(yes I know about secrets and /nix/store, when I find the time I’ll be diving into agenix)
However, this fails because programs using .netrc refuse to use it: the actual file is root:root 444 (as all store files are) and it must be user:... 400 or similar.
Is there a way to “generate” the actual file with correct user:mode from HM?
Will/can moving to agenix make such things possible?
You can write a script in home.activation that reads some input file and then outputs it to $HOME.
This is also exactly what agenix does. It uses NixOS’ equivalent of these activation scripts to read an encrypted file, decrypt it with age, and then write it to /run/secrets.d. The problem is that it’s only implemented for NixOS’ activation scripts, so you can’t use it with home-manager.
Writing an activation script that does that yourself isn’t terribly hard, though.
An alternative is maybe using systemd's credential features, but I don’t know if it supports user services either; there’s no mention of those in the description. Systemd is quite a bit more paranoid about this, by the way, and well worth using over agenix and sops-nix if it’s not too cumbersome.
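Here is what such a home.activation script can look like. This is an added example for the thread, not code from agenix, home-manager or either poster. It assumes the encrypted file is checked into the config repo at ./secrets/netrc.age (that path does end up in /nix/store, which is fine because it is ciphertext only) and that the age identity is the user's ~/.ssh/id_ed25519; both paths are assumptions. Activation runs as the user, so the result is owned by the user, and the script tightens the mode to 0400 before the cleartext is moved into place:

```nix
{ config, lib, pkgs, ... }:

{
  # Added example (not from the thread): decrypt an age-encrypted .netrc during
  # Home Manager activation and install it as ~/.netrc with mode 0400.
  # Assumed paths: ./secrets/netrc.age (ciphertext, may live in the store) and
  # ~/.ssh/id_ed25519 as the age identity (never referenced from the store).
  home.activation.installNetrc = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
    set -euo pipefail
    target="$HOME/.netrc"

    # Respect `home-manager switch --dry-run`, which sets DRY_RUN.
    if [[ -n "''${DRY_RUN:-}" ]]; then
      echo "would decrypt netrc.age and install it to $target (mode 0400)"
    else
      # mktemp creates the file 0600 in $HOME, so the cleartext is never
      # world-readable, not even briefly.
      tmp="$(mktemp "$HOME/.netrc.XXXXXX")"
      trap 'rm -f "$tmp"' EXIT

      ${pkgs.age}/bin/age --decrypt \
        --identity "$HOME/.ssh/id_ed25519" \
        --output "$tmp" \
        ${./secrets/netrc.age}

      # curl/ftp-style .netrc consumers want the file owner-only and not
      # writable; set that before it becomes ~/.netrc.
      chmod 0400 "$tmp"
      mv -f "$tmp" "$target"
      trap - EXIT
    fi
  '';
}
```

Because the decrypted file is written under $HOME rather than into /nix/store, it keeps the user:user 0400 permissions that .netrc consumers check for; re-running activation simply regenerates it from the ciphertext, so nothing secret needs to be in the store or in the Nix config itself.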
I’ll take a look at the attempts you linked and/or write the activation script, as you say at least something like that I should be able to do in my sleep (as opposed to actually writing elegant (or merely working) nix modules )