Reference agenix path from HM’s file-type?

[sellout]

I’m surprised this is the first time I’ve run into this situation and am wondering what the best way to deal with it is.

I have a dotfile containing some secrets, so my home.nix has

age.secrets.someApp = {
  file = ../secrets/someApp.yaml.age;
  path = let
    prefix =
      if pkgs.stdenv.hostPlatform.isDarwin
      then "${config.home.homeDirectory}/Library/Application Support"
      else config.xdg.configHome;
  in "${prefix}/someApp.yml";
};

However, I’ve now created a HM module for someApp, and want to encapsulate the slightly-complicated logic for where the config file lives.

My first thought was to be able to do

{
  age.secrets.someApp.file = ../secrets/someApp.yaml.age;
  programs.someApp = {
    enable = true;
    settings = config.age.secrets.someApp.path;
  };
}

with a module like

let
  t = lib.types;

  prefix =
    if pkgs.stdenv.hostPlatform.isDarwin
    then "${config.home.homeDirectory}/Library/Application Support"
    else config.xdg.configHome;
in {
  options.programs.someApp.settings = lib.mkOption {
    type = t.nullOr (t.either t.path yamlFormat.type);
  };

  config.home.file."${prefix}/someApp.yml" = lib.mkIf (cfg.settings != null) {
    source =
      if lib.isString cfg.settings
      then cfg.settings
      else yamlFormat.generate "someApp config" cfg.settings;
  };
}

which would let me either construct the YAML from Nix, or symlink the file to the correct location. Except that it doesn’t work to symlink it like that (“access to absolute path '…' is forbidden in pure eval mode”).

Another approach is to expose the config file path as a read-only option and do

{
  age.secrets.someApp = {
    file = ../secrets/someApp.yaml.age;
    path = config.programs.someApp.configFile;
  };
  programs.someApp.enable = true;
}

but that feels backward to me.

Is there some other approach that I’m missing that allows me to pass the agenix path value to the module, and wind up with the decrypted file symlinked to the correct location?