feat(secrets): agenix init

nixos/modules/base/nix/default.nix

@@ -18,6 +18,7 @@ in
         git
         deadnix
         statix
+        inputs.agenix.packages.${system}.default
       ];
       defaultPackages = [];
       etc = {

nixos/modules/base/secrets.nix

@@ -0,0 +1,24 @@
+{ config, lib, self, ... }:
+
+let
+  inherit (lib) mkIf;
+
+  host = config.ooknet.host;
+  admin = host.admin;
+  tailscale = host.networking.tailscale;
+in
+
+{
+  age.identityPaths = [
+    "/home/${admin.name}/.ssh/id_ed25519"
+  ];
+
+  age.secrets = {
+    tailscale-auth = mkIf tailscale.enable {
+      file = "${self}/secrets/tailscale-auth.age";
+      owner = "${admin.name}";
+      group = "users";
+      mode = "400";
+    };
+  };
+}