Modules: Add agenix module

.gitignore

@@ -10,3 +10,4 @@ result
 config/neovim/store
 home/modules/ags/config/types
 home/modules/ags/config/tsconfig.json
+home/modules/agenix/secrets.nix

home/modules/agenix/default.nix

@@ -0,0 +1,50 @@
+{
+  config,
+  nixosConfig,
+  lib,
+  mylib,
+  pkgs,
+  username,
+  publicKeys,
+  ...
+}: let
+  inherit (config.modules) agenix;
+in {
+  options.modules.agenix = import ./options.nix {inherit lib mylib;};
+
+  config = {
+    # The user will be able to decrypt .age files using agenix.
+    # On each user/machine, this should generate a corresponding secrets.nix
+    home.file."${config.paths.nixflake}/home/modules/agenix/secrets.nix".text = let
+      mkSecret = key: name: "\"${name}.age\".publicKeys = [\"${key}\"];";
+    in ''
+      # NOTE: This file will contain keys depending on the host/by which user it was built on.
+      {
+        ${lib.optionalString
+        # If this user defined any secrets...
+        (builtins.hasAttr "${username}" agenix.secrets)
+        # ...we will add them to the current secrets.nix,
+        # s.t. agenix can be used to encrypt the secret.
+        (builtins.concatStringsSep "\n"
+          (builtins.map
+            (mkSecret publicKeys.${username}.ssh)
+            agenix.secrets.${username}))}
+      }
+    '';
+
+    age.secrets = let
+      mkSecretIfExists = name:
+      # If this user has already encrypted the secret...
+        if builtins.pathExists ./${name}.age
+        # ...we will register it with age...
+        then {${name}.file = ./${name}.age;}
+        # ...otherwise we link to a bogus file.
+        else {${name}.file = ./void.age;};
+    in
+      lib.mkIf
+      # If this user defined any secrets...
+      (builtins.hasAttr "${username}" agenix.secrets)
+      # ...we will register all secrets files that have already been generated.
+      (lib.mkMerge (builtins.map mkSecretIfExists agenix.secrets.${username}));
+  };
+}

home/modules/agenix/options.nix

@@ -0,0 +1,33 @@
+{
+  lib,
+  mylib,
+  ...
+}: let
+  mkSecret = file:
+    lib.mkOption {
+      type = lib.types.path;
+      default = file;
+    };
+in {
+  secrets = lib.mkOption {
+    type = lib.types.attrs;
+    description = "The secret files managed by agenix (and their associated keys)";
+    example = ''
+      {
+        christoph = [
+          "heidi-discord-token"
+          "kopia-password"
+          "kopia-server-username"
+          "kopia-server-password"
+        ];
+      }
+    '';
+
+    default = {};
+  };
+
+  heidi-discord-token = mkSecret ./heidi-discord-token.age;
+  kopia-user-password = mkSecret ./kopia-user-password.age;
+  kopia-server-user = mkSecret ./kopia-server-user.age;
+  kopia-server-password = mkSecret ./kopia-server-password.age;
+}

home/modules/agenix/void.age

@@ -0,0 +1 @@
+This secret has not been generated.

home/modules/default.nix

@@ -3,6 +3,7 @@
     # Obsolete modules are kept in "1_deprecated" for reference.
 
     # My own HM modules
+    ./agenix
     ./beets
     ./chromium
     ./color
@@ -26,6 +27,7 @@
     # HM modules imported from the flake inputs
     inputs.nix-flatpak.homeManagerModules.nix-flatpak
     inputs.nixvim.homeManagerModules.nixvim
+    inputs.agenix.homeManagerModules.default
     # inputs.ags.homeManagerModules.default
     # inputs.spicetify-nix.homeManagerModules.default
   ];