diff --git a/nixos/base/nix.nix b/nixos/base/nix.nix
index a8ec9801..63e245b5 100644
--- a/nixos/base/nix.nix
+++ b/nixos/base/nix.nix
@@ -1,43 +1,56 @@ -{ config, lib, pkgs, inputs, ... }: - -{ - boot.loader.grub.configurationLimit = 8; - boot.loader.systemd-boot.configurationLimit = 8; - - nix = { - nixPath = [ - "nixpkgs=${inputs.nixpkgs}" - "nur=${inputs.nur}" - "arc=${inputs.arcexprs}" - "ci=${inputs.ci}" - ]; - registry = { - nixpkgs.flake = inputs.nixpkgs; - nur.flake = inputs.nur; - arc.flake = inputs.arcexprs; - ci.flake = inputs.ci; +{ config, options, lib, inputs, ... }: let + inherit (lib.modules) mkIf mkDefault; + hasSops = options ? sops; +in { + config = { + boot.loader = { + grub.configurationLimit = 8; + systemd-boot.configurationLimit = 8; }; - settings = { - experimental-features = lib.optional (lib.versionAtLeast config.nix.package.version "2.4") "nix-command flakes"; - substituters = [ - "https://gensokyo-infrastructure.cachix.org" - "https://arc.cachix.org" "https://kittywitch.cachix.org" - "https://nix-community.cachix.org" + + nix = { + nixPath = [ + "nixpkgs=${inputs.nixpkgs}" + "nur=${inputs.nur}" + "arc=${inputs.arcexprs}" + "ci=${inputs.ci}" ]; - trusted-public-keys = [ + registry = { + nixpkgs.flake = inputs.nixpkgs; + nur.flake = inputs.nur; + arc.flake = inputs.arcexprs; + ci.flake = inputs.ci; + }; + settings = { + experimental-features = lib.optional (lib.versionAtLeast config.nix.package.version "2.4") "nix-command flakes"; + substituters = [ + "https://gensokyo-infrastructure.cachix.org" + "https://arc.cachix.org" "https://kittywitch.cachix.org" + "https://nix-community.cachix.org" + ]; + trusted-public-keys = [ "gensokyo-infrastructure.cachix.org-1:CY6ChfQ8KTUdwWoMbo8ZWr2QCLMXUQspHAxywnS2FyI=" "arc.cachix.org-1:DZmhclLkB6UO0rc0rBzNpwFbbaeLfyn+fYccuAy7YVY=" "kittywitch.cachix.org-1:KIzX/G5cuPw5WgrXad6UnrRZ8UDr7jhXzRTK/lmqyK0=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "ryantrinkle.com-1:JJiAKaRv9mWgpVAz8dwewnZe0AzzEAzPkagE9SP5NWI=" ]; - auto-optimise-store = true; - trusted-users = [ "root" "@wheel" ]; + auto-optimise-store = true; 
+ trusted-users = [ "root" "@wheel" ];
+ };
+ extraOptions = mkIf hasSops ''
+ !include ${config.sops.secrets.github-access-token-public.path}
+ '';
+ gc = {
+ automatic = mkDefault true;
+ dates = mkDefault "weekly";
+ options = mkDefault "--delete-older-than 7d";
+ };
 };
- gc = {
- automatic = lib.mkDefault true;
- dates = lib.mkDefault "weekly";
- options = lib.mkDefault "--delete-older-than 7d";
+ ${if hasSops then "sops" else null}.secrets.github-access-token-public = {
+ sopsFile = mkDefault ../secrets/nix.yaml;
+ group = mkDefault "users";
+ mode = mkDefault "0644";
 };
 };
 }
diff --git a/nixos/secrets/nix.yaml b/nixos/secrets/nix.yaml
new file mode 100644
index 00000000..86cb7c47
--- /dev/null
+++ b/nixos/secrets/nix.yaml
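Review bot: `mode = mkDefault "0644"` on the github-access-token-public secret makes the decrypted token readable by every local account and service user, including ones that never run nix, and the `group = mkDefault "users"` next to it has no effect under a world-readable mode. Since the file is only `!include`d into nix.conf (presumably an `access-tokens` line) it needs to be readable by the accounts that run nix clients, so `mode = mkDefault "0440";` with the existing `users` group keeps the intended unprivileged access while excluding daemon and system accounts. Whichever mode is kept, the declaration should carry a comment pinning the token's allowed scope, e.g. `# group/world-readable by design: must be a no-scope PAT used only to lift GitHub API rate limits, never a token with repo or org rights`. Note also that `!include` ignores a missing file, so a host whose key is not among the recipients of secrets/nix.yaml can silently fall back to unauthenticated GitHub access instead of failing; that is worth a comment on the `extraOptions` line.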
@@ -0,0 +1,102 @@ +github-access-token-public: ENC[AES256_GCM,data:N1xzd5ULEYWgYNJkX5V4ofU4uFPTToPCank1jDjcd10LPIvJZZKry6eA0oWOpl6oPRyjTWoVi8JT2cmuuLoKz3FfV38dds1OuMxzvcfSLn6ukeQh9OMy4wLSkHWYRSH4vbF1bCHRJwlxv1zqNQ43fZLn3Ukgb8UHw9LeXUu+KiuQL9XtEKU/qK6HBOY3vxzorDuutL1CWWeD0csKWeA01UjJf1Ey5MmI0ZxFYeKZwQbbxlNN+t6ZaMg4tJ4dfQDTIKcs5/UdWLK/JLozXkaGDOTnIlvXtyKaLmjq8UTTsatguT31562OYUnLc0BuzaGDew==,iv:bZNOj/lhU35sKLgt9taowQJNlMoUpMoLZ76QyOK/HMM=,tag:VS2UxfRD6HF0waknya4kSA==,type:str] +sops: + shamir_threshold: 1 + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age12ze362pu5mza6ef9akrptr7hfe4auaqul4rkta7kyy2tnrstqensgmujeq + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCMmlUVHF4cS8ycWhsK3pV + MWhBbXJjYzYrb2tWcWUyZnlZeTE2OGNjS1FnCkxVbTZVMURDclRQMERWZkxRRHRD + cXRXdW5va3h3SjFsckk5MlZmWVFzVG8KLS0tIFpGU3VoWFp5dGtjczdLK0c3ejRB + YlUwS251L1pwUGpPOGJxSnhPSTI2SFUK59ZaWOL/HI37B2BwrLK4BoDD10iWXi+m + /eOhNF1XzowvSU0G8lHGes3uMCPabs9SZ8dW0+T+eKZXH+5uDr2e2w== + -----END AGE ENCRYPTED FILE----- + - recipient: age176uyyyk7veqnzmm8xzwfhf0u23m6hm02cldlfkldunqe6std0gcq6lg057 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDcTRHbDB4TXQ0bVlSejhu + dkpOVXBISnl3S3pjVmppZzl1c3VTMDQvbEM0CndvN0x2WGhoT0lLeTQ5ekc2OVpz + Uzh1Z1RrbGdaNVZOREtraGcvWHpLQWMKLS0tIDExd2ZWTjh4TWpaQ1M1M0t5VWZD + ZG45YkhlTng2bHhMbGp1ZS9ISzR2bHcK1suDXGZO9IP7NWLqImee7PZoXsY99j+6 + +CoH2IAUvqnykTGhV6PdLrjfNuya3AypN6fw5HZBDMmWRVaHwFzsQg== + -----END AGE ENCRYPTED FILE----- + - recipient: age10t6kc5069cyky929vvxk8aznqyxpkx3k5h5rmlyz83xtjmr22ahqe8mzes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4ZnF6cG5BQXV5RGQ4aEJO + QzNmU09qSGlYY0wxQk13OXhxOU05cmZnM2lzClFVWklBVFUrMlVPa0MrYW1JekVn + dm8zQmlhWENQYkdhRmtpMCtiNG1ncVkKLS0tIDBrZlRyZlhLVTQycTRzaGp5UDJp + U1Q2cEJpSTlSYklZNDhFRDh3ekh6MUUK/+SANslFoRfZlCPNvJeabvWt5ZBrGqY7 + F8uWbzGDSv4yByRIxJzrrQr2INgRHro/qOVccxErx876XK8keamdVw== + 
-----END AGE ENCRYPTED FILE----- + - recipient: age1a2quf2ekkj94ygu7wgvhrvh44fwn32c0l2cwvgvjh23wst90s54szdsvgr + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnRDArODY4Zit5Q2F3L0Jy + THZvNWtTMnNVVFpCOWVWSE9GQUFCT3QybFYwCndFVVFydDZvQ2drQkFEQ2x0R3Bn + UGlnamFsdllablRHNHpMemdLbllKWjAKLS0tIDFUNDdYaUxzWTJTUFgxT2FzaU5U + M042VWI3N0NleFFXbUxFSDFXaVJ4U0kKRO2eZ01r5JMVTvEgaAP0Vp3g4r+Ff7sx + 0zD2dpvUwo6Ft10lFCfuIcmvmkTK7ClA1BslAJT3fwJGpxAFVczvJA== + -----END AGE ENCRYPTED FILE----- + - recipient: age16klpkaut5759dut8mdm3jn0rnp8w6kxyvs9n6ntqrdsayjtd7upqlvw489 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5ZFlXVzV1N0ZTRlVLMXhz + MGFUV3drQVBTVTlvbWp1V2JaRytzdE44bVVrClJUVXBZN3VBLzJLZHZ5ZFY2U0Qz + WEtlWVd5OWJOODN2S29XSHRISkpMdTQKLS0tIFRqemVFWldXYTFtUVYwbkNQNGVZ + QlFic3RWYjJEUkZ6U0xrdkpmTndOTU0Kk/Om4gH4KvcJD2ktwVWlHi2a0Rx0arUm + W2PWZgsgjknWiPU9LGV47BfFo1aevbMsOYkdyiDyNwrUX3RKD5uehw== + -----END AGE ENCRYPTED FILE----- + - recipient: age13qgddr326g5je0fpq2r3k940vsr3fh9nlvl9xtcxk3xg2x0k3vsq7pvzaj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlNXdocVYzTU9yNk41R1RB + UkdNNkI3T0szZ3BNY09EUVN0cUNBWDJ0VlRrCi9wNGpjcXR2ci9NQWYrdkxUd2lI + OG1RbHBoUlNHOHhlaGw3RWtwTTBQZzQKLS0tIEhWWjVxTkdOWFRDd1pnMjZ3bWVR + NitvR2lhMUZrQThRWFJLOVViSkM4eEEKi/aEGz+xaCnLdpA6byTHOU3ZTKg7MQBg + 3tX22oDoRRnRGBj/t+/m5jVb/ejjDtli3T3VZQ1sCDPdjb2bpKwhPg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-03-07T17:38:57Z" + mac: ENC[AES256_GCM,data:bfEjoQIXO8/fUZBvb+vV6sEdh/Bd4yulVV63gJhDdZPIRTrSeuhRmKubqf39affw2KYkWDd9GD7+CKQGc3ivaWtyaBHOxjI2RUb330N3H4xIUbYltwLSeHwVZIMB2wiDb2DfN2EScTaMgktAQaVMjcj9w6UQ0XeAicfQdANKbus=,iv:8xJf8kOA2AuvcPaqbQ7wwoC+DMCLYAhBzusTJu0OjW0=,tag:wahF3zrdi/A1RUwNEQRhYw==,type:str] + pgp: + - created_at: "2024-03-07T17:28:24Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA82M54yws73UAQ/8CW2ELfj/W5vLXTrxfmMAMt1SICVXk5/DCU/6fprp5hXk + 
qsZZzZ0R8TP/QmbwGGLxUAUryROCcXMNk1+x4/840ALuSEkO6JwI1iilDLzYW8xr + ZITNaY6s4btlvFH92lAJkCqtNL9d+cCwZooE0Rq6OQRe0OM4hXOA2M7T0wPEW6At + IqVzJ1GCJ2qcVv0jR9FVPHNHcyHa8Q2aKwLvfgKAkRFdy+f5GicKcdK6wFbuMRRk + I8jdcV7uabCnWcD+n9UUFlnJApWoOiOVsVZNOgp2CsbwlEJevEqaul1Aa12Z6OmP + Q0/oH06emZK/4hIUHBLGWCktaU98i3KKodYv+yOtgY7uG+k289r+JYCD8/HtV8OI + +YRpGzi5wMbJ/lE/zqaBVibv2e0MbqVVdzWkJ1YQ9zKGsQMEfbm3zHE3aooBNX8w + robzqbnW33Xe9/WYGJd6CIWAdnvC6p3GX9TXJbNtdB4weKWQat9FlxWdKt0z2A3F + h52Rv65jKAtsVaQsgJCQiUzURNH9mBUBoNZ7iQWHSNoaOTySZ0ZKvFyfa0vKg+F1 + SKBMc+gDcxeC/dsGcs4Pcc3/xzRNvTHoCWzUqTt96LDWyKBZyb41wnJj+5SJ6U1E + gT4QoLeHejSOfncRHuM0lRyXvoQWL9cv4uZD4lZiI2YZMxKhmn5jQFYB0m4pc9TS + XgFp3pvlQzKLQ+mmNu4Hv4x92TQAKkT2QdvGeacxBxi2PL5zbe1XnKBDiQ7aq1YB + Td0ZSF/DqAUPd7Crr3s9DXx7LW1J7k0hDsI7r3/0qz7Z2yDs8f88tr3JgOfwVb4= + =f5zj + -----END PGP MESSAGE----- + fp: CD8CE78CB0B3BDD4 + - created_at: "2024-03-07T17:28:24Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQEMA2W9MER3HLb7AQgAr8nG6rV8LxyTFYLJYuLv4K2jtJ7QMZiUMXcaLo50XHUp + 1e17lmmHt9qByT0dXV7CR69BIw235i61xFyciaSbEb3bzHBh14EdPYZyV54GxQoM + qxZ4x48dBw/ECBOm8G8D3DFtrLJ7Ws8/EYW2eg7/la6/d1v57oU14iEMqxmX2iZH + kc7yDHT0IFe4kX4Tdb7DHLY8eG3ePn5u53Af8wF6Ic9mshlrpK8bi1V2yIgoWo1e + liGZoD380P/Fmdz7fgOnBmCL58lmR4vWHw9USjyVH+/v4D25XrhIWqjCACFhOF9m + iROwqHH9ViLPHJiHD9ZINKi4R8tB8q4qV4rcXI1ZKdJeAUSlqJkHYMvVcdMQdk5K + +VDySZohhnC0tLgQ23tcn3ZzlWBJ+IQ9fWarrjcdpVTVZdtaEwSsM7oR8q9dc+qP + 3m4gyHzf1XR5UGE6+ttiT3o/nWxPtR2bDVTxAe8FWQ== + =D+dA + -----END PGP MESSAGE----- + fp: 65BD3044771CB6FB + unencrypted_suffix: _unencrypted + version: 3.8.1