There are two potential age plugin opportunities:

1. use an age plugin that retrieves secrets from environment variables (such a plugin does not exist yet, or at least isn't listed in the plugin index on awesome-age). This would allow us to eliminate the need to write the private key to disk. To minimize risk of exposure, the secret is written with a random file name, has read access limited to the current user (or root), and the file is immediately deleted after it's used. A plugin that lets age read the identity from an environment variable would mitigate that risk.

2. Could a plugin perform the 1password integration? I haven't read the plugin api so I don't know yet if it's possible or if it's a good idea.