| author | Franck Cuny <franck@fcuny.net> | 2026-01-04 10:28:08 -0800 |
|---|---|---|
| committer | Franck Cuny <franck@fcuny.net> | 2026-01-04 10:28:08 -0800 |
| commit | 4203ba061587a127f4a16388591c401117d232c6 (patch) | |
| tree | f64e90c9b975c718397efa764a7935a4faead6c7 | |
| parent | move secrets to the hosts instead of profiles (diff) | |
| download | infra-4203ba061587a127f4a16388591c401117d232c6.tar.gz | |
some tweaks for age/passage configuration
| -rw-r--r-- | home/programs/age.nix | 37 |
1 files changed, 35 insertions, 2 deletions
diff --git a/home/programs/age.nix b/home/programs/age.nix
index e41d0d8..2e472ad 100644
--- a/home/programs/age.nix
+++ b/home/programs/age.nix
@@ -1,13 +1,46 @@
 { pkgs, config, ... }:
+let
+ # identities are stored outside of the store
+ passage_identity_dir = "${config.xdg.configHome}/passage";
+ passage_identities_file = "${passage_identity_dir}/identities";
+ passage_dir = "${config.xdg.dataHome}/passage/store";
+ passage_recipients_file = "${passage_dir}/.age-recipients";
+ passage-yubikey-update = pkgs.writeShellApplication {
+ name = "passage-yubikey-update";
+ runtimeInputs = with pkgs; [
+ age-plugin-yubikey
+ ];
+ text = ''
+ if ! [[ -d "${passage_dir}" ]]; then
+ echo >&2 "Error: ${passage_dir} must be created manually."
+ exit 1
+ fi
+
+ identitiesFile="${passage_identities_file}"
+ recipientsFile="${passage_recipients_file}"
+
+ mkdir -p "$(dirname "$identitiesFile")"
+ mkdir -p "$(dirname "$recipientsFile")"
+
+ age-plugin-yubikey --identity >> "$identitiesFile"
+ echo >&2 "Updated $identitiesFile"
+
+ age-plugin-yubikey --list >> "$recipientsFile"
+ echo >&2 "Updated $recipientsFile"
+ '';
+ };
+in
 {
 home.packages = with pkgs; [
 age
 age-plugin-yubikey
 passage
+ passage-yubikey-update
 ];
 
 home.sessionVariables = {
- "PASSAGE_DIR" = "${config.xdg.dataHome}/passage";
- "PASSAGE_IDENTITIES_FILE" = "${config.xdg.dataHome}/passage/identities";
+ PASSAGE_DIR = "${passage_dir}";
+ PASSAGE_RECIPIENTS_FILE = "${passage_dir}/.age-recipients";
+ PASSAGE_IDENTITIES_FILE = "${passage_identities_file}";
 };
 } |
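Review bot: Both `>>` redirects in `passage-yubikey-update` append unconditionally, so every rerun writes the same identity and recipient lines again, and nothing ever removes a key that has been retired from `.age-recipients`. That file decides who can decrypt each newly written entry, so the script should at least skip lines that are already present and leave removals as a deliberate manual step; entries written earlier stay encrypted to the old recipient set until they are re-encrypted. The identities directory and file are created under the caller's default umask; a `umask 077` ahead of the two `mkdir -p` calls would keep them private to the user. A smaller point in `home.sessionVariables`: `PASSAGE_RECIPIENTS_FILE` spells the path out again instead of reusing the `let` binding, and `PASSAGE_RECIPIENTS_FILE = passage_recipients_file;` would keep the script and the environment from drifting apart.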
