base/secrets: add tmpfiles rules for creating key storage file

base/secrets.nix

@@ -8,11 +8,19 @@
 }:
 
 with lib;
-
+let
+  ageKeyDir = "/var/lib/sops";
+  ageKeyFile = "${sopsDir}/keys.txt";
+in
 {
   imports = [ inputs.sops-nix.nixosModules.sops ];
 
+  systemd.tmpfiles.rules = [
+    "d ${ageKeyDir} 0700 root root -"
+    "C ${ageKeyFile} 0400 root root -"
+  ];
+
   sops.defaultSopsFile = ../secrets/${config.networking.hostName}.yml;
   sops.defaultSopsFormat = "yaml";
-  sops.age.keyFile = "/var/lib/sops/age/keys.txt";
+  sops.age.keyFile = ageKeyFile;
 }