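{ pkgs, inputs, ... }:
let
  # Wrap rage so age-plugin-tpm is on PATH at activation time. The wrapper
  # prepends the plugin's bin directory and then execs the real rage with the
  # caller's arguments passed through unchanged ("$@" stays quoted, so
  # arguments containing spaces survive).
  # Both mreow and yarn use age1tpm1… recipients (legacy P-256 encoding),
  # which age-plugin-tpm handles under its own name.
  rageWithTpm = pkgs.writeShellScriptBin "rage" ''
    export PATH="${pkgs.age-plugin-tpm}/bin:$PATH"
    exec ${pkgs.rage}/bin/rage "$@"
  '';
in
{
  imports = [ inputs.agenix.nixosModules.default ];

  # Expose the plugin + agenix CLI for interactive edits (`agenix -e …`).
  # `pkgs.stdenv.hostPlatform.system` is the non-deprecated spelling of the
  # system string (`pkgs.system` is slated for removal in nixpkgs).
  environment.systemPackages = [
    inputs.agenix.packages.${pkgs.stdenv.hostPlatform.system}.default
    pkgs.age-plugin-tpm
  ];

  # Decrypt with the wrapper above so the TPM plugin is found during activation.
  age.ageBin = "${rageWithTpm}/bin/rage";

  # Primary identity: TPM-sealed key, generated by scripts/bootstrap-desktop-tpm.sh.
  # Fallback identity: admin SSH key. agenix hands every usable identity path to
  # rage, which tries them in the order listed, so if the TPM is wiped or the
  # board is replaced the SSH key keeps secrets accessible until the TPM is
  # re-bootstrapped. Both are encrypted recipients on every .age file.
  #
  # NOTE(review): the fallback widens the trust boundary. Anyone who obtains
  # /home/primary/.ssh/id_ed25519 — from a home-directory backup, an
  # unencrypted disk, or a compromised user session — can decrypt every secret
  # below without touching the TPM, so the TPM binding is only as strong as the
  # protection of that file. That is the price of the recovery path; if it is
  # not acceptable, re-key the .age files with the TPM recipient only.
  # Also confirm the SSH key is not passphrase-protected: activation is
  # non-interactive and could not unlock it (then only the TPM path would work).
  age.identityPaths = [
    "/var/lib/agenix/tpm-identity"
    "/home/primary/.ssh/id_ed25519"
  ];

  # Ensure the identity directory exists before agenix activation so a fresh
  # bootstrap doesn't race the directory creation. 0700 root keeps the parent
  # non-traversable for other users; the identity file's own mode is set by the
  # bootstrap script — confirm it is 0400/0600 there.
  systemd.tmpfiles.rules = [
    "d /var/lib/agenix 0700 root root -"
  ];

  # All secrets below are root-only (0400 root:root, agenix's default, spelled
  # out so a later default change cannot silently loosen them).
  age.secrets = {
    # Secureboot PKI bundle (db/KEK/PK keys + certs) consumed by lanzaboote
    # via desktop-lanzaboote-agenix.nix at activation time.
    # NOTE(review): this bundle carries the PK and KEK private keys on the host,
    # not just the db signing key. Common practice keeps PK (and ideally KEK)
    # offline and ships only what signing needs — verify what
    # desktop-lanzaboote-agenix.nix actually consumes before trimming.
    secureboot-tar = {
      file = ../secrets/desktop/secureboot.tar.age;
      mode = "0400";
      owner = "root";
      group = "root";
    };

    # netrc for the private nix binary cache (read by the root-run nix daemon).
    nix-cache-netrc = {
      file = ../secrets/desktop/nix-cache-netrc.age;
      mode = "0400";
      owner = "root";
      group = "root";
    };

    # yescrypt hash for the primary user.
    password-hash = {
      file = ../secrets/desktop/password-hash.age;
      mode = "0400";
      owner = "root";
      group = "root";
    };
  };
}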