oddlama/agenix-rekey

The "unencrypted identity" warning is triggered when it shouldn't be

Closed this issue · 1 comments

The warning at

optional (!all hasGoodSuffix config.age.rekey.masterIdentities) ''
At least one of your rekey.masterIdentities references an unencrypted age identity in your nix store!

gets triggered, AFAICT, in any case where some master identity path does not end with .pub or .age, even when it's specified as a string referencing something outside the nix store (which is, mind, an option endorsed by the warning itself).

I'm not a Nix expert by a long shot, but I don't think anything's copied to the nix store if I have something like, e.g., age.rekey.masterIdentities = [ "/home/user/.ssh/id_ed25519" ];?

Perhaps consider checking builtins.isPath in

hasGoodSuffix = x: (hasSuffix ".age" x || hasSuffix ".pub" x);

?

Yes, you're right, this shouldn't occur in that case. Probably an oversight of mine because most users are using keygrabs. Generally it's okay to refer to a path outside your nix flake via a string, but not via an (impure) nix path. So using isString should indeed solve that; I'll add that right now.
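The distinction discussed above (a string is a reference that stays outside the store, a path literal gets copied into the world-readable store when interpolated) as an added, self-contained example; this is not agenix-rekey's own code, and the identity values are constructed placeholders. It uses only builtins, so it can be evaluated with `nix eval --expr 'import ./check.nix'` (file name assumed):

```nix
# Added example: a masterIdentities predicate that only warns for Nix path
# literals lacking an encrypted (.age) or public-key (.pub) suffix.
let
  # Suffix test on a string; implemented with builtins so no <nixpkgs> is needed.
  hasSuffix = suf: s:
    let n = builtins.stringLength s; m = builtins.stringLength suf;
    in n >= m && builtins.substring (n - m) m s == suf;

  # toString on a path yields its absolute path *without* copying it to the store.
  hasGoodSuffix = x: hasSuffix ".age" (toString x) || hasSuffix ".pub" (toString x);

  # A string (e.g. "/home/user/.ssh/id_ed25519") is never copied into the store,
  # so it needs no suffix check. A path literal (./id_ed25519) would be copied
  # into the store on interpolation, so it is only acceptable when it points to
  # an encrypted identity or a public key.
  identityIsSafe = x:
    builtins.isString x || (builtins.isPath x && hasGoodSuffix x);

  # Constructed sample values (hypothetical); the last one is an unencrypted
  # path literal and is the only entry that should trigger the warning.
  masterIdentities = [
    "/home/user/.ssh/id_ed25519"
    ./secrets/master.age
    ./master.pub
    ./id_ed25519
  ];

  warnings =
    if builtins.all identityIsSafe masterIdentities then [ ]
    else [ "At least one of your rekey.masterIdentities references an unencrypted age identity in your nix store!" ];
in
{
  inherit warnings;
  perIdentity = map (x: { value = toString x; safe = identityIsSafe x; }) masterIdentities;
}
```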