From 1b06d9801b1379f139cf406f02b303ee105cd9d2 Mon Sep 17 00:00:00 2001
From: Nathan Henrie
Date: Wed, 22 Feb 2023 07:44:53 -0700
Subject: [PATCH 1/4] shellcheck --enable=all
---
 pkgs/agenix.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/agenix.nix b/pkgs/agenix.nix
index 648ccb9..fddf538 100644
--- a/pkgs/agenix.nix
+++ b/pkgs/agenix.nix
@@ -26,11 +26,11 @@ stdenv.mkDerivation rec {
 doCheck = true;
 checkInputs = [shellcheck];
 postCheck = ''
- shellcheck $src
+ shellcheck --enable=all "''${src}"
 '';
 installPhase = ''
- install -D $src ${placeholder "out"}/bin/agenix
+ install -D "''${src}" "${placeholder "out"}/bin/agenix"
 '';
 meta.description = "age-encrypted secrets for NixOS";
From e4f98874d77c469cdcd4241bb7c8987dd91816ff Mon Sep 17 00:00:00 2001
From: Nathan Henrie
Date: Wed, 22 Feb 2023 07:51:57 -0700
Subject: [PATCH 2/4] Apply shellcheck fixes
---
 pkgs/agenix.sh | 74 +++++++++++++++++++++++++-------------------------
 1 file changed, 37 insertions(+), 37 deletions(-)
diff --git a/pkgs/agenix.sh b/pkgs/agenix.sh
index c1e89c3..b37f49c 100644
--- a/pkgs/agenix.sh
+++ b/pkgs/agenix.sh
@@ -1,13 +1,13 @@
 #!/usr/bin/env bash
 set -Eeuo pipefail
-PACKAGE="agenix"
+PACKAGE=agenix
 function show_help () {
- echo "$PACKAGE - edit and rekey age secret files"
+ echo "${PACKAGE} - edit and rekey age secret files"
 echo " "
- echo "$PACKAGE -e FILE [-i PRIVATE_KEY]"
- echo "$PACKAGE -r [-i PRIVATE_KEY]"
+ echo "${PACKAGE} -e FILE [-i PRIVATE_KEY]"
+ echo "${PACKAGE} -r [-i PRIVATE_KEY]"
 echo ' '
 echo 'options:'
 echo '-h, --help show help'
@@ -91,85 +91,85 @@ done
 RULES=${RULES:-./secrets.nix}
 function cleanup {
- if [ -n "${CLEARTEXT_DIR+x}" ]
+ if [[ -n "${CLEARTEXT_DIR+x}" ]]
 then
- rm -rf "$CLEARTEXT_DIR"
+ rm -rf "${CLEARTEXT_DIR}"
 fi
- if [ -n "${REENCRYPTED_DIR+x}" ]
+ if [[ -n "${REENCRYPTED_DIR+x}" ]]
 then
- rm -rf "$REENCRYPTED_DIR"
+ rm -rf "${REENCRYPTED_DIR}"
 fi
 }
 trap "cleanup" 0 2 3 15
 function edit {
 FILE=$1
- KEYS=$( (@nixInstantiate@ --eval -E "(let rules = import $RULES; in builtins.concatStringsSep \"\n\" rules.\"$FILE\".publicKeys)" | @sedBin@ 's/"//g' | @sedBin@ 's/\\n/\n/g') | @sedBin@ '/^$/d' || exit 1)
+ KEYS=$( (@nixInstantiate@ --eval -E "(let rules = import ${RULES}; in builtins.concatStringsSep \"\n\" rules.\"${FILE}\".publicKeys)" | @sedBin@ 's/"//g' | @sedBin@ 's/\\n/\n/g') | @sedBin@ '/^$/d' || exit 1)
- if [ -z "$KEYS" ]
+ if [[ -z "${KEYS}" ]]
 then
- err "There is no rule for $FILE in $RULES."
+ err "There is no rule for ${FILE} in ${RULES}."
 fi
 CLEARTEXT_DIR=$(@mktempBin@ -d)
- CLEARTEXT_FILE="$CLEARTEXT_DIR/$(basename "$FILE")"
+ CLEARTEXT_FILE=${CLEARTEXT_DIR}/$(basename "${FILE}")
- if [ -f "$FILE" ]
+ if [[ -f "${FILE}" ]]
 then
 DECRYPT=("${DEFAULT_DECRYPT[@]}")
 if [[ "${DECRYPT[*]}" != *"--identity"* ]]; then
- if [ -f "$HOME/.ssh/id_rsa" ]; then
- DECRYPT+=(--identity "$HOME/.ssh/id_rsa")
+ if [[ -f "${HOME}/.ssh/id_rsa" ]]; then
+ DECRYPT+=(--identity "${HOME}/.ssh/id_rsa")
 fi
- if [ -f "$HOME/.ssh/id_ed25519" ]; then
- DECRYPT+=(--identity "$HOME/.ssh/id_ed25519")
+ if [[ -f "${HOME}/.ssh/id_ed25519" ]]; then
+ DECRYPT+=(--identity "${HOME}/.ssh/id_ed25519")
 fi
 fi
 if [[ "${DECRYPT[*]}" != *"--identity"* ]]; then
- err "No identity found to decrypt $FILE. Try adding an SSH key at $HOME/.ssh/id_rsa or $HOME/.ssh/id_ed25519 or using the --identity flag to specify a file."
+ err "No identity found to decrypt ${FILE}. Try adding an SSH key at ${HOME}/.ssh/id_rsa or ${HOME}/.ssh/id_ed25519 or using the --identity flag to specify a file."
 fi
- DECRYPT+=(-o "$CLEARTEXT_FILE" "$FILE")
+ DECRYPT+=(-o "${CLEARTEXT_FILE}" "${FILE}")
 @ageBin@ "${DECRYPT[@]}" || exit 1
- cp "$CLEARTEXT_FILE" "$CLEARTEXT_FILE.before"
+ cp "${CLEARTEXT_FILE}" "${CLEARTEXT_FILE}.before"
 fi
- [ -t 0 ] || EDITOR='cp /dev/stdin'
+ [[ -t 0 ]] || EDITOR='cp /dev/stdin'
- $EDITOR "$CLEARTEXT_FILE"
+ "${EDITOR}" "${CLEARTEXT_FILE}"
- if [ ! -f "$CLEARTEXT_FILE" ]
+ if [[ ! -f "${CLEARTEXT_FILE}" ]]
 then
- warn "$FILE wasn't created."
+ warn "${FILE} wasn't created."
 return
 fi
- [ -f "$FILE" ] && [ "$EDITOR" != ":" ] && @diffBin@ -q "$CLEARTEXT_FILE.before" "$CLEARTEXT_FILE" && warn "$FILE wasn't changed, skipping re-encryption." && return
+ [[ -f "${FILE}" ]] && [[ "${EDITOR}" != ":" ]] && @diffBin@ -q "${CLEARTEXT_FILE}.before" "${CLEARTEXT_FILE}" && warn "${FILE} wasn't changed, skipping re-encryption." && return
 ENCRYPT=()
 while IFS= read -r key
 do
- ENCRYPT+=(--recipient "$key")
- done <<< "$KEYS"
+ ENCRYPT+=(--recipient "${key}")
+ done <<< "${KEYS}"
 REENCRYPTED_DIR=$(@mktempBin@ -d)
- REENCRYPTED_FILE="$REENCRYPTED_DIR/$(basename "$FILE")"
+ REENCRYPTED_FILE=${REENCRYPTED_DIR}/$(basename "${FILE}")
- ENCRYPT+=(-o "$REENCRYPTED_FILE")
+ ENCRYPT+=(-o "${REENCRYPTED_FILE}")
- @ageBin@ "${ENCRYPT[@]}" <"$CLEARTEXT_FILE" || exit 1
+ @ageBin@ "${ENCRYPT[@]}" <"${CLEARTEXT_FILE}" || exit 1
- mv -f "$REENCRYPTED_FILE" "$1"
+ mv -f "${REENCRYPTED_FILE}" "$1"
 }
 function rekey {
- FILES=$( (@nixInstantiate@ --eval -E "(let rules = import $RULES; in builtins.concatStringsSep \"\n\" (builtins.attrNames rules))" | @sedBin@ 's/"//g' | @sedBin@ 's/\\n/\n/g') || exit 1)
+ FILES=$( (@nixInstantiate@ --eval -E "(let rules = import ${RULES}; in builtins.concatStringsSep \"\n\" (builtins.attrNames rules))" | @sedBin@ 's/"//g' | @sedBin@ 's/\\n/\n/g') || exit 1)
- for FILE in $FILES
+ for FILE in ${FILES}
 do
- warn "rekeying $FILE..."
- EDITOR=: edit "$FILE"
+ warn "rekeying ${FILE}..."
+ EDITOR=: edit "${FILE}"
 cleanup
 done
 }
-[ $REKEY -eq 1 ] && rekey && exit 0
-edit "$FILE" && cleanup && exit 0
+[[ ${REKEY} -eq 1 ]] && rekey && exit 0
+edit "${FILE}" && cleanup && exit 0
From fd951d0451f9b425489bacb5abc7cccc5f94b95c Mon Sep 17 00:00:00 2001
From: Nathan Henrie
Date: Wed, 22 Feb 2023 08:01:36 -0700
Subject: [PATCH 3/4] Force ignore user rc files
---
 pkgs/agenix.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkgs/agenix.nix b/pkgs/agenix.nix
index fddf538..ed83281 100644
--- a/pkgs/agenix.nix
+++ b/pkgs/agenix.nix
@@ -26,7 +26,7 @@ stdenv.mkDerivation rec {
 doCheck = true;
 checkInputs = [shellcheck];
 postCheck = ''
- shellcheck --enable=all "''${src}"
+ shellcheck --norc --enable=all "''${src}"
 '';
 installPhase = ''
From 7d2200d00d4b8d4dce4361d8fc71db43972cabf5 Mon Sep 17 00:00:00 2001
From: Nathan Henrie
Date: Wed, 22 Feb 2023 08:10:53 -0700
Subject: [PATCH 4/4] Fix shellcheck warning about commands in subshells
---
 pkgs/agenix.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkgs/agenix.sh b/pkgs/agenix.sh
index b37f49c..6b643f6 100644
--- a/pkgs/agenix.sh
+++ b/pkgs/agenix.sh
@@ -30,7 +30,7 @@ function show_help () {
 echo ' '
 echo "agenix version: @version@"
 echo "age binary path: @ageBin@"
- echo "age version: $(@ageBin@ --version)"
+ echo "age version: $(@ageBin@ --version || true)"
 }
 function warn() {
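Review bot: Quoting `"${EDITOR}" "${CLEARTEXT_FILE}"` in edit breaks the non-interactive path a few lines above it, where the script itself sets `EDITOR='cp /dev/stdin'` and relies on word-splitting to run `cp` with an argument; with the quotes bash looks for a single command literally named `cp /dev/stdin`, and any user value that carries flags (an editor launched with `--wait`, say) fails the same way. Keep that one expansion unquoted and record why for the linter, `# shellcheck disable=SC2086 -- EDITOR may carry arguments, e.g. 'cp /dev/stdin'` above `$EDITOR "${CLEARTEXT_FILE}"`, or split it explicitly with `read -ra editor_cmd <<< "${EDITOR}"` and run `"${editor_cmd[@]}" "${CLEARTEXT_FILE}"`. In rekey, `for FILE in ${FILES}` still word-splits and globs the rule names, so a name containing a space or `*` is mangled before it reaches edit; the `while IFS= read -r` loop that edit already uses for KEYS fits here as well. Separately, the rule name is still spliced into the Nix expression text handed to `--eval -E` in both functions, so a name containing a double quote or `${` is parsed as Nix rather than looked up; passing it with `--argstr` and reading it as a function argument keeps it as data.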
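Review bot: `$(@ageBin@ --version || true)` leaves the help line reading `age version: ` with nothing after it when the binary cannot run, which hides exactly the misconfiguration the adjacent `age binary path` line exists to diagnose. Printing a marker keeps the same lint-clean shape while staying informative, `echo "age version: $(@ageBin@ --version || echo unknown)"`. show_help starts outside the hunk.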