fix: fix _agenix_generation being (very shortly) empty if readlink fails

[teatwig]

I'm currently trying to improve agenix (mostly for myself) and realized that _agenix_generation never gets set properly.
When basename wraps readlink in quotes, the or condition that would return 0 never gets executed because basename "" doesn't fail.

This isn't really a problem atm because (( ++_agenix_generation )) will treat empty variables as if they were 0, but might lead to some issues in the future.
I moved the condition to the readlink subshell, which shouldn't cause any issues since basename "0" will just return 0.
I also wrapped ${cfg.secretsDir}in quotes in case someone sets it to a path with spaces.

[teatwig]

I also find it interesting that activation scripts apparently share shell variables?
Since agenixNewGeneration currently sets _agenix_generation, which is then used by the separate activation script agenixInstall.

This makes recalculating _agenix_generation in cleanupAndLink a bit unnecessary, because all the installSecret steps that happen before it already expect it to be set.

I'd open a new PR or update this one to refactor the logic for setting _agenix_generation into a separate variable which is used at the start of both agenixNewGeneration and agenixInstall.

But please let me know if I missed anything 😅