add environment file mechanism for secrets

modules/flake/deploy.nix

@@ -5,7 +5,6 @@ let
     deploy-rs
     nixpkgs
     nixos-anywhere
-    agenix
     ;
   inherit (nixpkgs) lib;
 
@@ -30,11 +29,11 @@ in
     {
       apps = rec {
         default = deploy;
-        secrets = {
+        # secrets = {
-          type = "app";
+        #   type = "app";
-          program = "${agenix.packages.${system}.agenix}/bin/agenix";
+        #   program = "${agenix.packages.${system}.agenix}/bin/agenix";
-          meta.description = "";
+        #   meta.description = "";
-        };
+        # };
         install = {
           type = "app";
           program = "${nixos-anywhere.packages.${system}.nixos-anywhere}/bin/nixos-anywhere";

modules/nixos/common/otf.nix

@@ -19,6 +19,10 @@ in
     };
     package = lib.mkPackageOption pkgs "otf" { };
     pgPackage = lib.mkPackageOption pkgs "postgresql_16" { };
+    environmentFile = lib.mkEnableOption {
+      type = with lib.types; nullOr path;
+      default = lib.types.null;
+    };
     # this application is configured entirely by environment variables and needs to be exposed
     environment = lib.mkOption {
       type =
@@ -85,6 +89,7 @@ in
         WorkingDirectory = cfg.dataDir;
         ExecStart = "${cfg.package}/bin/otfd";
         Restart = "on-failure";
+        EnvironmentFile = lib.mkIf (cfg.environment.file != null) cfg.environment.file;
       };
     };
   };