feat: cache decrypted repository "secrets"

This commit is contained in:
oddlama 2023-03-15 16:10:20 +01:00
parent 3111408f7d
commit 8947434a1e
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
2 changed files with 37 additions and 1 deletions


@ -22,8 +22,11 @@
in
lenContent >= lenSuffix && builtins.substring (lenContent - lenSuffix) lenContent content == suffix;
in {
# Instead of calling rage directly here, we call a wrapper script that will cache the output
# in a predictable path in /tmp, which allows us to only require the password for each encrypted
# file once.
rageImportEncrypted = identities: nixFile:
assert assertMsg (builtins.isPath nixFile) "The file to decrypt must be given as a path to prevent impurity.";
assert assertMsg (hasSuffix ".nix.age" nixFile) "The content of the decrypted file must be a nix expression and should therefore end in .nix.age";
exec (["rage" "-d"] ++ (builtins.concatMap (x: ["-i" x]) identities) ++ [nixFile]);
exec ([./rage-decrypt.sh nixFile] ++ identities);
}
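Review bot: The comment added above `rageImportEncrypted` says the wrapper caches the decrypted output "in a predictable path in /tmp" but does not say who can read that cache, and the cache holds plaintext secrets, so the exposure (other local users on a shared /tmp, a pre-existing file or symlink at the predictable name, persistence after the evaluation finishes) should be stated here where callers will see it. The wrapper itself is in the other changed file and not visible in this hunk, so I cannot confirm how it creates the file; I would extend the comment with `# NOTE: the cache holds plaintext secrets; rage-decrypt.sh is expected to create it with mode 0600 in a per-user directory (e.g. $XDG_RUNTIME_DIR) rather than rely on /tmp's sticky bit, and to refuse a pre-existing path.` It would also help to document that the cache is keyed on `nixFile` only, so editing the encrypted file does not invalidate it unless the wrapper includes content or mtime in the key — confirm against rage-decrypt.sh. The enclosing `let … in` expression begins outside the hunk.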