feat: use private sops repo for secrets

devices/oksys/modules/caddy.nix

@@ -5,14 +5,14 @@
   ...
 }: let
   caddy = caddy-plugins.packages.${pkgs.system}.default;
-
-  # TODO: use agenix?
-  verySecretToken = "TODO";
 in {
   imports = [caddy-plugins.nixosModules.default];
   environment.systemPackages = [caddy];
   users.users.${config.vars.user}.extraGroups = ["caddy"];
 
+  systemd.services.caddy.serviceConfig.EnvironmentFile =
+    config.sops.secrets.caddy-cloudflare.path;
+
   services.caddy = {
     enable = true;
     enableReload = false;
@@ -28,7 +28,7 @@ in {
         serverAliases = ["*.nelim.org"];
         extraConfig = ''
            tls {
-             dns cloudflare ${verySecretToken}
+             dns cloudflare {$TLS}
              resolvers 1.0.0.1
           }
         '';