Question involving terraform, ssh-keys and agenix / agenix-rekey

Context:
I am using Terraform to set up a bunch of nixos machines on a local hackerspace's proxmox cluster (one on each node; all our nodes are a little different, one has storage, another compute, so I need multiple).

I spawn each VM with a very simple nixos image that has open (passwordless) ssh on a setup user inside of network interface that is unreachable from the outside.
After the VM is created, I copy my laptop's ssh key to it and do `nixos-rebuild switch --remote-host setup@` and apply the real config for the VM, which configures the network interface, closes ssh and so on.


I am currently trying to find a good method for distributing secrets to my nodes.
Agenix makes sense to me, so for the past few days I have been researching it.

However there are some things that I don’t really understand about using it.

The usecase of agenix makes sense to me when external secrets are being distributed to nixos hosts, i.e. API Keys for accessing an external API. They can be copied into the flake repo and sit there, encrypted by agenix. When the config is reapplied the master key must be given so that nodes can decrypt them when needed.

However, many secrets are only needed for services communicating with each other internally. I.e. for a database user for a web service.
If I was using Terraform with, i.e. Azure, I would probably create a password using the random_password resource and distribute it to the database and webapp. Or I'd use some Azure internal secret management process, to avoid having the password in my terraform state.

With agenix I’d have to manually create a password and store a “hard-copy” of it in my git repo. I don’t really like this approach, since I want to automatically test a copy of my entire deployment in the future, but without using real secrets.

Is there an approach with agenix that allows me to generate a password “on the fly”?
agenix-rekey seems to have an option for generating secrets, but the option is part of the config of a single host. Will it generate the secret into the secrets directory of the flake?

I cannot generate a secret with terraform and distribute it using nixos-rebuild, because that would break purity.

I could generate a secret using terraform and copy it to the VMs using a file provisioner, but then I’d have it in my state in plaintext.

What is the best approach to take here?

Is purity a requirement? Agenix and sops-nix do allow you to reference encrypted secrets as absolute paths instead of nix-store paths. It doesn't break impurity since the secrets won't be used at eval/build time anyway. However, the consequence is that the state of your secrets is not linked to your config and does not roll back or get purely built with it. So you actually can create a secret with terraform and distribute it, then have nixos read it in when activated.

I did read up on rekey and considered transitioning to it, but it was more upfront effort cost than I was willing to make. However, they apparently have a mechanism that allows locally rekeyed secrets to be purely built with a bait-and-switch, but does require the master key being available at build time. The other secrets management tools don’t need that, but don’t have that local build options either.
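As an added illustration of the absolute-path approach described in this reply (not code from the thread or from the agenix project), the NixOS side could look like this. It assumes a hypothetical path `/var/lib/agenix/db-password.age` that Terraform's file provisioner uploads after encrypting the generated value to the host's SSH public key with `age`; the plaintext in the Terraform state is still a concern that this config does not address.

```nix
# Added example: consume an age-encrypted secret delivered out-of-band,
# without it ever entering the flake repo or the nix store.
{ config, ... }:
{
  age.secrets.db-password = {
    # A plain string path (not a ./path literal) is not copied into the
    # store at eval time, so evaluation stays pure even though the file
    # only exists on the target host. Hypothetical location, assumed to be
    # written by a Terraform file provisioner.
    file = "/var/lib/agenix/db-password.age";

    # Decrypted at activation to /run/agenix/db-password with these perms.
    owner = "webapp";
    group = "webapp";
    mode = "0400";
  };

  # Identity used for decryption: the host SSH key, which is what the
  # .age file must have been encrypted to (this is agenix's default).
  age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # Hand the decrypted file to the service via systemd credentials rather
  # than the environment, so it is not visible in `ps` or the unit file.
  systemd.services.webapp.serviceConfig.LoadCredential = [
    "db-password:${config.age.secrets.db-password.path}"
  ];
}
```

Because the secret is not tracked by the config, a `nixos-rebuild --rollback` will not restore an older password; rotate the `.age` file and the database user together.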

That’s actually a really good idea. Distribute age encrypted secrets with terraform.
Thanks a lot :smiley:

Yea, I wanna keep evaluations pure if possible.
