From 4203ba061587a127f4a16388591c401117d232c6 Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Sun, 4 Jan 2026 10:28:08 -0800
Subject: some tweaks for age/passage configuration

---
 home/programs/age.nix | 37 +++++++++++++++++++++++++++++++++++--
 1 file changed, 35 insertions(+), 2 deletions(-)

diff --git a/home/programs/age.nix b/home/programs/age.nix
index e41d0d8..2e472ad 100644
--- a/home/programs/age.nix
+++ b/home/programs/age.nix
@@ -1,13 +1,46 @@
 { pkgs, config, ... }:
+let
+ # identities are stored outside of the store
+ passage_identity_dir = "${config.xdg.configHome}/passage";
+ passage_identities_file = "${passage_identity_dir}/identities";
+ passage_dir = "${config.xdg.dataHome}/passage/store";
+ passage_recipients_file = "${passage_dir}/.age-recipients";
+ passage-yubikey-update = pkgs.writeShellApplication {
+ name = "passage-yubikey-update";
+ runtimeInputs = with pkgs; [
+ age-plugin-yubikey
+ ];
+ text = ''
+ if ! [[ -d "${passage_dir}" ]]; then
+ echo >&2 "Error: ${passage_dir} must be created manually."
+ exit 1
+ fi
+
+ identitiesFile="${passage_identities_file}"
+ recipientsFile="${passage_recipients_file}"
+
+ mkdir -p "$(dirname "$identitiesFile")"
+ mkdir -p "$(dirname "$recipientsFile")"
+
+ age-plugin-yubikey --identity >> "$identitiesFile"
+ echo >&2 "Updated $identitiesFile"
+
+ age-plugin-yubikey --list >> "$recipientsFile"
+ echo >&2 "Updated $recipientsFile"
+ '';
+ };
+in
 {
 home.packages = with pkgs; [
 age
 age-plugin-yubikey
 passage
+ passage-yubikey-update
 ];
 
 home.sessionVariables = {
- "PASSAGE_DIR" = "${config.xdg.dataHome}/passage";
- "PASSAGE_IDENTITIES_FILE" = "${config.xdg.dataHome}/passage/identities";
+ PASSAGE_DIR = "${passage_dir}";
+ PASSAGE_RECIPIENTS_FILE = "${passage_dir}/.age-recipients";
+ PASSAGE_IDENTITIES_FILE = "${passage_identities_file}";
 };
 }
-- 
cgit v1.2.3
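Review bot: Both `>>` redirections in `passage-yubikey-update` append unconditionally, so each re-run adds another copy of the identity and recipient lines, and whatever `age-plugin-yubikey --list` reports for the keys connected at that moment lands in `.age-recipients` unreviewed. Because the recipients file decides which keys can decrypt newly written entries, the script should skip lines that are already present (or write to a temporary file and replace the target) and print what it added. The identities directory is created under the default umask; a `umask 077` at the top of `text` would keep `$identitiesFile` private to the user, which matters if the file ever holds identities other than the hardware-key reference. The second `mkdir -p` looks like a no-op, since the guard above already requires `${passage_dir}` to exist. The session variable could also reuse the binding instead of repeating the literal: `PASSAGE_RECIPIENTS_FILE = passage_recipients_file;`.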