prep: setup sops demo for otf

configurations/nixos/tofu/default.nix

@@ -1,6 +1,11 @@
 # See /modules/nixos/* for actual settings
 # This file is just *top-level* configuration.
-{ flake, modulesPath, ... }:
+{
+  flake,
+  modulesPath,
+  config,
+  ...
+}:
 
 let
   inherit (flake) inputs;
@@ -15,6 +20,7 @@ in
     tty-ips.enable = true;
     otf = {
       enable = true;
+      environmentFile = config.sops.secrets.otfenv.path;
     };
   };
   networking = {

modules/nixos/common/otf.nix

@@ -19,7 +19,7 @@ in
     };
     package = lib.mkPackageOption pkgs "otf" { };
     pgPackage = lib.mkPackageOption pkgs "postgresql_16" { };
-    environmentFile = lib.mkEnableOption {
+    environmentFile = lib.mkOption {
       type = with lib.types; nullOr path;
       default = lib.types.null;
     };

modules/nixos/common/sops.nix

@@ -9,5 +9,14 @@
   imports = [
     flake.inputs.sops-nix.nixosModules.sops
   ];
-  sops.defaultSopsFile = ../../../secrets.yaml;
+  sops = {
+    defaultSopsFile = ../../../secrets.yaml;
+    secrets = {
+      otfenv = {
+        owner = "otf";
+        group = "otf";
+        mode = "0440";
+      };
+    };
+  };
 }