age whole-file preprocessor — decrypts `*.age` files at deploy time.

Matches files ending in `.age`, runs `age --decrypt --identity <id_path> <source>`, and emits the plaintext as an `ExpandedFile` with `deploy_mode = Some(0o600)` so the pipeline chmods the rendered datastore file before the symlink lands in the user’s home. No template expansion happens — this is a pure decrypt-and-emit operation.
Reference flow (from secrets.lex §4.2):
1. Scan finds `ssh/id_ed25519.age`
2. AgePreprocessor strips `.age` → expanded filename `id_ed25519`
3. expand() shells out to age, captures plaintext
4. Pipeline writes the bytes to the datastore + chmods 0600
5. Symlink handler links it to `~/.ssh/id_ed25519`

age reads its identity from the path passed via `--identity`. When the config doesn’t set one explicitly, we fall back to the `$AGE_IDENTITY` env var, then to `~/.config/age/identity.txt` (the conventional default the age docs use). When none of those exist, the preprocessor still attempts the call — age itself emits a clear “no identity” error which we forward verbatim.
See secrets.lex §4.1–§4.3 (supported formats, deployment flow,
mode 0600 enforcement) and preprocessing-pipeline.lex §2.3
(Opaque transform semantics).
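The identity fallback chain, the `.age` suffix stripping and the decrypt-and-emit step above, as an added example that is not this crate's own code. The `ExpandedFile` fields beyond `deploy_mode`, the `CommandRunner` trait shape and the `expand` signature are assumptions; the env var is passed in by the caller so the logic stays testable without touching the process environment.

```rust
use std::path::{Path, PathBuf};

/// Assumed shape of the output record; the page only names the type
/// and its `deploy_mode` field, the rest is this example's.
#[derive(Debug, PartialEq)]
pub struct ExpandedFile {
    pub name: String,
    pub contents: Vec<u8>,
    pub deploy_mode: Option<u32>,
}

/// Assumed shape of the shared `CommandRunner`: stdout on success,
/// the tool's own error text (forwarded verbatim) on failure.
pub trait CommandRunner {
    fn run(&self, argv: &[String]) -> Result<Vec<u8>, String>;
}

/// Lookup order from the description: explicit config, then $AGE_IDENTITY,
/// then ~/.config/age/identity.txt. The last path is returned even when the
/// file is absent so that age itself reports the missing identity.
pub fn resolve_identity(configured: Option<&str>, env_identity: Option<&str>, home: &Path) -> PathBuf {
    configured
        .or(env_identity)
        .map(PathBuf::from)
        .unwrap_or_else(|| home.join(".config/age/identity.txt"))
}

/// Only `*.age` files match; the expanded name is the source minus `.age`.
pub fn expanded_name(source: &str) -> Option<String> {
    source.strip_suffix(".age").filter(|s| !s.is_empty()).map(str::to_string)
}

/// The exact argv the description documents.
pub fn decrypt_argv(identity: &Path, source: &Path) -> Vec<String> {
    vec![
        "age".to_string(),
        "--decrypt".to_string(),
        "--identity".to_string(),
        identity.display().to_string(),
        source.display().to_string(),
    ]
}

/// Pure decrypt-and-emit: no template expansion, mode 0600 on the result.
pub fn expand(runner: &dyn CommandRunner, identity: &Path, source: &str) -> Result<ExpandedFile, String> {
    let name = expanded_name(source).ok_or_else(|| format!("{}: not an .age file", source))?;
    let contents = runner.run(&decrypt_argv(identity, Path::new(source)))?;
    Ok(ExpandedFile { name, contents, deploy_mode: Some(0o600) })
}
```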
Structs

- AgePreprocessor
  age decryption preprocessor. Constructed from `[preprocessor.age]` config + the shared `CommandRunner`.