Use agenix to decrypt access-token for nix.conf securely?

[sheeeng]

The documentation indicates we should avoid builtins.readFile anti-pattern as the encrypted plain-text secrets to be placed into the world-readable Nix store.

# home.nix
nix = {
  settings = rec {
    access-tokens = "github.com=${config.age.secrets."nix-configuration-github-token".path}"; # https://nix.dev/manual/nix/2.25/command-ref/conf-file.html#conf-access-tokens
  };
};
# age.nix
  age = {
    secretsDir = "${config.home.homeDirectory}/.agenix/agenix"; # Defaults to /run/agenix directory. # https://github.com/ryantm/agenix?tab=readme-ov-file#agesecretsdir
    secretsMountPoint = "${config.home.homeDirectory}/.agenix/agenix.d"; # Defaults to /run/agenix.d directory. # https://github.com/ryantm/agenix?tab=readme-ov-file#agesecretsmountpoint
  };

The above code builds the following configuration correctly.

access-tokens = github.com=/Users/leonardlee/.agenix/agenix/nix-configuration-github-token

$ > ls --all --long --numeric ~/.config/nix/nix.conf
lrwxr-xr-x@ - 501 2024-12-19 15:42 /Users/leonardlee/.config/nix/nix.conf -> /nix/store/6w72mnmal83cgqbfwq2918dm46aph39r-home-manager-files/.config/nix/nix.conf

How can we read the file content of the unencrypted token securely, as shown below?

access-tokens = github.com=ghp_000000000000000000000000000000000000

Appreciate any helpful suggestions.