sops: first secret integration (nix-settings)

common/nix-settings.nix

@@ -18,6 +18,22 @@ in
     };
     nixPath = lib.mapAttrsToList (key: value: "${key}=${value.to.path}") config.nix.registry;
   };
+  sops = {
+    secrets."nix/access-tokens" = {
+      owner = "root";
+      group = "users";
+      mode = "0440";
+      sopsFile = ./secrets.yaml;
+    };
+    templates.nix-secrets = {
+      content = ''
+        access-tokens = ${config.sops.placeholder."nix/access-tokens"}
+      '';
+      owner = "root";
+      group = "users";
+      mode = "0440";
+    };
+  };
   nix.settings = builtins.mapAttrs (_: lib.mkDefault) {
     # keep around all inputs necessary for offline-rebuilding the system
     keep-outputs = true;
@@ -35,6 +51,6 @@ in
   # TODO: manage access token with sops instead of manual deployment
   # permissions: needs to be readable by the user invoking nix and root (for nix daemon)
   nix.extraOptions = ''
-    !include /etc/nix/secrets.conf
+    !include ${config.sops.templates.nix-secrets.path}
   '';
 }