cluster/lib: inject secrets into agenix modules

cluster/lib/services.nix

@@ -2,10 +2,21 @@
 with lib;
 
 let
-  getHostConfigurations = hostName: svcConfig:
-    lib.mapAttrsToList (groupName: _: svcConfig.nixos.${groupName})
-    (lib.filterAttrs (_: lib.elem hostName) svcConfig.nodes);
+  getHostConfigurations = hostName: svcName: svcConfig: let
+    serviceConfigs =
+      lib.mapAttrsToList (groupName: _: svcConfig.nixos.${groupName})
+      (lib.filterAttrs (_: lib.elem hostName) svcConfig.nodes);
 
+    secretsConfig.age.secrets = lib.mapAttrs' (secretName: secretConfig: {
+      name = "cluster-${svcName}-${secretName}";
+      value = {
+        inherit (secretConfig) path mode owner group;
+        file = ../secrets/${svcName}-${secretName}${lib.optionalString (!secretConfig.shared) "-${hostName}"}.age;
+      };
+    }) (lib.filterAttrs (_: secret: lib.any (node: node == hostName) secret.nodes) svcConfig.secrets);
+  in serviceConfigs ++ [
+    secretsConfig
+  ];
 
   introspectionModule._module.args.cluster = {
     inherit (config) vars;
@@ -20,7 +31,7 @@ in
     default = {};
   };
 
-  config.out.injectNixosConfig = hostName: (lib.flatten (lib.mapAttrsToList (_: getHostConfigurations hostName) config.services)) ++ [
+  config.out.injectNixosConfig = hostName: (lib.flatten (lib.mapAttrsToList (getHostConfigurations hostName) config.services)) ++ [
     introspectionModule
   ];
 }