moving around reencrypt secrets

2025-03-14 21:37:04 +00:00 · 2025-03-09 05:02:20 +00:00 · 2025-03-09 05:02:20 +00:00 · e90c6b1724
commit e90c6b1724
parent 2722a8bf61
4 changed files with 29 additions and 44 deletions
--- a/apps/loadkey.nix
+++ b/apps/loadkey.nix
@ -1,9 +0,0 @@
 { pkgs, ... }:
 {
  # TODO: just replace with packages instead of apps
  type = "app";
  program = "${pkgs.nmasur.loadkey}/bin/loadkey";
 }
--- a/apps/reencrypt-secrets.nix
+++ b/apps/reencrypt-secrets.nix
@ -1,27 +0,0 @@
 { pkgs, ... }:
 {
  # nix run github:nmasur/dotfiles#reencrypt-secrets ./private
  type = "app";
  program = builtins.toString (
    pkgs.writeShellScript "reencrypt-secrets" ''
      if [ $# -eq 0 ]; then
        echo "Must provide directory to reencrypt."
        exit 1
      fi
      encrypted=$1
      for encryptedfile in ''${1}/*; do
        tmpfile=$(mktemp)
        echo "Decrypting ''${encryptedfile}..."
        ${pkgs.age}/bin/age --decrypt \
          --identity ~/.ssh/id_ed25519 $encryptedfile > $tmpfile
        echo "Encrypting ''${encryptedfile}..."
        ${pkgs.age}/bin/age --encrypt --armor --recipients-file ${builtins.toString ../misc/public-keys} $tmpfile > $encryptedfile
        rm $tmpfile
      done
      echo "Finished."
    ''
  );
 }
--- a/flake.nix
+++ b/flake.nix
@ -447,14 +447,14 @@
      packages = mypackages;
-      # Programs that can be run by calling this flake
+      # # Programs that can be run by calling this flake
-      apps = forAllSystems (
+      # apps = forAllSystems (
-        system:
+      #   system:
-        let
+      #   let
-          pkgs = import nixpkgs { inherit system overlays; };
+      #     pkgs = import nixpkgs { inherit system overlays; };
-        in
+      #   in
-        import ./apps { inherit pkgs; }
+      #   import ./apps { inherit pkgs; }
-      );
+      # );
      # Development environments
      devShells = forAllSystems (
--- a/pkgs/tools/misc/reencrypt-secrets/package.nix
+++ b/pkgs/tools/misc/reencrypt-secrets/package.nix
@ -0,0 +1,21 @@
 { pkgs, ... }:
 # nix run github:nmasur/dotfiles#reencrypt-secrets ./private
 pkgs.writeShellScriptBin "reencrypt-secrets" ''
  if [ $# -eq 0 ]; then
    echo "Must provide directory to reencrypt."
    exit 1
  fi
  encrypted=$1
  find "''${1}" -type f -name "*.age" | while IFS= read -r encryptedfile; do
    tmpfile=$(mktemp)
    echo "Decrypting ''${encryptedfile}..."
    ${pkgs.age}/bin/age --decrypt \
      --identity ~/.ssh/id_ed25519 $encryptedfile > $tmpfile
    echo "Encrypting ''${encryptedfile}..."
    ${pkgs.age}/bin/age --encrypt --armor --recipients-file ${builtins.toString ../../../../misc/public-keys} $tmpfile > $encryptedfile
    rm $tmpfile
  done
  echo "Finished."
 ''