secrets overhaul: use tpm for laptop (need to migrate desktop later)

modules/desktop-common.nix

@@ -17,9 +17,10 @@
     ./desktop-vm.nix
     ./desktop-steam.nix
     ./desktop-networkmanager.nix
+    ./desktop-age-secrets.nix
+    ./desktop-lanzaboote-agenix.nix
 
     inputs.disko.nixosModules.disko
-    inputs.lanzaboote.nixosModules.lanzaboote
 
     inputs.nixos-hardware.nixosModules.common-cpu-amd-pstate
     inputs.nixos-hardware.nixosModules.common-cpu-amd-zenpower
@@ -50,16 +51,6 @@
       mkdir -p /nix/var/nix/profiles/per-user/root/channels
     '';
 
-    # extract all my secureboot keys
-    # TODO! proper secrets management
-    "secureboot-keys".text = ''
-      #!/usr/bin/env sh
-      rm -fr ${config.boot.lanzaboote.pkiBundle} || true
-      mkdir -p ${config.boot.lanzaboote.pkiBundle}
-      ${lib.getExe pkgs.gnutar} xf ${../secrets/desktop/secureboot.tar} -C ${config.boot.lanzaboote.pkiBundle}
-      chown -R root:wheel ${config.boot.lanzaboote.pkiBundle}
-      chmod -R 500 ${config.boot.lanzaboote.pkiBundle}
-    '';
   };
 
   swapDevices = [ ];
@@ -71,7 +62,7 @@
     trusted-public-keys = [
       site_config.binary_cache.public_key
     ];
-    netrc-file = "${../secrets/desktop/nix-cache-netrc}";
+    netrc-file = config.age.secrets.nix-cache-netrc.path;
   };
 
   # cachyos kernel overlay
@@ -896,8 +887,7 @@
       "camera"
       "adbusers"
     ];
-    # TODO! this is really bad :( I should really figure out how to do proper secrets management
-    hashedPasswordFile = "${../secrets/desktop/password-hash}";
+    hashedPasswordFile = config.age.secrets.password-hash.path;
   };
 
   services.gvfs.enable = true;