.
+8. Edit secret files:
+   ```ShellSession
+   $ agenix -e secret1.age
+   ```
+   It assumes your SSH private key is in `~/.ssh/`. 
+   In order to decrypt and open a `.age` file for editing you need the private key of one of the public keys 
+   it was encrypted with. You can pass the private key you want to use explicitly with `-i`, e.g.
+   ```ShellSession
+   $ agenix -e secret1.age -i ~/.ssh/id_ed25519
+   ```
+
+## Reference
+
+### `age` module reference
+
+#### `age.secrets`
+
+`age.secrets` attrset of secrets. You always need to use this
+configuration option. Defaults to `{}`.
+
+#### `age.secrets.<name>.file`
+
+`age.secrets.<name>.file` is the path to the encrypted `.age` for this
+secret. This is the only required secret option.
+
+Example:
+
+```nix
+{
+  age.secrets.monitrc.file = ../secrets/monitrc.age;
+}
+```
+
+#### `age.secrets.<name>.path`
+
+`age.secrets.<name>.path` is the path where the secret is decrypted
+to. Defaults to `/run/agenix/<name>` (`config.age.secretsDir/<name>`).
+
+Example defining a different path:
+
+```nix
+{
+  age.secrets.monitrc = {
+    file = ../secrets/monitrc.age;
+    path = "/etc/monitrc";
+  };
+}
+```
+
+For many services, you do not need to set this. Instead, refer to the
+decryption path in your configuration with
+`config.age.secrets.<name>.path`.
+
+Example referring to path:
+
+```nix
+{
+  users.users.ryantm = {
+    isNormalUser = true;
+    passwordFile = config.age.secrets.passwordfile-ryantm.path;
+  };
+}
+```
+
+##### builtins.readFile anti-pattern
+
+```nix
+{
+  # Do not do this!
+  config.password = builtins.readFile config.age.secrets.secret1.path;
+}
+```
+
+This can cause the cleartext to be placed into the world-readable Nix
+store. Instead, have your services read the cleartext path at runtime.
+
+#### `age.secrets.<name>.mode`
+
+`age.secrets.<name>.mode` is permissions mode of the decrypted secret
+in a format understood by chmod. Usually, you only need to use this in
+combination with `age.secrets.<name>.owner` and
+`age.secrets.<name>.group`
+
+Example:
+
+```nix
+{
+  age.secrets.nginx-htpasswd = {
+    file = ../secrets/nginx.htpasswd.age;
+    mode = "770";
+    owner = "nginx";
+    group = "nginx";
+  };
+}
+```
+
+#### `age.secrets.<name>.owner`
+
+`age.secrets.<name>.owner` is the username of the decrypted file's
+owner. Usually, you only need to use this in combination with
+`age.secrets.<name>.mode` and `age.secrets.<name>.group`
+
+Example:
+
+```nix
+{
+  age.secrets.nginx-htpasswd = {
+    file = ../secrets/nginx.htpasswd.age;
+    mode = "770";
+    owner = "nginx";
+    group = "nginx";
+  };
+}
+```
+
+#### `age.secrets.<name>.group`
+
+`age.secrets.<name>.group` is the name of the decrypted file's
+group. Usually, you only need to use this in combination with
+`age.secrets.<name>.owner` and `age.secrets.<name>.mode`
+
+Example:
+
+```nix
+{
+  age.secrets.nginx-htpasswd = {
+    file = ../secrets/nginx.htpasswd.age;
+    mode = "770";
+    owner = "nginx";
+    group = "nginx";
+  };
+}
+```
+
+#### `age.secrets.<name>.symlink`
+
+`age.secrets.<name>.symlink` is a boolean. If true (the default),
+secrets are symlinked to `age.secrets.<name>.path`. If false, secrets
+are copied to `age.secrets.<name>.path`. Usually, you want to keep
+this as true, because it secure cleanup of secrets no longer
+used. (The symlink will still be there, but it will be broken.) If
+false, you are responsible for cleaning up your own secrets after you
+stop using them.
+
+Some programs do not like following symlinks (for example Java
+programs like Elasticsearch).
+
+Example:
+
+```nix
+{
+  age.secrets."elasticsearch.conf" = {
+    file = ../secrets/elasticsearch.conf.age;
+    symlink = false;
+  };
+}
+```
+
+#### `age.secrets.<name>.name`
+
+`age.secrets.<name>.name` is the string of the name of the file after
+it is decrypted. Defaults to the `<name>` in the attrpath, but can be
+set separately if you want the file name to be different from the
+attribute name part.
+
+Example of a secret with a name different from its attrpath:
+
+```nix
+{
+  age.secrets.monit = {
+    name = "monitrc";
+    file = ../secrets/monitrc.age;
+  };
+}
+```
+
+#### `age.ageBin`
+
+`age.ageBin` the string of the path to the `age` binary. Usually, you
+don't need to change this. Defaults to `age/bin/age`.
+
+Overriding `age.ageBin` example:
+
+```nix
+{pkgs, ...}:{
+    age.ageBin = "${pkgs.age}/bin/age";
+}
+```
+
+#### `age.identityPaths`
+
+`age.identityPaths` is a list of paths to recipient keys to try to use to
+decrypt the secrets. By default, it is the `rsa` and `ed25519` keys in
+`config.services.openssh.hostKeys`, and on NixOS you usually don't need to
+change this. The list items should be strings (`"/path/to/id_rsa"`), not
+nix paths (`../path/to/id_rsa`), as the latter would copy your private key to
+the nix store, which is the exact situation `agenix` is designed to avoid. At
+least one of the file paths must be present at runtime and able to decrypt the
+secret in question. Overriding `age.identityPaths` example:
+
+```nix
+{
+    age.identityPaths = [ "/var/lib/persistent/ssh_host_ed25519_key" ];
+}
+```
+
+#### `age.secretsDir`
+
+`age.secretsDir` is the directory where secrets are symlinked to by
+default. Usually, you don't need to change this. Defaults to
+`/run/agenix`.
+
+Overriding `age.secretsDir` example:
+
+```nix
+{
+    age.secretsDir = "/run/keys";
+}
+```
+
+#### `age.secretsMountPoint`
+
+`age.secretsMountPoint` is the directory where the secret generations
+are created before they are symlinked. Usually, you don't need to
+change this. Defaults to `/run/agenix.d`.
+
+
+Overriding `age.secretsMountPoint` example:
+
+```nix
+{
+    age.secretsMountPoint = "/run/secret-generations";
+}
+```
+
+### agenix CLI reference
+
+```
+agenix - edit and rekey age secret files
+
+agenix -e FILE [-i PRIVATE_KEY]
+agenix -r [-i PRIVATE_KEY]
+
+options:
+-h, --help                show help
+-e, --edit FILE           edits FILE using $EDITOR
+-r, --rekey               re-encrypts all secrets with specified recipients
+-d, --decrypt FILE        decrypts FILE to STDOUT
+-i, --identity            identity to use when decrypting
+-v, --verbose             verbose output
+
+FILE an age-encrypted file
+
+PRIVATE_KEY a path to a private SSH key used to decrypt file
+
+EDITOR environment variable of editor to use when editing FILE
+
+If STDIN is not interactive, EDITOR will be set to "cp /dev/stdin"
+
+RULES environment variable with path to Nix file specifying recipient public keys.
+Defaults to './secrets.nix'
+```
+
+#### Rekeying
 
 If you change the public keys in `secrets.nix`, you should rekey your
 secrets:
@@ -176,9 +585,27 @@ randomness in `age`'s encryption algorithms, the files always change
 when rekeyed, even if the identities do not. (This eventually could be
 improved upon by reading the identities from the age file.)
 
+#### Overriding age binary
+
+The agenix CLI uses `age` by default as its age implemenation, you
+can use the `rage` implementation with Flakes like this:
+
+```nix
+{pkgs,agenix,...}:{
+  environment.systemPackages = [
+    (agenix.packages.x86_64-linux.default.override { ageBin = "${pkgs.rage}/bin/rage"; })
+  ];
+}
+```
+
+## Community and Support
+
+Support and development discussion is available here on GitHub and
+also through [Matrix](https://matrix.to/#/#agenix:nixos.org).
+
 ## Threat model/Warnings
 
-This project has not be audited by a security professional.
+This project has not been audited by a security professional.
 
 People unfamiliar with `age` might be surprised that secrets are not
 authenticated. This means that every attacker that has write access to
@@ -191,6 +618,35 @@ authentication code (MAC) like other implementations like GPG or
 [sops](https://github.com/Mic92/sops-nix) have, however this was left
 out for simplicity in `age`.
 
+## Contributing
+
+* The main branch is protected against direct pushes
+* All changes must go through GitHub PR review and get at least one approval
+* PR titles and commit messages should be prefixed with at least one of these categories:
+  * contrib - things that make the project development better
+  * doc - documentation
+  * feature - new features
+  * fix - bug fixes
+* Please update or make integration tests for new features
+* Use `nix fmt` to format nix code
+
+
+### Tests
+
+You can run the tests with
+
+```ShellSession
+nix flake check
+```
+
+You can run the integration tests in interactive mode like this:
+
+```ShellSession
+nix run .#checks.x86_64-linux.integration.driverInteractive
+```
+
+After it starts, enter `run_tests()` to run the tests.
+
 ## Acknowledgements
 
 This project is based off of [sops-nix](https://github.com/Mic92/sops-nix) created Mic92. Thank you to Mic92 for inspiration and advice.

contrib/_incr_version

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+grep -q "$1" pkgs/agenix.nix || (echo "Couldn't find version $1 in pkgs/agenix.nix" && exit 1)
+sed -i "s/$1/$2/g" pkgs/agenix.nix
+git add pkgs/agenix.nix
+git commit -m "version $2"
+exit 0

contrib/release

@@ -0,0 +1,67 @@
+#!/usr/bin/env nix-shell
+#! nix-shell -p python3 -i python
+
+# based off of https://git.sr.ht/~sircmpwn/dotfiles/tree/master/item/bin/semver
+
+import os
+import subprocess
+import sys
+import tempfile
+
+if subprocess.run(["git", "branch", "--show-current"], stdout=subprocess.PIPE
+        ).stdout.decode().strip() != "main":
+    print("WARNING! Not on the main branch.")
+
+subprocess.run(["git", "pull", "--rebase"])
+p = subprocess.run(["git", "describe", "--abbrev=0"], stdout=subprocess.PIPE)
+describe = p.stdout.decode().strip()
+old_version = describe.split("-")[0].split(".")
+if len(old_version) == 2:
+    [major, minor] = old_version
+    [major, minor] = map(int, [major, minor])
+    patch = 0
+else:
+    [major, minor, patch] = old_version
+    [major, minor, patch] = map(int, [major, minor, patch])
+
+p = subprocess.run(["git", "shortlog", "--no-merges", f"{describe}..HEAD"],
+        stdout=subprocess.PIPE)
+shortlog = p.stdout.decode()
+
+new_version = None
+
+if sys.argv[1] == "patch":
+    patch += 1
+elif sys.argv[1] == "minor":
+    minor += 1
+    patch = 0
+elif sys.argv[1] == "major":
+    major += 1
+    minor = patch = 0
+else:
+    new_version = sys.argv[1]
+
+if new_version is None:
+    if len(old_version) == 2 and patch == 0:
+        new_version = f"{major}.{minor}"
+    else:
+        new_version = f"{major}.{minor}.{patch}"
+
+p = None
+if os.path.exists("contrib/_incr_version"):
+    p = subprocess.run(["contrib/_incr_version", describe, new_version])
+else:
+    print("Warning: no _incr_version script. " +
+        "Does this project have any specific release requirements?")
+
+if p and p.returncode != 0:
+    print("Error: _incr_version returned nonzero exit code")
+    sys.exit(1)
+
+with tempfile.NamedTemporaryFile() as f:
+    basename = os.path.basename(os.getcwd())
+    f.write(f"{basename} {new_version}\n\n".encode())
+    f.write(shortlog.encode())
+    f.flush()
+    subprocess.run(["git", "tag", "-e", "-F", f.name, "-a", new_version])
+    print(new_version)

default.nix

@@ -1,4 +1,3 @@
-{ pkgs ? import <nixpkgs> {} }:
-{
-  agenix = pkgs.callPackage ./pkgs/agenix.nix  {};
+{pkgs ? import <nixpkgs> {}}: {
+  agenix = pkgs.callPackage ./pkgs/agenix.nix {};
 }

doc/acknowledgements.md

@@ -0,0 +1,3 @@
+# Acknowledgements {#acknowledgements}
+
+This project is based off of [sops-nix](https://github.com/Mic92/sops-nix) created Mic92. Thank you to Mic92 for inspiration and advice.

doc/community-and-support.md

@@ -0,0 +1,4 @@
+# Community and Support {#community-and-support}
+
+Support and development discussion is available here on GitHub and
+also through [Matrix](https://matrix.to/#/#agenix:nixos.org).

doc/contributing.md

@@ -0,0 +1,28 @@
+# Contributing {#contributing}
+
+* The main branch is protected against direct pushes
+* All changes must go through GitHub PR review and get at least one approval
+* PR titles and commit messages should be prefixed with at least one of these categories:
+  * contrib - things that make the project development better
+  * doc - documentation
+  * feature - new features
+  * fix - bug fixes
+* Please update or make integration tests for new features
+* Use `nix fmt` to format nix code
+
+
+## Tests
+
+You can run the tests with
+
+```ShellSession
+nix flake check
+```
+
+You can run the integration tests in interactive mode like this:
+
+```ShellSession
+nix run .#checks.x86_64-linux.integration.driverInteractive
+```
+
+After it starts, enter `run_tests()` to run the tests.

doc/features.md

@@ -0,0 +1,8 @@
+# Features {#features}
+
+* Secrets are encrypted with SSH keys
+  * system public keys via `ssh-keyscan`
+  * can use public keys available on GitHub for users (for example, https://github.com/ryantm.keys)
+* No GPG
+* Very little code, so it should be easy for you to audit
+* Encrypted secrets are stored in the Nix store, so a separate distribution mechanism is not necessary

doc/install-via-fetchtarball.md

@@ -0,0 +1,38 @@
+# Install via fetchTarball {#install-via-fetchtarball}
+
+#### Install module via fetchTarball
+
+Add the following to your configuration.nix:
+
+```nix
+{
+  imports = [ "${builtins.fetchTarball "https://github.com/ryantm/agenix/archive/main.tar.gz"}/modules/age.nix" ];
+}
+```
+
+  or with pinning:
+
+```nix
+{
+  imports = let
+    # replace this with an actual commit id or tag
+    commit = "298b235f664f925b433614dc33380f0662adfc3f";
+  in [
+    "${builtins.fetchTarball {
+      url = "https://github.com/ryantm/agenix/archive/${commit}.tar.gz";
+      # update hash from nix build output
+      sha256 = "";
+    }}/modules/age.nix"
+  ];
+}
+```
+
+#### Install CLI via fetchTarball
+
+To install the `agenix` binary:
+
+```nix
+{
+  environment.systemPackages = [ (pkgs.callPackage "${builtins.fetchTarball "https://github.com/ryantm/agenix/archive/main.tar.gz"}/pkgs/agenix.nix" {}) ];
+}
+```

doc/install-via-flakes.md

@@ -0,0 +1,39 @@
+# Install via Flakes {#install-via-flakes}
+
+## Install module via Flakes
+
+```nix
+{
+  inputs.agenix.url = "github:ryantm/agenix";
+  # optional, not necessary for the module
+  #inputs.agenix.inputs.nixpkgs.follows = "nixpkgs";
+
+  outputs = { self, nixpkgs, agenix }: {
+    # change `yourhostname` to your actual hostname
+    nixosConfigurations.yourhostname = nixpkgs.lib.nixosSystem {
+      # change to your system:
+      system = "x86_64-linux";
+      modules = [
+        ./configuration.nix
+        agenix.nixosModules.default
+      ];
+    };
+  };
+}
+```
+
+## Install CLI via Flakes
+
+You don't need to install it,
+
+```ShellSession
+nix run github:ryantm/agenix -- --help
+```
+
+but, if you want to (change the system based on your system):
+
+```nix
+{
+  environment.systemPackages = [ agenix.packages.x86_64-linux.default ];
+}
+```

doc/install-via-niv.md

@@ -0,0 +1,27 @@
+# Install via [niv](https://github.com/nmattia/niv) {#install-via-niv}
+
+First add it to niv:
+
+```ShellSession
+$ niv add ryantm/agenix
+```
+
+## Install module via niv
+
+Then add the following to your `configuration.nix` in the `imports` list:
+
+```nix
+{
+  imports = [ "${(import ./nix/sources.nix).agenix}/modules/age.nix" ];
+}
+```
+
+## Install CLI via niv
+
+To install the `agenix` binary:
+
+```nix
+{
+  environment.systemPackages = [ (pkgs.callPackage "${(import ./nix/sources.nix).agenix}/pkgs/agenix.nix" {}) ];
+}
+```

doc/install-via-nix-channel.md

@@ -0,0 +1,28 @@
+# Install via nix-channel {#install-via-nix-channel}
+
+As root run:
+
+```ShellSession
+$ sudo nix-channel --add https://github.com/ryantm/agenix/archive/main.tar.gz agenix
+$ sudo nix-channel --update
+```
+
+## Install module via nix-channel
+
+Then add the following to your `configuration.nix` in the `imports` list:
+
+```nix
+{
+  imports = [ <agenix/modules/age.nix> ];
+}
+```
+
+## Install CLI via nix-channel
+
+To install the `agenix` binary:
+
+```nix
+{
+  environment.systemPackages = [ (pkgs.callPackage <agenix/pkgs/agenix.nix> {}) ];
+}
+```

doc/introduction.md

@@ -0,0 +1,3 @@
+# agenix - [age](https://github.com/FiloSottile/age)-encrypted secrets for NixOS {#introduction}
+
+`agenix` is a commandline tool for managing secrets encrypted with your existing SSH keys. This project also includes the NixOS module `age` for adding encrypted secrets into the Nix store and decrypting them.

doc/notices.md

@@ -0,0 +1,3 @@
+# Notices {#notices}
+
+* Password-protected ssh keys: since age does not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times.

doc/overriding-age-binary.md

@@ -0,0 +1,12 @@
+# Overriding age binary {#overriding-age-binary}
+
+The agenix CLI uses `age` by default as its age implemenation, you
+can use the `rage` implementation with Flakes like this:
+
+```nix
+{pkgs,agenix,...}:{
+  environment.systemPackages = [
+    (agenix.packages.x86_64-linux.default.override { ageBin = "${pkgs.rage}/bin/rage"; })
+  ];
+}
+```

doc/problem-and-solution.md

@@ -0,0 +1,5 @@
+# Problem and solution {#problem-and-solution}
+
+All files in the Nix store are readable by any system user, so it is not a suitable place for including cleartext secrets. Many existing tools (like NixOps deployment.keys) deploy secrets separately from `nixos-rebuild`, making deployment, caching, and auditing more difficult. Out-of-band secret management is also less reproducible.
+
+`agenix` solves these issues by using your pre-existing SSH key infrastructure and `age` to encrypt secrets into the Nix store. Secrets are decrypted using an SSH host private key during NixOS system activation.

doc/reference.md

@@ -0,0 +1,250 @@
+# Reference {#reference}
+
+## `age` module reference {#age-module-reference}
+
+### `age.secrets`
+
+`age.secrets` attrset of secrets. You always need to use this
+configuration option. Defaults to `{}`.
+
+### `age.secrets.<name>.file`
+
+`age.secrets.<name>.file` is the path to the encrypted `.age` for this
+secret. This is the only required secret option.
+
+Example:
+
+```nix
+{
+  age.secrets.monitrc.file = ../secrets/monitrc.age;
+}
+```
+
+### `age.secrets.<name>.path`
+
+`age.secrets.<name>.path` is the path where the secret is decrypted
+to. Defaults to `/run/agenix/<name>` (`config.age.secretsDir/<name>`).
+
+Example defining a different path:
+
+```nix
+{
+  age.secrets.monitrc = {
+    file = ../secrets/monitrc.age;
+    path = "/etc/monitrc";
+  };
+}
+```
+
+For many services, you do not need to set this. Instead, refer to the
+decryption path in your configuration with
+`config.age.secrets.<name>.path`.
+
+Example referring to path:
+
+```nix
+{
+  users.users.ryantm = {
+    isNormalUser = true;
+    passwordFile = config.age.secrets.passwordfile-ryantm.path;
+  };
+}
+```
+
+#### builtins.readFile anti-pattern
+
+```nix
+{
+  # Do not do this!
+  config.password = builtins.readFile config.age.secrets.secret1.path;
+}
+```
+
+This can cause the cleartext to be placed into the world-readable Nix
+store. Instead, have your services read the cleartext path at runtime.
+
+### `age.secrets.<name>.mode`
+
+`age.secrets.<name>.mode` is permissions mode of the decrypted secret
+in a format understood by chmod. Usually, you only need to use this in
+combination with `age.secrets.<name>.owner` and
+`age.secrets.<name>.group`
+
+Example:
+
+```nix
+{
+  age.secrets.nginx-htpasswd = {
+    file = ../secrets/nginx.htpasswd.age;
+    mode = "770";
+    owner = "nginx";
+    group = "nginx";
+  };
+}
+```
+
+### `age.secrets.<name>.owner`
+
+`age.secrets.<name>.owner` is the username of the decrypted file's
+owner. Usually, you only need to use this in combination with
+`age.secrets.<name>.mode` and `age.secrets.<name>.group`
+
+Example:
+
+```nix
+{
+  age.secrets.nginx-htpasswd = {
+    file = ../secrets/nginx.htpasswd.age;
+    mode = "770";
+    owner = "nginx";
+    group = "nginx";
+  };
+}
+```
+
+### `age.secrets.<name>.group`
+
+`age.secrets.<name>.group` is the name of the decrypted file's
+group. Usually, you only need to use this in combination with
+`age.secrets.<name>.owner` and `age.secrets.<name>.mode`
+
+Example:
+
+```nix
+{
+  age.secrets.nginx-htpasswd = {
+    file = ../secrets/nginx.htpasswd.age;
+    mode = "770";
+    owner = "nginx";
+    group = "nginx";
+  };
+}
+```
+
+### `age.secrets.<name>.symlink`
+
+`age.secrets.<name>.symlink` is a boolean. If true (the default),
+secrets are symlinked to `age.secrets.<name>.path`. If false, secerts
+are copied to `age.secrets.<name>.path`. Usually, you want to keep
+this as true, because it secure cleanup of secrets no longer
+used. (The symlink will still be there, but it will be broken.) If
+false, you are responsible for cleaning up your own secrets after you
+stop using them.
+
+Some programs do not like following symlinks (for example Java
+programs like Elasticsearch).
+
+Example:
+
+```nix
+{
+  age.secrets."elasticsearch.conf" = {
+    file = ../secrets/elasticsearch.conf.age;
+    symlink = false;
+  };
+}
+```
+
+### `age.secrets.<name>.name`
+
+`age.secrets.<name>.name` is the string of the name of the file after
+it is decrypted. Defaults to the `<name>` in the attrpath, but can be
+set separately if you want the file name to be different from the
+attribute name part.
+
+Example of a secret with a name different from its attrpath:
+
+```nix
+{
+  age.secrets.monit = {
+    name = "monitrc";
+    file = ../secrets/monitrc.age;
+  };
+}
+```
+
+### `age.ageBin`
+
+`age.ageBin` the string of the path to the `age` binary. Usually, you
+don't need to change this. Defaults to `age/bin/age`.
+
+Overriding `age.ageBin` example:
+
+```nix
+{pkgs, ...}:{
+    age.ageBin = "${pkgs.age}/bin/age";
+}
+```
+
+### `age.identityPaths`
+
+`age.identityPaths` is a list of paths to recipient keys to try to use to
+decrypt the secrets. By default, it is the `rsa` and `ed25519` keys in
+`config.services.openssh.hostKeys`, and on NixOS you usually don't need to
+change this. The list items should be strings (`"/path/to/id_rsa"`), not
+nix paths (`../path/to/id_rsa`), as the latter would copy your private key to
+the nix store, which is the exact situation `agenix` is designed to avoid. At
+least one of the file paths must be present at runtime and able to decrypt the
+secret in question. Overriding `age.identityPaths` example:
+
+```nix
+{
+    age.identityPaths = [ "/var/lib/persistent/ssh_host_ed25519_key" ];
+}
+```
+
+### `age.secretsDir`
+
+`age.secretsDir` is the directory where secrets are symlinked to by
+default.Usually, you don't need to change this. Defaults to
+`/run/agenix`.
+
+Overriding `age.secretsDir` example:
+
+```nix
+{
+    age.secretsDir = "/run/keys";
+}
+```
+
+### `age.secretsMountPoint`
+
+`age.secretsMountPoint` is the directory where the secret generations
+are created before they are symlinked. Usually, you don't need to
+change this. Defaults to `/run/agenix.d`.
+
+
+Overriding `age.secretsMountPoint` example:
+
+```nix
+{
+    age.secretsMountPoint = "/run/secret-generations";
+}
+```
+
+## agenix CLI reference {#agenix-cli-reference}
+
+```
+agenix - edit and rekey age secret files
+
+agenix -e FILE [-i PRIVATE_KEY]
+agenix -r [-i PRIVATE_KEY]
+
+options:
+-h, --help                show help
+-e, --edit FILE           edits FILE using $EDITOR
+-r, --rekey               re-encrypts all secrets with specified recipients
+-d, --decrypt FILE        decrypts FILE to STDOUT
+-i, --identity            identity to use when decrypting
+-v, --verbose             verbose output
+
+FILE an age-encrypted file
+
+PRIVATE_KEY a path to a private SSH key used to decrypt file
+
+EDITOR environment variable of editor to use when editing FILE
+
+If STDIN is not interactive, EDITOR will be set to "cp /dev/stdin"
+
+RULES environment variable with path to Nix file specifying recipient public keys.
+Defaults to './secrets.nix'

doc/rekeying.md

@@ -0,0 +1,13 @@
+# Rekeying {#rekeying}
+
+If you change the public keys in `secrets.nix`, you should rekey your
+secrets:
+
+```ShellSession
+$ agenix --rekey
+```
+
+To rekey a secret, you have to be able to decrypt it. Because of
+randomness in `age`'s encryption algorithms, the files always change
+when rekeyed, even if the identities do not. (This eventually could be
+improved upon by reading the identities from the age file.)

doc/threat-model-warnings.md

@@ -0,0 +1,14 @@
+# Threat model/Warnings {#threat-model-warnings}
+
+This project has not been audited by a security professional.
+
+People unfamiliar with `age` might be surprised that secrets are not
+authenticated. This means that every attacker that has write access to
+the secret files can modify secrets because public keys are exposed.
+This seems like not a problem on the first glance because changing the
+configuration itself could expose secrets easily. However, reviewing
+configuration changes is easier than reviewing random secrets (for
+example, 4096-bit rsa keys). This would be solved by having a message
+authentication code (MAC) like other implementations like GPG or
+[sops](https://github.com/Mic92/sops-nix) have, however this was left
+out for simplicity in `age`.

doc/toc.md

@@ -0,0 +1,18 @@
+# agenix
+
+* [Introduction](#introduction)
+* [Problem and solution](#problem-and-solution)
+* [Features](#features)
+* Installation
+  * [flakes](#install-via-flakes)
+  * [niv](#install-via-niv)
+  * [fetchTarball](#install-via-fetchtarball)
+  * [nix-channel](#install-via-nix-channel)
+* [Tutorial](#tutorial)
+* [Reference](#reference)
+  * [`age` module reference](#age-module-reference)
+  * [agenix CLI reference](#agenix-cli-reference)
+* [Community and Support](#community-and-support)
+* [Threat model/Warnings](#threat-model-warnings)
+* [Contributing](#contributing)
+* [Acknowledgements](#acknowledgements)

doc/tutorial.md

@@ -0,0 +1,51 @@
+# Tutorial {#tutorial}
+
+1. The system you want to deploy secrets to should already exist and
+   have `sshd` running on it so that it has generated SSH host keys in
+   `/etc/ssh/`.
+
+2. Make a directory to store secrets and `secrets.nix` file for listing secrets and their public keys (This file is **not** imported into your NixOS configuration. It is only used for the `agenix` CLI.):
+
+   ```ShellSession
+   $ mkdir secrets
+   $ cd secrets
+   $ touch secrets.nix
+   ```
+3. Add public keys to `secrets.nix` file (hint: use `ssh-keyscan` or GitHub (for example, https://github.com/ryantm.keys)):
+   ```nix
+   let
+     user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH";
+     user2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILI6jSq53F/3hEmSs+oq9L4TwOo1PrDMAgcA1uo1CCV/";
+     users = [ user1 user2 ];
+
+     system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE";
+     system2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzxQgondgEYcLpcPdJLrTdNgZ2gznOHCAxMdaceTUT1";
+     systems = [ system1 system2 ];
+   in
+   {
+     "secret1.age".publicKeys = [ user1 system1 ];
+     "secret2.age".publicKeys = users ++ systems;
+   }
+   ```
+4. Edit secret files (these instructions assume your SSH private key is in ~/.ssh/):
+   ```ShellSession
+   $ agenix -e secret1.age
+   ```
+5. Add secret to a NixOS module config:
+   ```nix
+   {
+     age.secrets.secret1.file = ../secrets/secret1.age;
+   }
+   ```
+6. Use the secret in your config:
+   ```nix
+   {
+     users.users.user1 = {
+       isNormalUser = true;
+       passwordFile = config.age.secrets.secret1.path;
+     };
+   }
+   ```
+7. NixOS rebuild or use your deployment tool like usual.
+
+   The secret will be decrypted to the value of `config.age.secrets.secret1.path` (`/run/agenix/secret1` by default).

example/passwordfile-user1.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 KLPP8w s1DYZRlZuSsyhmZCF1lFB+E9vB8bZ/+ZhBRlx8nprwE
+nmYVCsVBrX2CFXXPU+D+bbkkIe/foofp+xoUrg9DHZw
+-> ssh-ed25519 V3XmEA Pwv3oCwcY0DX8rY48UNfsj9RumWsn4dbgorYHCwObgI
+FKxRYkL3JHtJxUwymWDF0rAtJ33BivDI6IfPsfumM90
+-> V'v(/u$-grease em/Vgf 2qDuk
+7I3iiQLPGi1COML9u/JeYkr7EqbSLoU
+--- 57WJRigUGtmcObrssS3s4PvmR8wgh1AOC/ijJn1s3xI
+<EFBFBD>'K©Æ·Y&‘7GÆOÝòFj
±kÆXç«BnuJöê:9Ê(’ÙÏX¬#¼AíÄÞÃÚ§j’,ê_ÈþÝ?ÝZ“¥vœ¹V’96]oks~%£c	Îe^CÅ%JQ5€<H¢z}îCý,°pŒ¿*!W§§ÈA±º­Ò…dC¼K)¿¢-žy

example/secrets.nix

@@ -1,8 +1,8 @@
 let
   user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH";
   system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE";
-in
-{
-  "secret1.age".publicKeys = [ user1 system1 ];
-  "secret2.age".publicKeys = [ user1 ];
+in {
+  "secret1.age".publicKeys = [user1 system1];
+  "secret2.age".publicKeys = [user1];
+  "passwordfile-user1.age".publicKeys = [user1 system1];
 }

flake.lock

@@ -1,38 +1,83 @@
 {
   "nodes": {
-    "flake-utils": {
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
       "locked": {
-        "lastModified": 1600209923,
-        "narHash": "sha256-zoOWauTliFEjI++esk6Jzk7QO5EKpddWXQm9yQK24iM=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "3cd06d3c1df6879c9e41cb2c33113df10566c760",
+        "lastModified": 1700795494,
+        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
         "type": "github"
       },
       "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1703113217,
+        "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
         "type": "github"
       }
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1599148892,
-        "narHash": "sha256-V76c6DlI0ZZffvbBpxGlpVSpXxZ14QpFHwAvEEujIsY=",
+        "lastModified": 1703013332,
+        "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "7ff50a7f7b9a701228f870813fe58f01950f870b",
+        "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
         "type": "github"
       },
       "original": {
-        "id": "nixpkgs",
-        "type": "indirect"
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
       }
     },
     "root": {
       "inputs": {
-        "flake-utils": "flake-utils",
-        "nixpkgs": "nixpkgs"
+        "darwin": "darwin",
+        "home-manager": "home-manager",
+        "nixpkgs": "nixpkgs",
+        "systems": "systems"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
       }
     }
   },

flake.nix

@@ -1,13 +1,89 @@
 {
   description = "Secret management with age";
 
-  inputs.flake-utils.url = "github:numtide/flake-utils";
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    darwin = {
+      url = "github:lnl7/nix-darwin/master";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    home-manager = {
+      url = "github:nix-community/home-manager";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    systems.url = "github:nix-systems/default";
+  };
 
-  outputs = { self, nixpkgs, flake-utils }:
-    flake-utils.lib.eachDefaultSystem (system:
-      {
-        nixosModules.age = import ./modules/age.nix;
-        packages = nixpkgs.legacyPackages.${system}.callPackage ./default.nix {};
-        defaultPackage = self.packages.${system}.agenix;
-      });
+  outputs = {
+    self,
+    nixpkgs,
+    darwin,
+    home-manager,
+    systems,
+  }: let
+    eachSystem = nixpkgs.lib.genAttrs (import systems);
+  in {
+    nixosModules.age = import ./modules/age.nix;
+    nixosModules.default = self.nixosModules.age;
+
+    darwinModules.age = import ./modules/age.nix;
+    darwinModules.default = self.darwinModules.age;
+
+    homeManagerModules.age = import ./modules/age-home.nix;
+    homeManagerModules.default = self.homeManagerModules.age;
+
+    overlays.default = import ./overlay.nix;
+
+    formatter = eachSystem (system: nixpkgs.legacyPackages.${system}.alejandra);
+
+    packages = eachSystem (system: {
+      agenix = nixpkgs.legacyPackages.${system}.callPackage ./pkgs/agenix.nix {};
+      doc = nixpkgs.legacyPackages.${system}.callPackage ./pkgs/doc.nix {inherit self;};
+      default = self.packages.${system}.agenix;
+    });
+
+    checks =
+      nixpkgs.lib.genAttrs ["aarch64-darwin" "x86_64-darwin"] (system: {
+        integration =
+          (darwin.lib.darwinSystem {
+            inherit system;
+            modules = [
+              ./test/integration_darwin.nix
+
+              # Allow new-style nix commands in CI
+              {nix.extraOptions = "experimental-features = nix-command flakes";}
+
+              home-manager.darwinModules.home-manager
+              {
+                home-manager = {
+                  verbose = true;
+                  useGlobalPkgs = true;
+                  useUserPackages = true;
+                  backupFileExtension = "hmbak";
+                  users.runner = ./test/integration_hm_darwin.nix;
+                };
+              }
+            ];
+          })
+          .system;
+      })
+      // {
+        x86_64-linux.integration = import ./test/integration.nix {
+          inherit nixpkgs home-manager;
+          pkgs = nixpkgs.legacyPackages.x86_64-linux;
+          system = "x86_64-linux";
+        };
+      };
+
+    darwinConfigurations.integration-x86_64.system = self.checks.x86_64-darwin.integration;
+    darwinConfigurations.integration-aarch64.system = self.checks.aarch64-darwin.integration;
+
+    # Work-around for https://github.com/nix-community/home-manager/issues/3075
+    legacyPackages = nixpkgs.lib.genAttrs ["aarch64-darwin" "x86_64-darwin"] (system: {
+      homeConfigurations.integration-darwin = home-manager.lib.homeManagerConfiguration {
+        pkgs = nixpkgs.legacyPackages.${system};
+        modules = [./test/integration_hm_darwin.nix];
+      };
+    });
+  };
 }

modules/age-home.nix

@@ -0,0 +1,237 @@
+{
+  config,
+  options,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.age;
+
+  ageBin = lib.getExe config.age.package;
+
+  newGeneration = ''
+    _agenix_generation="$(basename "$(readlink "${cfg.secretsDir}")" || echo 0)"
+    (( ++_agenix_generation ))
+    echo "[agenix] creating new generation in ${cfg.secretsMountPoint}/$_agenix_generation"
+    mkdir -p "${cfg.secretsMountPoint}"
+    chmod 0751 "${cfg.secretsMountPoint}"
+    mkdir -p "${cfg.secretsMountPoint}/$_agenix_generation"
+    chmod 0751 "${cfg.secretsMountPoint}/$_agenix_generation"
+  '';
+
+  setTruePath = secretType: ''
+    ${
+      if secretType.symlink
+      then ''
+        _truePath="${cfg.secretsMountPoint}/$_agenix_generation/${secretType.name}"
+      ''
+      else ''
+        _truePath="${secretType.path}"
+      ''
+    }
+  '';
+
+  installSecret = secretType: ''
+    ${setTruePath secretType}
+    echo "decrypting '${secretType.file}' to '$_truePath'..."
+    TMP_FILE="$_truePath.tmp"
+
+    IDENTITIES=()
+    # shellcheck disable=2043
+    for identity in ${toString cfg.identityPaths}; do
+      test -r "$identity" || continue
+      IDENTITIES+=(-i)
+      IDENTITIES+=("$identity")
+    done
+
+    test "''${#IDENTITIES[@]}" -eq 0 && echo "[agenix] WARNING: no readable identities found!"
+
+    mkdir -p "$(dirname "$_truePath")"
+    # shellcheck disable=SC2193,SC2050
+    [ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && mkdir -p "$(dirname "${secretType.path}")"
+    (
+      umask u=r,g=,o=
+      test -f "${secretType.file}" || echo '[agenix] WARNING: encrypted file ${secretType.file} does not exist!'
+      test -d "$(dirname "$TMP_FILE")" || echo "[agenix] WARNING: $(dirname "$TMP_FILE") does not exist!"
+      LANG=${config.i18n.defaultLocale or "C"} ${ageBin} --decrypt "''${IDENTITIES[@]}" -o "$TMP_FILE" "${secretType.file}"
+    )
+    chmod ${secretType.mode} "$TMP_FILE"
+    mv -f "$TMP_FILE" "$_truePath"
+
+    ${optionalString secretType.symlink ''
+      # shellcheck disable=SC2193,SC2050
+      [ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfn "${cfg.secretsDir}/${secretType.name}" "${secretType.path}"
+    ''}
+  '';
+
+  testIdentities =
+    map
+    (path: ''
+      test -f ${path} || echo '[agenix] WARNING: config.age.identityPaths entry ${path} not present!'
+    '')
+    cfg.identityPaths;
+
+  cleanupAndLink = ''
+    _agenix_generation="$(basename "$(readlink "${cfg.secretsDir}")" || echo 0)"
+    (( ++_agenix_generation ))
+    echo "[agenix] symlinking new secrets to ${cfg.secretsDir} (generation $_agenix_generation)..."
+    ln -sfn "${cfg.secretsMountPoint}/$_agenix_generation" "${cfg.secretsDir}"
+
+    (( _agenix_generation > 1 )) && {
+    echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..."
+    rm -rf "${cfg.secretsMountPoint}/$(( _agenix_generation - 1 ))"
+    }
+  '';
+
+  installSecrets = builtins.concatStringsSep "\n" (
+    ["echo '[agenix] decrypting secrets...'"]
+    ++ testIdentities
+    ++ (map installSecret (builtins.attrValues cfg.secrets))
+    ++ [cleanupAndLink]
+  );
+
+  secretType = types.submodule ({
+    config,
+    name,
+    ...
+  }: {
+    options = {
+      name = mkOption {
+        type = types.str;
+        default = name;
+        description = ''
+          Name of the file used in ''${cfg.secretsDir}
+        '';
+      };
+      file = mkOption {
+        type = types.path;
+        description = ''
+          Age file the secret is loaded from.
+        '';
+      };
+      path = mkOption {
+        type = types.str;
+        default = "${cfg.secretsDir}/${config.name}";
+        description = ''
+          Path where the decrypted secret is installed.
+        '';
+      };
+      mode = mkOption {
+        type = types.str;
+        default = "0400";
+        description = ''
+          Permissions mode of the decrypted secret in a format understood by chmod.
+        '';
+      };
+      symlink = mkEnableOption "symlinking secrets to their destination" // {default = true;};
+    };
+  });
+
+  mountingScript = let
+    app = pkgs.writeShellApplication {
+      name = "agenix-home-manager-mount-secrets";
+      runtimeInputs = with pkgs; [coreutils];
+      text = ''
+        ${newGeneration}
+        ${installSecrets}
+        exit 0
+      '';
+    };
+  in
+    lib.getExe app;
+
+  userDirectory = dir: let
+    inherit (pkgs.stdenv.hostPlatform) isDarwin;
+    baseDir =
+      if isDarwin
+      then "$(getconf DARWIN_USER_TEMP_DIR)"
+      else "$XDG_RUNTIME_DIR";
+  in "${baseDir}/${dir}";
+
+  userDirectoryDescription = dir:
+    literalExpression ''
+      "$XDG_RUNTIME_DIR"/${dir} on linux or "$(getconf DARWIN_USER_TEMP_DIR)"/${dir} on darwin.
+    '';
+in {
+  options.age = {
+    package = mkPackageOption pkgs "age" {};
+
+    secrets = mkOption {
+      type = types.attrsOf secretType;
+      default = {};
+      description = ''
+        Attrset of secrets.
+      '';
+    };
+
+    identityPaths = mkOption {
+      type = types.listOf types.path;
+      default = [
+        "${config.home.homeDirectory}/.ssh/id_ed25519"
+        "${config.home.homeDirectory}/.ssh/id_rsa"
+      ];
+      defaultText = literalExpression ''
+        [
+          "''${config.home.homeDirectory}/.ssh/id_ed25519"
+          "''${config.home.homeDirectory}/.ssh/id_rsa"
+        ]
+      '';
+      description = ''
+        Path to SSH keys to be used as identities in age decryption.
+      '';
+    };
+
+    secretsDir = mkOption {
+      type = types.str;
+      default = userDirectory "agenix";
+      defaultText = userDirectoryDescription "agenix";
+      description = ''
+        Folder where secrets are symlinked to
+      '';
+    };
+
+    secretsMountPoint = mkOption {
+      default = userDirectory "agenix.d";
+      defaultText = userDirectoryDescription "agenix.d";
+      description = ''
+        Where secrets are created before they are symlinked to ''${cfg.secretsDir}
+      '';
+    };
+  };
+
+  config = mkIf (cfg.secrets != {}) {
+    assertions = [
+      {
+        assertion = cfg.identityPaths != [];
+        message = "age.identityPaths must be set.";
+      }
+    ];
+
+    systemd.user.services.agenix = lib.mkIf pkgs.stdenv.hostPlatform.isLinux {
+      Unit = {
+        Description = "agenix activation";
+      };
+      Service = {
+        Type = "oneshot";
+        ExecStart = mountingScript;
+      };
+      Install.WantedBy = ["default.target"];
+    };
+
+    launchd.agents.activate-agenix = {
+      enable = true;
+      config = {
+        ProgramArguments = [mountingScript];
+        KeepAlive = {
+          Crashed = false;
+          SuccessfulExit = false;
+        };
+        RunAtLoad = true;
+        ProcessType = "Background";
+        StandardOutPath = "${config.home.homeDirectory}/Library/Logs/agenix/stdout";
+        StandardErrorPath = "${config.home.homeDirectory}/Library/Logs/agenix/stderr";
+      };
+    };
+  };
+}

modules/age.nix

@@ -1,38 +1,142 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
+{
+  config,
+  options,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
   cfg = config.age;
-  rage = pkgs.callPackage ../pkgs/rage.nix {};
-  ageBin = "${rage}/bin/rage";
+
+  isDarwin = lib.attrsets.hasAttrByPath ["environment" "darwinConfig"] options;
+
+  ageBin = config.age.ageBin;
 
   users = config.users.users;
 
-  identities = builtins.concatStringsSep " " (map (path: "-i ${path}") cfg.sshKeyPaths);
-  installSecret = secretType: ''
-    echo "decrypting ${secretType.file} to ${secretType.path}..."
-    TMP_FILE="${secretType.path}.tmp"
-    mkdir -p $(dirname ${secretType.path})
-    (umask 0400; ${ageBin} --decrypt ${identities} -o "$TMP_FILE" "${secretType.file}")
-    chmod ${secretType.mode} "$TMP_FILE"
-    chown ${secretType.owner}:${secretType.group} "$TMP_FILE"
-    mv -f "$TMP_FILE" '${secretType.path}'
+  mountCommand =
+    if isDarwin
+    then ''
+      if ! diskutil info "${cfg.secretsMountPoint}" &> /dev/null; then
+          num_sectors=1048576
+          dev=$(hdiutil attach -nomount ram://"$num_sectors" | sed 's/[[:space:]]*$//')
+          newfs_hfs -v agenix "$dev"
+          mount -t hfs -o nobrowse,nodev,nosuid,-m=0751 "$dev" "${cfg.secretsMountPoint}"
+      fi
+    ''
+    else ''
+      grep -q "${cfg.secretsMountPoint} ramfs" /proc/mounts ||
+        mount -t ramfs none "${cfg.secretsMountPoint}" -o nodev,nosuid,mode=0751
+    '';
+  newGeneration = ''
+    _agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)"
+    (( ++_agenix_generation ))
+    echo "[agenix] creating new generation in ${cfg.secretsMountPoint}/$_agenix_generation"
+    mkdir -p "${cfg.secretsMountPoint}"
+    chmod 0751 "${cfg.secretsMountPoint}"
+    ${mountCommand}
+    mkdir -p "${cfg.secretsMountPoint}/$_agenix_generation"
+    chmod 0751 "${cfg.secretsMountPoint}/$_agenix_generation"
   '';
 
-  rootOwnedSecrets = builtins.filter (st: st.owner == "root" && st.group == "root") (builtins.attrValues cfg.secrets);
-  installRootOwnedSecrets = builtins.concatStringsSep "\n" (["echo '[agenix] decrypting root secrets...'"] ++ (map installSecret rootOwnedSecrets));
+  chownGroup =
+    if isDarwin
+    then "admin"
+    else "keys";
+  # chown the secrets mountpoint and the current generation to the keys group
+  # instead of leaving it root:root.
+  chownMountPoint = ''
+    chown :${chownGroup} "${cfg.secretsMountPoint}" "${cfg.secretsMountPoint}/$_agenix_generation"
+  '';
 
-  nonRootSecrets = builtins.filter (st: st.owner != "root" && st.group != "root") (builtins.attrValues cfg.secrets);
-  installNonRootSecrets = builtins.concatStringsSep "\n" (["echo '[agenix] decrypting non-root secrets...'"] ++ (map installSecret nonRootSecrets));
+  setTruePath = secretType: ''
+    ${
+      if secretType.symlink
+      then ''
+        _truePath="${cfg.secretsMountPoint}/$_agenix_generation/${secretType.name}"
+      ''
+      else ''
+        _truePath="${secretType.path}"
+      ''
+    }
+  '';
 
-  secretType = types.submodule ({ config, ... }: {
+  installSecret = secretType: ''
+    ${setTruePath secretType}
+    echo "decrypting '${secretType.file}' to '$_truePath'..."
+    TMP_FILE="$_truePath.tmp"
+
+    IDENTITIES=()
+    for identity in ${toString cfg.identityPaths}; do
+      test -r "$identity" || continue
+      test -s "$identity" || continue
+      IDENTITIES+=(-i)
+      IDENTITIES+=("$identity")
+    done
+
+    test "''${#IDENTITIES[@]}" -eq 0 && echo "[agenix] WARNING: no readable identities found!"
+
+    mkdir -p "$(dirname "$_truePath")"
+    [ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && mkdir -p "$(dirname "${secretType.path}")"
+    (
+      umask u=r,g=,o=
+      test -f "${secretType.file}" || echo '[agenix] WARNING: encrypted file ${secretType.file} does not exist!'
+      test -d "$(dirname "$TMP_FILE")" || echo "[agenix] WARNING: $(dirname "$TMP_FILE") does not exist!"
+      LANG=${config.i18n.defaultLocale or "C"} ${ageBin} --decrypt "''${IDENTITIES[@]}" -o "$TMP_FILE" "${secretType.file}"
+    )
+    chmod ${secretType.mode} "$TMP_FILE"
+    mv -f "$TMP_FILE" "$_truePath"
+
+    ${optionalString secretType.symlink ''
+      [ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfn "${cfg.secretsDir}/${secretType.name}" "${secretType.path}"
+    ''}
+  '';
+
+  testIdentities =
+    map
+    (path: ''
+      test -f ${path} || echo '[agenix] WARNING: config.age.identityPaths entry ${path} not present!'
+    '')
+    cfg.identityPaths;
+
+  cleanupAndLink = ''
+    _agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)"
+    (( ++_agenix_generation ))
+    echo "[agenix] symlinking new secrets to ${cfg.secretsDir} (generation $_agenix_generation)..."
+    ln -sfn "${cfg.secretsMountPoint}/$_agenix_generation" ${cfg.secretsDir}
+
+    (( _agenix_generation > 1 )) && {
+    echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..."
+    rm -rf "${cfg.secretsMountPoint}/$(( _agenix_generation - 1 ))"
+    }
+  '';
+
+  installSecrets = builtins.concatStringsSep "\n" (
+    ["echo '[agenix] decrypting secrets...'"]
+    ++ testIdentities
+    ++ (map installSecret (builtins.attrValues cfg.secrets))
+    ++ [cleanupAndLink]
+  );
+
+  chownSecret = secretType: ''
+    ${setTruePath secretType}
+    chown ${secretType.owner}:${secretType.group} "$_truePath"
+  '';
+
+  chownSecrets = builtins.concatStringsSep "\n" (
+    ["echo '[agenix] chowning...'"]
+    ++ [chownMountPoint]
+    ++ (map chownSecret (builtins.attrValues cfg.secrets))
+  );
+
+  secretType = types.submodule ({config, ...}: {
     options = {
       name = mkOption {
         type = types.str;
         default = config._module.args.name;
+        defaultText = literalExpression "config._module.args.name";
         description = ''
-          Name of the file used in /run/secrets
+          Name of the file used in {option}`age.secretsDir`
         '';
       };
       file = mkOption {
@@ -42,37 +146,58 @@ let
         '';
       };
       path = mkOption {
-          type = types.str;
-          default = "/run/secrets/${config.name}";
-          description = ''
-            Path where the decrypted secret is installed.
-          '';
-        };
+        type = types.str;
+        default = "${cfg.secretsDir}/${config.name}";
+        defaultText = literalExpression ''
+          "''${cfg.secretsDir}/''${config.name}"
+        '';
+        description = ''
+          Path where the decrypted secret is installed.
+        '';
+      };
       mode = mkOption {
         type = types.str;
         default = "0400";
         description = ''
-          Permissions mode of the in octal.
+          Permissions mode of the decrypted secret in a format understood by chmod.
         '';
       };
       owner = mkOption {
         type = types.str;
-        default = "root";
+        default = "0";
         description = ''
-          User of the file.
+          User of the decrypted secret.
         '';
       };
       group = mkOption {
         type = types.str;
-        default = users.${config.owner}.group;
+        default = users.${config.owner}.group or "0";
+        defaultText = literalExpression ''
+          users.''${config.owner}.group or "0"
+        '';
         description = ''
-          Group of the file.
+          Group of the decrypted secret.
         '';
       };
+      symlink = mkEnableOption "symlinking secrets to their destination" // {default = true;};
     };
   });
 in {
+  imports = [
+    (mkRenamedOptionModule ["age" "sshKeyPaths"] ["age" "identityPaths"])
+  ];
+
   options.age = {
+    ageBin = mkOption {
+      type = types.str;
+      default = "${pkgs.age}/bin/age";
+      defaultText = literalExpression ''
+        "''${pkgs.age}/bin/age"
+      '';
+      description = ''
+        The age executable to use.
+      '';
+    };
     secrets = mkOption {
       type = types.attrsOf secretType;
       default = {};
@@ -80,28 +205,116 @@ in {
         Attrset of secrets.
       '';
     };
-    sshKeyPaths = mkOption {
+    secretsDir = mkOption {
+      type = types.path;
+      default = "/run/agenix";
+      description = ''
+        Folder where secrets are symlinked to
+      '';
+    };
+    secretsMountPoint = mkOption {
+      type =
+        types.addCheck types.str
+        (s:
+          (builtins.match "[ \t\n]*" s)
+          == null # non-empty
+          && (builtins.match ".+/" s) == null) # without trailing slash
+        // {description = "${types.str.description} (with check: non-empty without trailing slash)";};
+      default = "/run/agenix.d";
+      description = ''
+        Where secrets are created before they are symlinked to {option}`age.secretsDir`
+      '';
+    };
+    identityPaths = mkOption {
       type = types.listOf types.path;
-      default = if config.services.openssh.enable then
-                  map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys)
-                else [];
+      default =
+        if (config.services.openssh.enable or false)
+        then map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys)
+        else if isDarwin
+        then [
+          "/etc/ssh/ssh_host_ed25519_key"
+          "/etc/ssh/ssh_host_rsa_key"
+        ]
+        else [];
+      defaultText = literalExpression ''
+        if (config.services.openssh.enable or false)
+        then map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys)
+        else if isDarwin
+        then [
+          "/etc/ssh/ssh_host_ed25519_key"
+          "/etc/ssh/ssh_host_rsa_key"
+        ]
+        else [];
+      '';
       description = ''
         Path to SSH keys to be used as identities in age decryption.
       '';
     };
   };
-  config = mkIf (cfg.secrets != {}) {
-    assertions = [{
-      assertion = cfg.sshKeyPaths != [];
-      message = "age.sshKeyPaths must be set.";
-    }];
 
-    # Secrets with root owner and group can be installed before users
-    # exist. This allows user password files to be encrypted.
-    system.activationScripts.agenixRoot = installRootOwnedSecrets;
-    system.activationScripts.users.deps = [ "agenixRoot" ];
+  config = mkIf (cfg.secrets != {}) (mkMerge [
+    {
+      assertions = [
+        {
+          assertion = cfg.identityPaths != [];
+          message = "age.identityPaths must be set.";
+        }
+      ];
+    }
 
-    # Other secrets need to wait for users and groups to exist.
-    system.activationScripts.agenix = stringAfter [ "users" "groups" ] installNonRootSecrets;
-  };
+    (optionalAttrs (!isDarwin) {
+      # Create a new directory full of secrets for symlinking (this helps
+      # ensure removed secrets are actually removed, or at least become
+      # invalid symlinks).
+      system.activationScripts.agenixNewGeneration = {
+        text = newGeneration;
+        deps = [
+          "specialfs"
+        ];
+      };
+
+      system.activationScripts.agenixInstall = {
+        text = installSecrets;
+        deps = [
+          "agenixNewGeneration"
+          "specialfs"
+        ];
+      };
+
+      # So user passwords can be encrypted.
+      system.activationScripts.users.deps = ["agenixInstall"];
+
+      # Change ownership and group after users and groups are made.
+      system.activationScripts.agenixChown = {
+        text = chownSecrets;
+        deps = [
+          "users"
+          "groups"
+        ];
+      };
+
+      # So other activation scripts can depend on agenix being done.
+      system.activationScripts.agenix = {
+        text = "";
+        deps = ["agenixChown"];
+      };
+    })
+    (optionalAttrs isDarwin {
+      launchd.daemons.activate-agenix = {
+        script = ''
+          set -e
+          set -o pipefail
+          export PATH="${pkgs.gnugrep}/bin:${pkgs.coreutils}/bin:@out@/sw/bin:/usr/bin:/bin:/usr/sbin:/sbin"
+          ${newGeneration}
+          ${installSecrets}
+          ${chownSecrets}
+          exit 0
+        '';
+        serviceConfig = {
+          RunAtLoad = true;
+          KeepAlive.SuccessfulExit = false;
+        };
+      };
+    })
+  ]);
 }

overlay.nix

@@ -0,0 +1,3 @@
+final: prev: {
+  agenix = prev.callPackage ./pkgs/agenix.nix {};
+}

pkgs/agenix.nix

@@ -1,155 +1,62 @@
-{writeShellScriptBin, runtimeShell, pkgs} :
-let
-  rage = pkgs.callPackage ./rage.nix {};
-  ageBin = "${rage}/bin/rage";
+{
+  lib,
+  stdenv,
+  age,
+  jq,
+  nix,
+  mktemp,
+  diffutils,
+  substituteAll,
+  ageBin ? "${age}/bin/age",
+  shellcheck,
+}: let
+  bin = "${placeholder "out"}/bin/agenix";
 in
-writeShellScriptBin "agenix" ''
-set -Eeuo pipefail
+  stdenv.mkDerivation rec {
+    pname = "agenix";
+    version = "0.15.0";
+    src = substituteAll {
+      inherit ageBin version;
+      jqBin = "${jq}/bin/jq";
+      nixInstantiate = "${nix}/bin/nix-instantiate";
+      mktempBin = "${mktemp}/bin/mktemp";
+      diffBin = "${diffutils}/bin/diff";
+      src = ./agenix.sh;
+    };
+    dontUnpack = true;
+    doInstallCheck = true;
+    installCheckInputs = [shellcheck];
+    postInstallCheck = ''
+      shellcheck ${bin}
+      ${bin} -h | grep ${version}
 
-PACKAGE="agenix"
+      HOME=$(mktemp -d 2>/dev/null || mktemp -d -t 'mytmpdir')
+      function cleanup {
+        rm -rf $HOME
+      }
+      trap "cleanup" 0 2 3 15
 
-function show_help () {
-  echo "$PACKAGE - edit and rekey age secret files"
-  echo " "
-  echo "$PACKAGE -e FILE [-i PRIVATE_KEY]"
-  echo "$PACKAGE -r [-i PRIVATE_KEY]"
-  echo ' '
-  echo 'options:'
-  echo '-h, --help                show help'
-  echo '-e, --edit FILE           edits FILE using $EDITOR'
-  echo '-r, --rekey               re-encrypts all secrets with specified recipients'
-  echo '-i, --identity            identity to use when decrypting'
-  echo ' '
-  echo 'FILE an age-encrypted file'
-  echo ' '
-  echo 'PRIVATE_KEY a path to a private SSH key used to decrypt file'
-  echo ' '
-  echo 'EDITOR environment variable of editor to use when editing FILE'
-  echo ' '
-  echo 'RULES environment variable with path to Nix file specifying recipient public keys.'
-  echo "Defaults to './secrets.nix'"
-  echo ' '
-  echo "age binary path: ${ageBin}"
-  echo "age version: $(${ageBin} --version)"
-}
+      mkdir -p $HOME/.ssh
+      cp -r "${../example}" $HOME/secrets
+      chmod -R u+rw $HOME/secrets
+      (
+      umask u=rw,g=r,o=r
+      cp ${../example_keys/user1.pub} $HOME/.ssh/id_ed25519.pub
+      chown $UID $HOME/.ssh/id_ed25519.pub
+      )
+      (
+      umask u=rw,g=,o=
+      cp ${../example_keys/user1} $HOME/.ssh/id_ed25519
+      chown $UID $HOME/.ssh/id_ed25519
+      )
 
-test $# -eq 0 && (show_help && exit 1)
+      cd $HOME/secrets
+      test $(${bin} -d secret1.age) = "hello"
+    '';
 
-REKEY=0
-DEFAULT_DECRYPT=(--decrypt)
+    installPhase = ''
+      install -D $src ${bin}
+    '';
 
-while test $# -gt 0; do
-  case "$1" in
-    -h|--help)
-      show_help
-      exit 0
-      ;;
-    -e|--edit)
-      shift
-      if test $# -gt 0; then
-        export FILE=$1
-      else
-        echo "no FILE specified"
-        exit 1
-      fi
-      shift
-      ;;
-    -i|--identity)
-      shift
-      if test $# -gt 0; then
-        DEFAULT_DECRYPT+=(--identity "$1")
-      else
-        echo "no PRIVATE_KEY specified"
-        exit 1
-      fi
-      shift
-      ;;
-    -r|--rekey)
-      shift
-      REKEY=1
-      ;;
-    *)
-      show_help
-      exit 1
-      ;;
-  esac
-done
-
-RULES=''${RULES:-./secrets.nix}
-
-function cleanup {
-    if [ ! -z ''${CLEARTEXT_DIR+x} ]
-    then
-        rm -rf "$CLEARTEXT_DIR"
-    fi
-    if [ ! -z ''${REENCRYPTED_DIR+x} ]
-    then
-        rm -rf "$REENCRYPTED_DIR"
-    fi
-}
-trap "cleanup" 0 2 3 15
-
-function edit {
-    FILE=$1
-    KEYS=$((nix-instantiate --eval -E "(let rules = import $RULES; in builtins.concatStringsSep \"\n\" rules.\"$FILE\".publicKeys)" | sed 's/"//g' | sed 's/\\n/\n/g') || exit 1)
-
-    if [ -z "$KEYS" ]
-    then
-        >&2 echo "There is no rule for $FILE in $RULES."
-        exit 1
-    fi
-
-    CLEARTEXT_DIR=$(mktemp -d)
-    CLEARTEXT_FILE="$CLEARTEXT_DIR/$(basename "$FILE")"
-
-    if [ -f "$FILE" ]
-    then
-        DECRYPT=("''${DEFAULT_DECRYPT[@]}")
-        while IFS= read -r key
-        do
-            DECRYPT+=(--identity "$key")
-        done <<<"$((find ~/.ssh -maxdepth 1 -type f -not -name "*pub" -not -name "config" -not -name "authorized_keys" -not -name "known_hosts") || exit 1)"
-        DECRYPT+=(-o "$CLEARTEXT_FILE" "$FILE")
-        ${ageBin} "''${DECRYPT[@]}" || exit 1
-        cp "$CLEARTEXT_FILE" "$CLEARTEXT_FILE.before"
-    fi
-
-    $EDITOR "$CLEARTEXT_FILE"
-
-    if [ ! -f "$CLEARTEXT_FILE" ]
-    then
-      echo "$FILE wasn't created."
-      return
-    fi
-    [ -f "$FILE" ] && [ "$EDITOR" != ":" ] && diff "$CLEARTEXT_FILE.before" "$CLEARTEXT_FILE" 1>/dev/null && echo "$FILE wasn't changed, skipping re-encryption." && return
-
-    ENCRYPT=()
-    while IFS= read -r key
-    do
-        ENCRYPT+=(--recipient "$key")
-    done <<< "$KEYS"
-
-    REENCRYPTED_DIR=$(mktemp -d)
-    REENCRYPTED_FILE="$REENCRYPTED_DIR/$(basename "$FILE")"
-
-    ENCRYPT+=(-o "$REENCRYPTED_FILE")
-
-    ${ageBin} "''${ENCRYPT[@]}" <"$CLEARTEXT_FILE" || exit 1
-
-    mv -f "$REENCRYPTED_FILE" "$1"
-}
-
-function rekey {
-    FILES=$((nix-instantiate --eval -E "(let rules = import $RULES; in builtins.concatStringsSep \"\n\" (builtins.attrNames rules))"  | sed 's/"//g' | sed 's/\\n/\n/g') || exit 1)
-
-    for FILE in $FILES
-    do
-        echo "rekeying $FILE..."
-        EDITOR=: edit "$FILE"
-        cleanup
-    done
-}
-
-[ $REKEY -eq 1 ] && rekey && exit 0
-edit "$FILE" && cleanup && exit 0
-''
+    meta.description = "age-encrypted secrets for NixOS";
+  }

pkgs/agenix.sh

@@ -0,0 +1,204 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+PACKAGE="agenix"
+
+function show_help () {
+  echo "$PACKAGE - edit and rekey age secret files"
+  echo " "
+  echo "$PACKAGE -e FILE [-i PRIVATE_KEY]"
+  echo "$PACKAGE -r [-i PRIVATE_KEY]"
+  echo ' '
+  echo 'options:'
+  echo '-h, --help                show help'
+  # shellcheck disable=SC2016
+  echo '-e, --edit FILE           edits FILE using $EDITOR'
+  echo '-r, --rekey               re-encrypts all secrets with specified recipients'
+  echo '-d, --decrypt FILE        decrypts FILE to STDOUT'
+  echo '-i, --identity            identity to use when decrypting'
+  echo '-v, --verbose             verbose output'
+  echo ' '
+  echo 'FILE an age-encrypted file'
+  echo ' '
+  echo 'PRIVATE_KEY a path to a private SSH key used to decrypt file'
+  echo ' '
+  echo 'EDITOR environment variable of editor to use when editing FILE'
+  echo ' '
+  echo 'If STDIN is not interactive, EDITOR will be set to "cp /dev/stdin"'
+  echo ' '
+  echo 'RULES environment variable with path to Nix file specifying recipient public keys.'
+  echo "Defaults to './secrets.nix'"
+  echo ' '
+  echo "agenix version: @version@"
+  echo "age binary path: @ageBin@"
+  echo "age version: $(@ageBin@ --version)"
+}
+
+function warn() {
+  printf '%s\n' "$*" >&2
+}
+
+function err() {
+  warn "$*"
+  exit 1
+}
+
+test $# -eq 0 && (show_help && exit 1)
+
+REKEY=0
+DECRYPT_ONLY=0
+DEFAULT_DECRYPT=(--decrypt)
+
+while test $# -gt 0; do
+  case "$1" in
+    -h|--help)
+      show_help
+      exit 0
+      ;;
+    -e|--edit)
+      shift
+      if test $# -gt 0; then
+        export FILE=$1
+      else
+        echo "no FILE specified"
+        exit 1
+      fi
+      shift
+      ;;
+    -i|--identity)
+      shift
+      if test $# -gt 0; then
+        DEFAULT_DECRYPT+=(--identity "$1")
+      else
+        echo "no PRIVATE_KEY specified"
+        exit 1
+      fi
+      shift
+      ;;
+    -r|--rekey)
+      shift
+      REKEY=1
+      ;;
+    -d|--decrypt)
+      shift
+      DECRYPT_ONLY=1
+      if test $# -gt 0; then
+        export FILE=$1
+      else
+        echo "no FILE specified"
+        exit 1
+      fi
+      shift
+      ;;
+    -v|--verbose)
+      shift
+      set -x
+      ;;
+    *)
+      show_help
+      exit 1
+      ;;
+  esac
+done
+
+RULES=${RULES:-./secrets.nix}
+function cleanup {
+    if [ -n "${CLEARTEXT_DIR+x}" ]
+    then
+        rm -rf "$CLEARTEXT_DIR"
+    fi
+    if [ -n "${REENCRYPTED_DIR+x}" ]
+    then
+        rm -rf "$REENCRYPTED_DIR"
+    fi
+}
+trap "cleanup" 0 2 3 15
+
+function keys {
+    (@nixInstantiate@ --json --eval --strict -E "(let rules = import $RULES; in rules.\"$1\".publicKeys)" | @jqBin@ -r .[]) || exit 1
+}
+
+function decrypt {
+    FILE=$1
+    KEYS=$2
+    if [ -z "$KEYS" ]
+    then
+        err "There is no rule for $FILE in $RULES."
+    fi
+
+    if [ -f "$FILE" ]
+    then
+        DECRYPT=("${DEFAULT_DECRYPT[@]}")
+        if [[ "${DECRYPT[*]}" != *"--identity"* ]]; then
+            if [ -f "$HOME/.ssh/id_rsa" ]; then
+                DECRYPT+=(--identity "$HOME/.ssh/id_rsa")
+            fi
+            if [ -f "$HOME/.ssh/id_ed25519" ]; then
+                DECRYPT+=(--identity "$HOME/.ssh/id_ed25519")
+            fi
+        fi
+        if [[ "${DECRYPT[*]}" != *"--identity"* ]]; then
+          err "No identity found to decrypt $FILE. Try adding an SSH key at $HOME/.ssh/id_rsa or $HOME/.ssh/id_ed25519 or using the --identity flag to specify a file."
+        fi
+
+        @ageBin@ "${DECRYPT[@]}" "$FILE" || exit 1
+    fi
+}
+
+function edit {
+    FILE=$1
+    KEYS=$(keys "$FILE") || exit 1
+
+    CLEARTEXT_DIR=$(@mktempBin@ -d)
+    CLEARTEXT_FILE="$CLEARTEXT_DIR/$(basename "$FILE")"
+    DEFAULT_DECRYPT+=(-o "$CLEARTEXT_FILE")
+
+    decrypt "$FILE" "$KEYS" || exit 1
+
+    [ ! -f "$CLEARTEXT_FILE" ] || cp "$CLEARTEXT_FILE" "$CLEARTEXT_FILE.before"
+
+    [ -t 0 ] || EDITOR='cp /dev/stdin'
+
+    $EDITOR "$CLEARTEXT_FILE"
+
+    if [ ! -f "$CLEARTEXT_FILE" ]
+    then
+      warn "$FILE wasn't created."
+      return
+    fi
+    [ -f "$FILE" ] && [ "$EDITOR" != ":" ] && @diffBin@ -q "$CLEARTEXT_FILE.before" "$CLEARTEXT_FILE" && warn "$FILE wasn't changed, skipping re-encryption." && return
+
+    ENCRYPT=()
+    while IFS= read -r key
+    do
+        if [ -n "$key" ]; then
+            ENCRYPT+=(--recipient "$key")
+        fi
+    done <<< "$KEYS"
+
+    REENCRYPTED_DIR=$(@mktempBin@ -d)
+    REENCRYPTED_FILE="$REENCRYPTED_DIR/$(basename "$FILE")"
+
+    ENCRYPT+=(-o "$REENCRYPTED_FILE")
+
+    @ageBin@ "${ENCRYPT[@]}" <"$CLEARTEXT_FILE" || exit 1
+
+    mkdir -p "$(dirname "$FILE")"
+
+    mv -f "$REENCRYPTED_FILE" "$FILE"
+}
+
+function rekey {
+    FILES=$( (@nixInstantiate@ --json --eval -E "(let rules = import $RULES; in builtins.attrNames rules)"  | @jqBin@ -r .[]) || exit 1)
+
+    for FILE in $FILES
+    do
+        warn "rekeying $FILE..."
+        EDITOR=: edit "$FILE"
+        cleanup
+    done
+}
+
+[ $REKEY -eq 1 ] && rekey && exit 0
+[ $DECRYPT_ONLY -eq 1 ] && DEFAULT_DECRYPT+=("-o" "-") && decrypt "${FILE}" "$(keys "$FILE")" && exit 0
+edit "$FILE" && cleanup && exit 0

pkgs/doc.nix

@@ -0,0 +1,11 @@
+{
+  stdenvNoCC,
+  mmdoc,
+  self,
+}:
+stdenvNoCC.mkDerivation rec {
+  name = "agenix-doc";
+  src = ../doc;
+  phases = ["mmdocPhase"];
+  mmdocPhase = "${mmdoc}/bin/mmdoc agenix $src $out";
+}

pkgs/rage.nix

@@ -1,37 +0,0 @@
-{stdenv, rustPlatform, fetchFromGitHub, installShellFiles, darwin }:
-
-rustPlatform.buildRustPackage rec {
-  pname = "rage";
-  version = "unstable-2020-09-05";
-
-  src = fetchFromGitHub {
-    owner = "str4d";
-    repo = pname;
-    rev = "8368992e60cbedb2d6b725c3e25440e65d8544d1";
-    sha256 = "sha256-ICcApZQrR4hGxo/RcFMktenE4dswAXA2/nJ5D++O2ig=";
-  };
-
-  cargoSha256 = "sha256-QwNtp7Hxsiads3bh8NRra25RdPbIdjp+pSWTllAvdmQ=";
-
-  nativeBuildInputs = [ installShellFiles ];
-
-  buildInputs = stdenv.lib.optionals stdenv.isDarwin [ darwin.Security ];
-
-  postBuild = ''
-    cargo run --example generate-docs
-    cargo run --example generate-completions
-  '';
-
-  postInstall = ''
-    installManPage target/manpages/*
-    installShellCompletion target/completions/*.{bash,fish,zsh}
-  '';
-
-  meta = with stdenv.lib; {
-    description = "A simple, secure and modern encryption tool with small explicit keys, no config options, and UNIX-style composability";
-    homepage = "https://github.com/str4d/rage";
-    changelog = "https://github.com/str4d/rage/releases/tag/v${version}";
-    license = licenses.asl20;
-    maintainers = [ maintainers.marsam ];
-  };
-}

test/install_ssh_host_keys.nix

@@ -0,0 +1,28 @@
+# Do not copy this! It is insecure. This is only okay because we are testing.
+{config, ...}: {
+  system.activationScripts.agenixInstall.deps = ["installSSHHostKeys"];
+
+  system.activationScripts.installSSHHostKeys.text = ''
+    USER1_UID="${toString config.users.users.user1.uid}"
+    USERS_GID="${toString config.users.groups.users.gid}"
+
+    mkdir -p /etc/ssh /home/user1/.ssh
+    chown $USER1_UID:$USERS_GID /home/user1/.ssh
+    (
+      umask u=rw,g=r,o=r
+      cp ${../example_keys/system1.pub} /etc/ssh/ssh_host_ed25519_key.pub
+      cp ${../example_keys/user1.pub} /home/user1/.ssh/id_ed25519.pub
+      chown $USER1_UID:$USERS_GID /home/user1/.ssh/id_ed25519.pub
+    )
+    (
+      umask u=rw,g=,o=
+      cp ${../example_keys/system1} /etc/ssh/ssh_host_ed25519_key
+      cp ${../example_keys/user1} /home/user1/.ssh/id_ed25519
+      chown $USER1_UID:$USERS_GID /home/user1/.ssh/id_ed25519
+      touch /etc/ssh/ssh_host_rsa_key
+    )
+    cp -r "${../example}" /tmp/secrets
+    chmod -R u+rw /tmp/secrets
+    chown -R $USER1_UID:$USERS_GID /tmp/secrets
+  '';
+}

test/install_ssh_host_keys_darwin.nix

@@ -0,0 +1,17 @@
+# Do not copy this! It is insecure. This is only okay because we are testing.
+{
+  system.activationScripts.extraUserActivation.text = ''
+    echo "Installing system SSH host key"
+    sudo cp ${../example_keys/system1.pub} /etc/ssh/ssh_host_ed25519_key.pub
+    sudo cp ${../example_keys/system1} /etc/ssh/ssh_host_ed25519_key
+    sudo chmod 644 /etc/ssh/ssh_host_ed25519_key.pub
+    sudo chmod 600 /etc/ssh/ssh_host_ed25519_key
+
+    echo "Installing user SSH host key"
+    mkdir -p $HOME/.ssh
+    cp ${../example_keys/user1.pub} $HOME/.ssh/id_ed25519.pub
+    cp ${../example_keys/user1} $HOME/.ssh/id_ed25519
+    chmod 644 $HOME/.ssh/id_ed25519.pub
+    chmod 600 $HOME/.ssh/id_ed25519
+  '';
+}

test/integration.nix

@@ -0,0 +1,126 @@
+{
+  nixpkgs ? <nixpkgs>,
+  pkgs ?
+    import <nixpkgs> {
+      inherit system;
+      config = {};
+    },
+  system ? builtins.currentSystem,
+  home-manager ? <home-manager>,
+}:
+pkgs.nixosTest {
+  name = "agenix-integration";
+  nodes.system1 = {
+    config,
+    pkgs,
+    options,
+    ...
+  }: {
+    imports = [
+      ../modules/age.nix
+      ./install_ssh_host_keys.nix
+      "${home-manager}/nixos"
+    ];
+
+    services.openssh.enable = true;
+
+    age.secrets.passwordfile-user1 = {
+      file = ../example/passwordfile-user1.age;
+    };
+
+    age.identityPaths = options.age.identityPaths.default ++ ["/etc/ssh/this_key_wont_exist"];
+
+    environment.systemPackages = [
+      (pkgs.callPackage ../pkgs/agenix.nix {})
+    ];
+
+    users = {
+      mutableUsers = false;
+
+      users = {
+        user1 = {
+          isNormalUser = true;
+          passwordFile = config.age.secrets.passwordfile-user1.path;
+          uid = 1000;
+        };
+      };
+    };
+
+    home-manager.users.user1 = {options, ...}: {
+      imports = [
+        ../modules/age-home.nix
+      ];
+
+      home.stateVersion = pkgs.lib.trivial.release;
+
+      age = {
+        identityPaths = options.age.identityPaths.default ++ ["/home/user1/.ssh/this_key_wont_exist"];
+        secrets.secret2 = {
+          # Only decryptable by user1's key
+          file = ../example/secret2.age;
+        };
+        secrets.secret2Path = {
+          file = ../example/secret2.age;
+          path = "/home/user1/secret2";
+        };
+      };
+    };
+  };
+
+  testScript = let
+    user = "user1";
+    password = "password1234";
+    secret2 = "world!";
+  in ''
+    system1.wait_for_unit("multi-user.target")
+    system1.wait_until_succeeds("pgrep -f 'agetty.*tty1'")
+    system1.sleep(2)
+    system1.send_key("alt-f2")
+    system1.wait_until_succeeds("[ $(fgconsole) = 2 ]")
+    system1.wait_for_unit("getty@tty2.service")
+    system1.wait_until_succeeds("pgrep -f 'agetty.*tty2'")
+    system1.wait_until_tty_matches("2", "login: ")
+    system1.send_chars("${user}\n")
+    system1.wait_until_tty_matches("2", "login: ${user}")
+    system1.wait_until_succeeds("pgrep login")
+    system1.sleep(2)
+    system1.send_chars("${password}\n")
+    system1.send_chars("whoami > /tmp/1\n")
+    system1.wait_for_file("/tmp/1")
+    assert "${user}" in system1.succeed("cat /tmp/1")
+    system1.send_chars("cat /run/user/$(id -u)/agenix/secret2 > /tmp/2\n")
+    system1.wait_for_file("/tmp/2")
+    assert "${secret2}" in system1.succeed("cat /tmp/2")
+
+    userDo = lambda input : f"sudo -u user1 -- bash -c 'set -eou pipefail; cd /tmp/secrets; {input}'"
+
+    before_hash = system1.succeed(userDo('sha256sum passwordfile-user1.age')).split()
+    print(system1.succeed(userDo('agenix -r -i /home/user1/.ssh/id_ed25519')))
+    after_hash = system1.succeed(userDo('sha256sum passwordfile-user1.age')).split()
+
+    # Ensure we actually have hashes
+    for h in [before_hash, after_hash]:
+        assert len(h) == 2, "hash should be [hash, filename]"
+        assert h[1] == "passwordfile-user1.age", "filename is incorrect"
+        assert len(h[0].strip()) == 64, "hash length is incorrect"
+    assert before_hash[0] != after_hash[0], "hash did not change with rekeying"
+
+    # user1 can edit passwordfile-user1.age
+    system1.succeed(userDo("EDITOR=cat agenix -e passwordfile-user1.age"))
+
+    # user1 can edit even if bogus id_rsa present
+    system1.succeed(userDo("echo bogus > ~/.ssh/id_rsa"))
+    system1.fail(userDo("EDITOR=cat agenix -e passwordfile-user1.age"))
+    system1.succeed(userDo("EDITOR=cat agenix -e passwordfile-user1.age -i /home/user1/.ssh/id_ed25519"))
+    system1.succeed(userDo("rm ~/.ssh/id_rsa"))
+
+    # user1 can edit a secret by piping in contents
+    system1.succeed(userDo("echo 'secret1234' | agenix -e passwordfile-user1.age"))
+
+    # and get it back out via --decrypt
+    assert "secret1234" in system1.succeed(userDo("agenix -d passwordfile-user1.age"))
+
+    # finally, the plain text should not linger around anywhere in the filesystem.
+    system1.fail("grep -r secret1234 /tmp")
+  '';
+}

test/integration_darwin.nix

@@ -0,0 +1,28 @@
+{
+  config,
+  pkgs,
+  options,
+  ...
+}: let
+  secret = "hello";
+  testScript = pkgs.writeShellApplication {
+    name = "agenix-integration";
+    text = ''
+      grep "${secret}" "${config.age.secrets.system-secret.path}"
+    '';
+  };
+in {
+  imports = [
+    ./install_ssh_host_keys_darwin.nix
+    ../modules/age.nix
+  ];
+
+  services.nix-daemon.enable = true;
+
+  age = {
+    identityPaths = options.age.identityPaths.default ++ ["/etc/ssh/this_key_wont_exist"];
+    secrets.system-secret.file = ../example/secret1.age;
+  };
+
+  environment.systemPackages = [testScript];
+}

test/integration_hm_darwin.nix

@@ -0,0 +1,33 @@
+{
+  pkgs,
+  config,
+  options,
+  lib,
+  ...
+}: {
+  imports = [../modules/age-home.nix];
+
+  age = {
+    identityPaths = options.age.identityPaths.default ++ ["/Users/user1/.ssh/this_key_wont_exist"];
+    secrets.user-secret.file = ../example/secret2.age;
+  };
+
+  home = rec {
+    username = "runner";
+    homeDirectory = lib.mkForce "/Users/${username}";
+    stateVersion = lib.trivial.release;
+  };
+
+  home.file = let
+    name = "agenix-home-integration";
+  in {
+    ${name}.source = pkgs.writeShellApplication {
+      inherit name;
+      text = let
+        secret = "world!";
+      in ''
+        diff -q "${config.age.secrets.user-secret.path}" <(printf '${secret}\n')
+      '';
+    };
+  };
+}