use unstable verison of rage in place of age

* age limits the number of recipients to 20
* the latest release of rage (0.4.0) doesn't work with ssh-rsa keys

flake.nix

@@ -1,18 +1,13 @@
 {
   description = "Secret management with age";
-  outputs = { self, nixpkgs }: let
-    systems = [
-      "x86_64-linux"
-      "i686-linux"
-      "x86_64-darwin"
-      "aarch64-linux"
-      "armv6l-linux"
-      "armv7l-linux"
-    ];
-    forAllSystems = f: nixpkgs.lib.genAttrs systems (system: f system);
-  in {
-    nixosModules.age = import ./modules/age.nix;
-    packages = forAllSystems (system: nixpkgs.legacyPackages.${system}.callPackage ./default.nix {});
-    defaultPackage = forAllSystems (system: self.packages.${system}.agenix);
-  };
+
+  inputs.flake-utils.url = "github:numtide/flake-utils";
+
+  outputs = { self, nixpkgs, flake-utils }:
+    flake-utils.lib.eachDefaultSystem (system:
+      {
+        nixosModules.age = import ./modules/age.nix;
+        packages = nixpkgs.legacyPackages.${system}.callPackage ./default.nix {};
+        defaultPackage = self.packages.${system}.agenix;
+      });
 }

modules/age.nix

@@ -4,12 +4,15 @@ with lib;
 
 let
   cfg = config.age;
+  rage = pkgs.callPackage ../pkgs/rage.nix {};
+  ageBin = "${rage}/bin/rage";
+
   users = config.users.users;
 
   identities = builtins.concatStringsSep " " (map (path: "-i ${path}") cfg.sshKeyPaths);
   installSecret = secretType: ''
     TMP_FILE="${secretType.path}.tmp"
-    (umask 0400; ${pkgs.age}/bin/age --decrypt ${identities} -o "$TMP_FILE" "${secretType.file}")
+    (umask 0400; ${ageBin} --decrypt ${identities} -o "$TMP_FILE" "${secretType.file}")
     chmod ${secretType.mode} "$TMP_FILE"
     chown ${secretType.owner}:${secretType.group} "$TMP_FILE"
     mv -f "$TMP_FILE" '${secretType.path}'

pkgs/agenix.nix

@@ -1,4 +1,8 @@
-{writeShellScriptBin, runtimeShell, age} :
+{writeShellScriptBin, runtimeShell, pkgs} :
+let
+  rage = pkgs.callPackage ./rage.nix {};
+  ageBin = "${rage}/bin/rage";
+in
 writeShellScriptBin "agenix" ''
 set -Eeuo pipefail
 
@@ -103,7 +107,7 @@ function edit {
             DECRYPT+=(--identity "$key")
         done <<<"$((find ~/.ssh -maxdepth 1 -type f -not -name "*pub" -not -name "config" -not -name "authorized_keys" -not -name "known_hosts") || exit 1)"
         DECRYPT+=(-o "$CLEARTEXT_FILE" "$FILE")
-        ${age}/bin/age "''${DECRYPT[@]}" || exit 1
+        ${ageBin} "''${DECRYPT[@]}" || exit 1
         cp "$CLEARTEXT_FILE" "$CLEARTEXT_FILE.before"
     fi
 
@@ -127,7 +131,7 @@ function edit {
 
     ENCRYPT+=(-o "$REENCRYPTED_FILE")
 
-    ${age}/bin/age "''${ENCRYPT[@]}" <"$CLEARTEXT_FILE" || exit 1
+    ${ageBin} "''${ENCRYPT[@]}" <"$CLEARTEXT_FILE" || exit 1
 
     mv -f "$REENCRYPTED_FILE" "$1"
 }

pkgs/rage.nix

@@ -0,0 +1,37 @@
+{stdenv, rustPlatform, fetchFromGitHub, installShellFiles, darwin }:
+
+rustPlatform.buildRustPackage rec {
+  pname = "rage";
+  version = "unstable-2020-09-05";
+
+  src = fetchFromGitHub {
+    owner = "str4d";
+    repo = pname;
+    rev = "8368992e60cbedb2d6b725c3e25440e65d8544d1";
+    sha256 = "sha256-ICcApZQrR4hGxo/RcFMktenE4dswAXA2/nJ5D++O2ig=";
+  };
+
+  cargoSha256 = "sha256-QwNtp7Hxsiads3bh8NRra25RdPbIdjp+pSWTllAvdmQ=";
+
+  nativeBuildInputs = [ installShellFiles ];
+
+  buildInputs = stdenv.lib.optionals stdenv.isDarwin [ darwin.Security ];
+
+  postBuild = ''
+    cargo run --example generate-docs
+    cargo run --example generate-completions
+  '';
+
+  postInstall = ''
+    installManPage target/manpages/*
+    installShellCompletion target/completions/*.{bash,fish,zsh}
+  '';
+
+  meta = with stdenv.lib; {
+    description = "A simple, secure and modern encryption tool with small explicit keys, no config options, and UNIX-style composability";
+    homepage = "https://github.com/str4d/rage";
+    changelog = "https://github.com/str4d/rage/releases/tag/v${version}";
+    license = licenses.asl20;
+    maintainers = [ maintainers.marsam ];
+  };
+}