Add agenix secrets management

Phase 3: Encrypted secrets

- Add secrets module with agenix integration
- Create secrets/secrets.nix template for key definitions
- Installer generates SSH key if missing
- Installer creates personalized secrets.nix with user's key
- Full documentation in docs/SECRETS.md

Features:
- Secrets encrypted with age using SSH keys
- Decrypted automatically at system activation
- Safe to commit .age files to git
- Support for WiFi passwords, API keys, service credentials

Usage:
  agenix -e secrets/my-secret.age
  age.secrets.my-secret.file = ./secrets/my-secret.age;

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

secrets/secrets.nix

@@ -0,0 +1,41 @@
+# Secrets configuration for agenix
+#
+# This file defines which public keys can decrypt each secret.
+# Secrets are encrypted with `agenix -e <secret>.age`
+#
+# To set up:
+# 1. Get your user's SSH public key: cat ~/.ssh/id_ed25519.pub
+# 2. Get the host's SSH public key: ssh-keyscan localhost 2>/dev/null | grep ed25519
+# 3. Add keys below and run: agenix -e <secret>.age
+
+let
+  # User SSH public keys (for encrypting secrets on your machine)
+  # Example: user = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... user@host";
+
+  # Host SSH public keys (for decrypting on target machines)
+  # Get with: ssh-keyscan <hostname> | grep ed25519
+  # Example: host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA...";
+
+  # Define your keys here:
+  # user = "ssh-ed25519 AAAAC3...";
+  # host = "ssh-ed25519 AAAAC3...";
+
+  # For testing/example, use an empty list (secrets won't be encryptable)
+  allKeys = [
+    # user
+    # host
+  ];
+in {
+  # Example secrets - uncomment and add keys above to use:
+
+  # WiFi password for specific network
+  # "wifi-home.age".publicKeys = allKeys;
+
+  # API keys
+  # "github-token.age".publicKeys = allKeys;
+  # "openai-api-key.age".publicKeys = allKeys;
+
+  # Application secrets
+  # "syncthing-key.age".publicKeys = allKeys;
+  # "mullvad-account.age".publicKeys = allKeys;
+}