{
  agenix,
  pkgs,
  ...
}: {
  # Agenix manages the deployment of secrets by public-key encrypting them to
  # each system's ssh host key. See the README for more information.
  # https://github.com/ryantm/agenix
  # https://nixos.wiki/wiki/Comparison_of_secret_managing_schemes

  imports = [
    agenix.nixosModules.default
  ];

  # Agenix attempts to decrypt secrets before impermanence symlinks the ssh
  # host key. Refer directly to the key on the persistent partition, which is
  # mounted in stage 1 of the boot process, before agenix runs.
  # https://github.com/ryantm/agenix/issues/45#issuecomment-901383985
  age.identityPaths = ["/nix/persist/etc/ssh/ssh_host_ed25519_key"];

  # `agenix` cli tool
  environment.systemPackages = [
    agenix.packages.${pkgs.system}.default
  ];
}