{ pkgs, ... }:
{

  # nix run github:nmasur/dotfiles#reencrypt-secrets ./private

  type = "app";

  program = builtins.toString (
    pkgs.writeShellScript "reencrypt-secrets" ''
      if [ $# -eq 0 ]; then
        echo "Must provide directory to reencrypt."
        exit 1
      fi
      encrypted=$1
      for encryptedfile in ''${1}/*; do
        tmpfile=$(mktemp)
        echo "Decrypting ''${encryptedfile}..."
        ${pkgs.age}/bin/age --decrypt \
          --identity ~/.ssh/id_ed25519 $encryptedfile > $tmpfile
        echo "Encrypting ''${encryptedfile}..."
        ${pkgs.age}/bin/age --encrypt --armor --recipients-file ${builtins.toString ../misc/public-keys} $tmpfile > $encryptedfile
        rm $tmpfile
      done
      echo "Finished."
    ''
  );
}