feat: Encryption

users/crumb/programs/age.nix

@@ -1,8 +1,18 @@
 { config, lib, pkgs, ... }:
 
-{
+let mutableSymlink = config.lib.file.mkOutOfStoreSymlink;
+in {
   home.packages = [
     # Rage supports pinentry while Age does not.
     pkgs.rage
   ];
+
+  # Private keys must be mutable symlinks since we don't want the key inside the
+  # world-readable store.
+  home.file."private-keys/age/crumb.age".source =
+    mutableSymlink "/persist/private-keys/age/${config.home.username}.age";
+
+  home.file."public-keys/age/crumb.pub".source =
+    ../../../public-keys/age/${config.home.username}.pub;
 }
+