Lehmanator / nix-configs

Personal Nix / NixOS configs

`nix.conf`: Handle `access-tokens` expiring.

Lehmanator opened this issue

Problems:

  • When a token specified in `access-tokens` in `nix.conf` expires, updating NixOS configs to use the new token becomes a pain because `nixos-rebuild` wants to fetch data from the GitHub API using the expired token, which fails.
  • Tokens are stored in secrets, so we can't read them as strings into Nix configs.
  • Token secrets must be prefixed with `access-tokens = github.com=`

Possible Solutions:

  • Set environment variable before running `nixos-rebuild`
  • `nixos-rebuild` CLI flag/option to specify one of:
    • new token directly?
    • `nix.conf` option `access-tokens`
    • `nix.conf` to run command with?

Module: nixosModules.git-tokens

  • Specify tokens, with their expiration date
  • Service to periodically test `access-tokens` for expiration/revocation before expiration date
  • Command/package to update `access-tokens` automatically. Terranix?
  • Activation script to warn user of upcoming expiration

Module: flakeModules.git-repo-self

  • Specify upstream git repo for flake.
  • Specify username on git forge.
  • Add/use repo secrets on GitHub / git forges
  • Wrap nixosConfigurations with configs to use the tokens/secrets.
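
A sketch of two ideas from the lists above, added here as an example and not code from this repository: an expiry check that an activation script or timer could call, and a helper that turns a secret file already holding the `access-tokens = github.com=` line into a value for Nix's `NIX_CONFIG` environment variable, so a rebuild can use the new token while `nix.conf` still has the expired one. The function names, `WARN_DAYS` and the secret path are assumptions; it expects GNU `date` and `stat`.

```shell
#!/usr/bin/env bash
# Added example (not from the issue). Assumes GNU coreutils `date` and `stat`.

# Days from TODAY until EXPIRY (both YYYY-MM-DD, UTC); negative once expired.
token_days_left() {
  local expiry today e t
  expiry=$1
  today=${2:-$(date -u +%F)}
  e=$(date -u -d "$expiry" +%s) || return 2
  t=$(date -u -d "$today" +%s) || return 2
  echo $(( (e - t) / 86400 ))
}

# Classify a token as expired / warn / ok. WARN_DAYS is an assumed knob.
token_status() {
  local days
  days=$(token_days_left "$1" "${2:-}") || return 2
  if [ "$days" -lt 0 ]; then echo expired
  elif [ "$days" -le "${WARN_DAYS:-14}" ]; then echo warn
  else echo ok
  fi
}

# Print the secret file's `access-tokens = github.com=<token>` line so it can be
# used as NIX_CONFIG. Rejects files accessible to group/others and files without
# the expected prefix; error messages never contain the token.
nix_config_from_secret() {
  local file mode line
  file=$1
  mode=$(stat -c %a "$file") || return 1
  case $mode in
    *00) ;;
    *) echo "refusing $file: mode $mode is not owner-only" >&2; return 1 ;;
  esac
  IFS= read -r line < "$file" || [ -n "$line" ] || return 1
  case $line in
    "access-tokens = github.com="?*) printf '%s\n' "$line" ;;
    *) echo "refusing $file: expected 'access-tokens = github.com=' prefix" >&2
       return 1 ;;
  esac
}

# Usage (the secret path is hypothetical): warn early, and rebuild with a
# replacement token even though nix.conf still holds the expired one:
#   [ "$(token_status 2030-01-15)" = ok ] || echo "GitHub token needs rotation" >&2
#   NIX_CONFIG="$(nix_config_from_secret /run/secrets/github-token-new)" \
#     nixos-rebuild switch --flake .
```

Passing the token through `NIX_CONFIG` keeps it out of the process argument list, which a `--option access-tokens ...` command line would not.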