nix/modules/agenix.nix

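# modules/agenix.nix -- declare this host's agenix (age-encrypted) secrets
#
# Only encrypted *.age files are referenced from here. Every attribute name in
# hosts/<hostName>/secrets/secrets.nix becomes one `age.secrets` entry, keyed
# by that name with the ".age" suffix removed. Plaintext secrets must never be
# placed under secretsDir, because anything referenced from the configuration
# can end up in the Nix store.
{
  options,
  config,
  inputs,
  lib,
  pkgs,
  ...
}:
with builtins;
with lib;
# with lib.my;
let
  inherit (inputs) agenix;
  # toString turns the path into a plain string instead of letting the
  # interpolation import the whole hosts directory into the store.
  secretsDir = "${toString ../hosts}/${config.networking.hostName}/secrets";
  secretsFile = "${secretsDir}/secrets.nix";
in {
  imports = [agenix.nixosModules.age];
  # The agenix CLI is hard-coded to the x86_64-linux build; a host on another
  # platform needs the matching attribute of the flake input.
  environment.systemPackages = [agenix.defaultPackage.x86_64-linux];
  age = {
    secrets =
      # A host without a secrets.nix simply declares no secrets.
      if pathExists secretsFile
      then
        # Only the attribute names of secrets.nix are used; its values
        # (the `_` argument) are ignored by this module.
        mapAttrs' (n: _:
          nameValuePair (removeSuffix ".age" n) {
            # Entries are resolved directly under secretsDir, next to
            # secrets.nix. No `dir` is bound in this module, so the former
            # "${dir}" path segment could not be evaluated.
            # Only `file` is set, so owner/group/mode come from the agenix
            # module defaults -- NOTE(review): confirm those defaults are
            # restrictive enough for every secret listed.
            file = "${secretsDir}/${n}";
          }) (import secretsFile)
      else {};
    # Decrypt with the identity paths the agenix module declares as its
    # default; no additional per-user keys are added here.
    identityPaths = options.age.identityPaths.default;
  };
}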