secrets: add mreow + yarn TPM recipients, re-encrypt desktop secrets

modules/desktop-age-secrets.nix

@@ -4,9 +4,9 @@
   ...
 }:
 let
-  # rage cannot invoke age-plugin-tpm unless the plugin binary is on PATH at
-  # activation time. Wrap rage so the activation scripts (and anything else
-  # that picks up `age.ageBin`) get age-plugin-tpm for free.
+  # Wrap rage so age-plugin-tpm is on PATH at activation time.
+  # Both mreow and yarn use age1tpm1… recipients (legacy P-256 encoding),
+  # which age-plugin-tpm handles under its own name.
   rageWithTpm = pkgs.writeShellScriptBin "rage" ''
     export PATH="${pkgs.age-plugin-tpm}/bin:$PATH"
     exec ${pkgs.rage}/bin/rage "$@"

scripts/bootstrap-desktop-tpm.sh

@@ -2,23 +2,16 @@
 # Bootstrap the age-plugin-tpm identity for a desktop host (mreow / yarn).
 #
 # Produces a TPM-sealed age identity at /var/lib/agenix/tpm-identity and
-# prints the legacy `age1tpm1…` recipient. The identity file is a TPM
-# handle, not key material — the actual key never leaves the TPM.
-#
-# --tpm-recipient is required: nixpkgs only ships `age-plugin-tpm`, not the
-# `age-plugin-tag` binary that rage looks up when it sees the new p256tag
-# `age1tag1…` format. Until a packaged age-plugin-tag lands, every recipient
-# stays in the legacy form so encryption works with off-the-shelf nixpkgs.
+# prints the recipient string to add to secrets/secrets.nix.
 #
 # Usage:
 #   doas scripts/bootstrap-desktop-tpm.sh
 #
 # After running:
-#   1. Append the printed recipient to `tpm` in secrets/secrets.nix:
-#        "age1tpm1… <hostname>"
-#   2. `agenix -r` (from a shell with age-plugin-tpm on PATH) to re-encrypt
-#      every desktop secret with the new recipient list.
-#   3. Commit + `./deploy.sh switch`.
+#   1. Append the printed recipient to the `tpm` list in secrets/secrets.nix.
+#   2. Re-encrypt: nix-shell -p age-plugin-tpm rage --run \
+#        'agenix -r -i ~/.ssh/id_ed25519'
+#   3. Commit + ./deploy.sh switch.
 
 set -euo pipefail
 
@@ -36,23 +29,16 @@ if [[ -f "$id_file" ]]; then
   echo "existing identity found at $id_file — preserving"
 else
   echo "generating TPM-sealed age identity..."
-  nix run nixpkgs#age-plugin-tpm -- --generate --tpm-recipient --output "$id_file"
+  nix-shell -p age-plugin-tpm --run "age-plugin-tpm --generate -o $id_file"
   chmod 0400 "$id_file"
   chown root:root "$id_file"
 fi
 
-# Always derive the legacy age1tpm1… recipient, even if the identity file
-# was generated with the newer p256tag comment (Recipient line starts with
-# age1tag1…). `--convert --tpm-recipient` uses the same TPM object and just
-# serializes the public key point in the old format.
-recipient=$(nix run nixpkgs#age-plugin-tpm -- --convert --tpm-recipient < "$id_file" 2>/dev/null | grep -o 'age1tpm1[0-9a-z]*' | head -n1)
+# Read the recipient directly from the identity file header — no TPM
+# round-trip needed, no nix run, no set -e hazards.
+recipient=$(grep '^# Recipient:' "$id_file" | awk '{print $3}')
 if [[ -z "$recipient" ]]; then
-  # fallback to parsing the header comment (only works when the identity was
-  # already generated with --tpm-recipient).
-  recipient=$(grep '^# Recipient:' "$id_file" | awk '{print $3}')
-fi
-if [[ -z "$recipient" ]]; then
-  echo "failed to derive recipient for $id_file" >&2
+  echo "failed to read recipient from $id_file" >&2
   exit 1
 fi
 
@@ -62,7 +48,7 @@ recipient for $host:
   "$recipient $host"
 
 next steps (run on a workstation with git-crypt unlocked):
-  1. edit secrets/secrets.nix and append the line above inside the \`tpm\` list.
-  2. nix run nixpkgs#agenix -- -r   # re-encrypts every .age file.
+  1. edit secrets/secrets.nix and add the line above to the \`tpm\` list.
+  2. re-encrypt: nix-shell -p age-plugin-tpm rage --run 'agenix -r -i ~/.ssh/id_ed25519'
   3. git commit + ./deploy.sh switch
 EOF