
[Feature] Allow merging a .env file with other files from the nix store #268

Open
chrichrichri opened this issue Jul 11, 2024 · 0 comments

@chrichrichri

Use-case: Many programs require config files containing secrets, but do not easily allow loading a file or environment variables for these values. So the complete file needs to be age-encrypted, not only the actual secrets. This makes it more complicated to track the changes made to the config files.

Solution: Allow merging config files containing environment variables with a file containing these environment variables, which comes from the age store, and provide the merged files to the user.

Example:

  1. Config file

config_raw.json

{
  "secret": "$SECRET_1",
  "another_secret": "$SECRET_2"
}

  2. Age-encrypted file:

.env

SECRET_1=foo
SECRET_2=bar

  3. Merged file, which is stored in the agenix folder and linked to the specified location:

config.json

{
  "secret": "foo",
  "another_secret": "bar"
}

Currently I am doing this with a separate service using envsubst to decrypt on startup, but this does not seem like the optimal solution:

systemd.services.config_file_creator = {
  after = [ "network.target" ];

  serviceConfig = {
    Type = "oneshot";
    User = "<user>";
    EnvironmentFile = config.age.secrets.".env".path;
    ExecStart = ''${pkgs.bash}/bin/bash -c "${pkgs.gettext}/bin/envsubst < ${./config_raw.json} > /folder/path/config.json"'';
  };
};

I am not sure if it fits the scope of this project, but if it does, it would be great to have it.
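An added, self-contained illustration of the merge step described in this issue (not agenix's code and not the reporter's service, which uses gettext's envsubst). It reimplements the `$VAR`/`${VAR}` substitution in Python with two checks the plain `envsubst < template > file` invocation above does not give you: only an explicit allow-list of secret names is substituted (the equivalent of envsubst's SHELL-FORMAT argument), so other `$` sequences in the config stay verbatim and the process environment is never consulted; a reference to a listed secret that the .env file does not define fails loudly instead of silently becoming an empty string; and the merged file, which now holds the plaintext secrets, is created with mode 0600 rather than inheriting the umask through a shell redirection. The `.env` and template contents are constructed sample data modelled on the example in the issue.

```python
import os
import re
import stat
import tempfile

# Constructed sample inputs modelled on the issue's example (not real secrets).
ENV_TEXT = """# constructed .env, as it would come out of the age store
SECRET_1=foo
SECRET_2="bar baz"
"""

TEMPLATE_TEXT = """{
  "secret": "$SECRET_1",
  "another_secret": "${SECRET_2}",
  "data_dir": "$HOME/data"
}
"""


def parse_dotenv(text):
    """Parse KEY=VALUE lines into a dict (comments, blank lines and quotes allowed)."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed .env line: {raw!r}")
        key, value = line.split("=", 1)
        key = key.strip()
        if key.startswith("export "):
            key = key[len("export "):].strip()
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


# $NAME or ${NAME}: the two reference forms envsubst understands.
VAR_RE = re.compile(r"\$(?:\{([A-Za-z_][A-Za-z0-9_]*)\}|([A-Za-z_][A-Za-z0-9_]*))")


def missing_references(template, env, only):
    """Names in `only` that the template references but the .env does not define."""
    used = {m.group(1) or m.group(2) for m in VAR_RE.finditer(template)}
    return sorted(n for n in used if n in only and n not in env)


def render(template, env, only):
    """Substitute only the names listed in `only`; every other $... sequence is
    left verbatim, and values come solely from `env`, never from os.environ."""
    missing = missing_references(template, env, only)
    if missing:
        raise KeyError(f"template references undefined secrets: {missing}")

    def repl(m):
        name = m.group(1) or m.group(2)
        return env[name] if name in only else m.group(0)

    return VAR_RE.sub(repl, template)


def write_private(path, content):
    """Create the merged file owner-read/write only and return its mode bits.
    A plain `> file` redirection inherits the umask and can leave it world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(content)
    os.chmod(path, 0o600)  # tighten even if the file pre-existed with looser bits
    return stat.S_IMODE(os.stat(path).st_mode)


def merge(env_text, template_text, only):
    """The issue's step 3: template + decrypted .env -> rendered config text."""
    return render(template_text, parse_dotenv(env_text), set(only))


def demo():
    """Run the whole pipeline into a temp dir; returns (rendered text, file mode)."""
    rendered = merge(ENV_TEXT, TEMPLATE_TEXT, ["SECRET_1", "SECRET_2"])
    with tempfile.TemporaryDirectory() as d:
        mode = write_private(os.path.join(d, "config.json"), rendered)
    return rendered, mode


if __name__ == "__main__":
    text, mode = demo()
    print(text, oct(mode))
```

In `demo()` the `$HOME/data` value survives untouched because `HOME` is not in the allow-list, which is the behaviour you want when a config format uses `$` for its own purposes; with the reporter's unrestricted `envsubst` call it would be expanded from the service's environment instead.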
