identityPaths doesn't act like list

[gergovari]

Setting age.identityPaths = [ "/etc/ssh/ssh_host_rsa_key" "/etc/nixos/keys/${config.networking.hostName}/id_rsa" ]; will give a warning that the first doesn't exist (at the moment, after boot it will) and I expected it to fallback to the second one. That doesn't happen and it fails to decrypt the secrets. Switching the order works but then if workaround path doesn't exist the same issue comes up.

[ryantm]

Needs str4d/rage#294 to be fixed.

[n8henrie]

@ryantm reviewing that issue, seems like this is more of a decision on the part of the rage team than something that wil be fixed.

Might there be a way to filter identities for paths that exist?

agenix/modules/age.nix

Line 57 in b7ffcfe

identities = builtins.concatStringsSep " " (map (path: "-i ${path}") cfg.identityPaths);

If so, it would be a nice improvement to the user experience (and perhaps ameliorate some issues with #45).

Happy to work on PR if you think this slight departure from rage behavior would be acceptable.

Perhaps could even have a user-facing flag that defaults to false: ignoreMissingIdentities?

[ryantm]

I think you're right. Let's work around it. I don't think we need an option!

[cole-h]

If you weren't already planning on it, I'd strongly suggest implementing the check as part of one of the scripts, rather than in Nix; paths may not be available at build / evaluation time, but may when the script runs.