diff --git a/configurations/nixos/tofu/default.nix b/configurations/nixos/tofu/default.nix
index 5a6cb47..28a5cdc 100644
--- a/configurations/nixos/tofu/default.nix
+++ b/configurations/nixos/tofu/default.nix
@@ -1,6 +1,11 @@
 # See /modules/nixos/* for actual settings
 # This file is just *top-level* configuration.
-{ flake, modulesPath, ... }:
+{
+ flake,
+ modulesPath,
+ config,
+ ...
+}:
 let
 inherit (flake) inputs;
@@ -15,6 +20,7 @@ in
 tty-ips.enable = true;
 otf = {
 enable = true;
+ environmentFile = config.sops.secrets.otfenv.path;
 };
 };
 networking = {
diff --git a/modules/nixos/common/otf.nix b/modules/nixos/common/otf.nix
index da9284a..27692fe 100644
--- a/modules/nixos/common/otf.nix
+++ b/modules/nixos/common/otf.nix
@@ -19,7 +19,7 @@ in
 };
 package = lib.mkPackageOption pkgs "otf" { };
 pgPackage = lib.mkPackageOption pkgs "postgresql_16" { };
- environmentFile = lib.mkEnableOption {
+ environmentFile = lib.mkOption {
 type = with lib.types; nullOr path;
 default = lib.types.null;
 };
diff --git a/modules/nixos/common/sops.nix b/modules/nixos/common/sops.nix
index beb3ad4..d40a964 100644
--- a/modules/nixos/common/sops.nix
+++ b/modules/nixos/common/sops.nix
@@ -9,5 +9,14 @@
 imports = [ flake.inputs.sops-nix.nixosModules.sops ];
- sops.defaultSopsFile = ../../../secrets.yaml;
+ sops = {
+ defaultSopsFile = ../../../secrets.yaml;
+ secrets = {
+ otfenv = {
+ owner = "otf";
+ group = "otf";
+ mode = "0440";
+ };
+ };
+ };
 }
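Review bot: `default = lib.types.null;` in the rewritten `environmentFile` option (otf.nix hunk) is still not the value `null` — I do not believe `lib.types` has a `null` attribute, and even if it did the default would be a type rather than the literal, so evaluating a host that leaves `environmentFile` unset would fail instead of falling through the `nullOr path` default; the line should read `default = null;`. The option also has no `description`, and since the file it points at carries the service's credentials I would add one saying the path must be a runtime file (for example a sops-nix secret path) and never a path inside the Nix store, which is world-readable. The enclosing `options` attribute set begins and ends outside the hunk.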
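Review bot: The `otfenv` secret (sops.nix hunk) is declared unconditionally in the shared sops module, so every host that imports `modules/nixos/common/sops.nix` will decrypt it at activation and sops-nix will try to hand it to `otf`/`otf`, which presumably exist only where the otf service is enabled — this commit wires it up on `tofu` alone. That spreads the credential to hosts that have no use for it and, if the user is absent there, likely breaks activation on them. I would declare the secret next to the service instead, under a `lib.mkIf` on the otf module's enable option, e.g. `sops.secrets.otfenv = { owner = "otf"; group = "otf"; mode = "0440"; };` inside otf.nix's config, keeping the owner/group/`0440` choice, which is appropriately tight.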