Add agenix secrets management

Phase 3: Encrypted secrets

- Add secrets module with agenix integration
- Create secrets/secrets.nix template for key definitions
- Installer generates SSH key if missing
- Installer creates personalized secrets.nix with user's key
- Full documentation in docs/SECRETS.md

Features:
- Secrets encrypted with age using SSH keys
- Decrypted automatically at system activation
- Safe to commit .age files to git
- Support for WiFi passwords, API keys, service credentials

Usage:
  agenix -e secrets/my-secret.age
  age.secrets.my-secret.file = ./secrets/my-secret.age;

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

modules/default.nix

@@ -6,5 +6,6 @@
     ./services
     ./programs
     ./performance
+    ./secrets
   ];
 }

modules/secrets/default.nix

@@ -0,0 +1,42 @@
+# Secrets management with agenix
+# Secrets are encrypted with age and decrypted at system activation
+{
+  config,
+  lib,
+  pkgs,
+  inputs,
+  nomarchyConfig,
+  ...
+}: let
+  # Check if secrets directory exists and has secrets
+  secretsPath = ../../secrets;
+  hasSecrets = builtins.pathExists secretsPath;
+in {
+  # Import agenix module
+  imports = lib.optionals hasSecrets [
+    inputs.agenix.nixosModules.default
+  ];
+
+  config = lib.mkIf hasSecrets {
+    # Install agenix CLI for managing secrets
+    environment.systemPackages = [
+      inputs.agenix.packages.${pkgs.system}.default
+    ];
+
+    # Configure age to use SSH host keys for decryption
+    age.identityPaths = [
+      "/etc/ssh/ssh_host_ed25519_key"
+      "/etc/ssh/ssh_host_rsa_key"
+    ];
+
+    # Example secrets configuration (users override in their config)
+    # age.secrets = {
+    #   wifi-password = {
+    #     file = ../../secrets/wifi-password.age;
+    #     owner = "root";
+    #     group = "root";
+    #     mode = "0400";
+    #   };
+    # };
+  };
+}