From e90c6b17246babf0da7a7925efe1087025008626 Mon Sep 17 00:00:00 2001
From: Noah Masur <7386960+nmasur@users.noreply.github.com>
Date: Sun, 9 Mar 2025 05:02:20 +0000
Subject: [PATCH] moving around reencrypt secrets
---
apps/loadkey.nix | 9 -------
apps/reencrypt-secrets.nix | 27 -------------------
flake.nix | 16 +++++------
pkgs/tools/misc/reencrypt-secrets/package.nix | 21 +++++++++++++++
4 files changed, 29 insertions(+), 44 deletions(-)
delete mode 100644 apps/loadkey.nix
delete mode 100644 apps/reencrypt-secrets.nix
create mode 100644 pkgs/tools/misc/reencrypt-secrets/package.nix
diff --git a/apps/loadkey.nix b/apps/loadkey.nix
deleted file mode 100644
index b83376d..0000000
--- a/apps/loadkey.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{ pkgs, ... }:
-{
-
- # TODO: just replace with packages instead of apps
-
- type = "app";
-
- program = "${pkgs.nmasur.loadkey}/bin/loadkey";
-}
diff --git a/apps/reencrypt-secrets.nix b/apps/reencrypt-secrets.nix
deleted file mode 100644
index 0094c8d..0000000
--- a/apps/reencrypt-secrets.nix
+++ /dev/null
@@ -1,27 +0,0 @@
-{ pkgs, ... }:
-{
-
- # nix run github:nmasur/dotfiles#reencrypt-secrets ./private
-
- type = "app";
-
- program = builtins.toString (
- pkgs.writeShellScript "reencrypt-secrets" ''
- if [ $# -eq 0 ]; then
- echo "Must provide directory to reencrypt."
- exit 1
- fi
- encrypted=$1
- for encryptedfile in ''${1}/*; do
- tmpfile=$(mktemp)
- echo "Decrypting ''${encryptedfile}..."
- ${pkgs.age}/bin/age --decrypt \
- --identity ~/.ssh/id_ed25519 $encryptedfile > $tmpfile
- echo "Encrypting ''${encryptedfile}..."
- ${pkgs.age}/bin/age --encrypt --armor --recipients-file ${builtins.toString ../misc/public-keys} $tmpfile > $encryptedfile
- rm $tmpfile
- done
- echo "Finished."
- ''
- );
-}
diff --git a/flake.nix b/flake.nix
index aa91c69..72a96e9 100644
--- a/flake.nix
+++ b/flake.nix
@@ -447,14 +447,14 @@ packages = mypackages; - # Programs that can be run by calling this flake - apps = forAllSystems ( - system: - let - pkgs = import nixpkgs { inherit system overlays; }; - in - import ./apps { inherit pkgs; } - ); + # # Programs that can be run by calling this flake + # apps = forAllSystems ( + # system: + # let + # pkgs = import nixpkgs { inherit system overlays; }; + # in + # import ./apps { inherit pkgs; } + # ); # Development environments devShells = forAllSystems (
diff --git a/pkgs/tools/misc/reencrypt-secrets/package.nix b/pkgs/tools/misc/reencrypt-secrets/package.nix
new file mode 100644
index 0000000..f4f5587
--- /dev/null
+++ b/pkgs/tools/misc/reencrypt-secrets/package.nix
@@ -0,0 +1,21 @@
+{ pkgs, ... }:
+
+# nix run github:nmasur/dotfiles#reencrypt-secrets ./private
+
+pkgs.writeShellScriptBin "reencrypt-secrets" ''
+ if [ $# -eq 0 ]; then
+ echo "Must provide directory to reencrypt."
+ exit 1
+ fi
+ encrypted=$1
+ find "''${1}" -type f -name "*.age" | while IFS= read -r encryptedfile; do
+ tmpfile=$(mktemp)
+ echo "Decrypting ''${encryptedfile}..."
+ ${pkgs.age}/bin/age --decrypt \
+ --identity ~/.ssh/id_ed25519 $encryptedfile > $tmpfile
+ echo "Encrypting ''${encryptedfile}..."
+ ${pkgs.age}/bin/age --encrypt --armor --recipients-file ${builtins.toString ../../../../misc/public-keys} $tmpfile > $encryptedfile
+ rm $tmpfile
+ done
+ echo "Finished."
+''
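Review bot: The `apps` output in `flake.nix` is commented out rather than deleted, which leaves eight lines of dead code that git history already preserves; removing the block outright reads more cleanly. If a marker is wanted, a single line such as `# apps were replaced by packages; use nix run .#<name>` says why the output is gone. The hunk does not show whether `mypackages` exposes `reencrypt-secrets`, so the `nix run ...#reencrypt-secrets` usage comment in the new package file should be checked against it.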
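Review bot: In the new loop of `package.nix`, the exit status of `age --decrypt` is never checked, so a failed decrypt leaves `$tmpfile` empty and the following `age --encrypt ... > $encryptedfile` still runs, replacing the original secret with an encryption of nothing. The decrypted secret is also written to a `mktemp` file that stays on disk if the script is interrupted before `rm`. Piping decrypt straight into encrypt, writing the ciphertext to a temporary file beside the original and renaming it only on success avoids both problems, as sketched below. `$encryptedfile` and `$tmpfile` are expanded unquoted, which undoes the `read -r` handling for paths with spaces now that `find` recurses, and `encrypted=$1` is unused.

```nix
  # … unchanged: argument check …
  set -eo pipefail
  find "''${1}" -type f -name "*.age" | while IFS= read -r encryptedfile; do
    # Only ciphertext is written to disk; the plaintext stays in the pipe.
    tmpfile=$(mktemp "''${encryptedfile}.XXXXXX")
    echo "Reencrypting ''${encryptedfile}..."
    if ${pkgs.age}/bin/age --decrypt --identity ~/.ssh/id_ed25519 "$encryptedfile" \
      | ${pkgs.age}/bin/age --encrypt --armor --recipients-file ${builtins.toString ../../../../misc/public-keys} > "$tmpfile"; then
      mv "$tmpfile" "$encryptedfile"
    else
      rm -f "$tmpfile"
      echo "Failed to reencrypt ''${encryptedfile}; original left untouched." >&2
      exit 1
    fi
  done
  # … unchanged: final echo …
```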