agenix

modules/home/agenix.nix

@@ -0,0 +1,16 @@
+{ flake, config, ... }:
+let
+  inherit (flake.inputs) agenix;
+in
+{
+  imports = [
+    agenix.homeManagerModules.default
+  ];
+
+  # We use a separate SSH key for agenix decryption to avoid exposing the main
+  # private key (which is in 1Password) to the filesystem.
+  #
+  # To provision this key once:
+  #   ssh-keygen -t ed25519 -f ~/.ssh/agenix
+  age.identityPaths = [ "${config.home.homeDirectory}/.ssh/agenix" ];
+}

modules/home/default.nix

@@ -12,5 +12,6 @@
     # ./cli/zellij.nix
     ./cli/just.nix
     ./services/ttyd.nix
+    ./agenix.nix
   ];
 }

modules/home/work/juspay.nix

@@ -7,12 +7,11 @@
 { flake, config, ... }:
 let
   inherit (flake) self;
-  inherit (flake.inputs) jumphost-nix agenix;
+  inherit (flake.inputs) jumphost-nix;
 in
 {
   imports = [
     "${jumphost-nix}/module.nix"
-    agenix.homeManagerModules.default
   ];
 
   # https://github.com/srid/jumphost-nix
@@ -41,7 +40,6 @@ in
     # ANTHROPIC_API_KEY set in initExtra via agenix (see below)
   };
   age = {
-    identityPaths = [ "${config.home.homeDirectory}/.ssh/agenix" ];
     secrets = {
       juspay-anthropic-api-key.file = self + /secrets/juspay-anthropic-api-key.age;
     };