diff --git a/home/hosts/eris.nix b/home/hosts/eris.nix
index c0d2125..c5c55c0 100644
--- a/home/hosts/eris.nix
+++ b/home/hosts/eris.nix
@@ -12,6 +12,7 @@
     ../modules/vscode.nix
     ../modules/gnome-dconf.nix
     ../modules/ssh.nix
+    ../modules/nix-config.nix
   ];
 
   home.packages = with pkgs;[
diff --git a/home/hosts/hypnos.nix b/home/hosts/hypnos.nix
index c2c800c..0842fea 100644
--- a/home/hosts/hypnos.nix
+++ b/home/hosts/hypnos.nix
@@ -15,6 +15,7 @@
     ../modules/zsh.nix
     ../modules/llm.nix
     ../modules/ssh.nix
+    ../modules/nix-config.nix
     ../modules/atuin.nix
     ../modules/git.nix
   ];
diff --git a/home/modules/nix-config.nix b/home/modules/nix-config.nix
new file mode 100644
index 0000000..d3a800d
--- /dev/null
+++ b/home/modules/nix-config.nix
@@ -0,0 +1,21 @@
+{ config, lib, ... }:
+let
+  nixConfDir = "${config.home.homeDirectory}/.config/nix";
+in
+{
+  home.activation.nixConfDir = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
+    mkdir -p "${nixConfDir}"
+  '';
+
+  sops.secrets."github-pat" = {
+    sopsFile = ../../secrets/github.yaml;
+  };
+
+  sops.templates."nix.conf" = {
+    path = "${nixConfDir}/nix.conf";
+    mode = "600";
+    content = ''
+      access-tokens = github.com=${config.sops.placeholder."github-pat"}
+    '';
+  };
+}
diff --git a/secrets/github.yaml b/secrets/github.yaml
new file mode 100644
index 0000000..8b29732
--- /dev/null
+++ b/secrets/github.yaml
@@ -0,0 +1,16 @@
+github-pat: ENC[AES256_GCM,data:V4oqfTKlPP8X4FJ+DmWkmZ7L66HxG5PC1DfG/Fn6hatlOn9CYidDNQ==,iv:nJphrY43CpT1oxRBjSylM+MV92lC9ik1oCYiprEcJss=,tag:g3gjjFLDzEgs+JrNynl2OQ==,type:str]
+sops:
+    age:
+        - recipient: age1nlta6ek2fsre42g38ytwg3fxtra4h444psd7g986md0gzmvv6d5qqlwwjy
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVOFY0Yi9kZzdIdUg3eTY3
+            SW9JNmFHVWhDRUJ4YnEvSk1VQnI5aGFwOXdJCjRJdGlkd3dBT3ByeFppM1FTWmZj
+            L1dZRCtxT3Z0cUJUV1RpS1lSN2lMeHcKLS0tIHhJWXFXdVlGMlVaa3QyNlBhUHUx
+            aEZ0cnpEVFl4TmljbS9rQmFabFhCelEKyhroEPgFcg8L9Nhdz1R9Dk31OIUN6Sni
+            5UrBfKg7q279oQtBqlw5jFIR4gvQQ9aPkSAZA6GvhGpqx8aJkBaFig==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-02-10T00:29:08Z"
+    mac: ENC[AES256_GCM,data:Zxl1kRsnOehtlOfjSeM09GJeFMnnQ0lYOYro7D62acPXn09OgIUzCaSEvqcwVRGwcJNOprF+ahgv1GYEK109gZznNxw513y1wmCNTRu42tsRaQx/6Clt1SgqvzRJok1/ojEjt9wzw7ANKsCK3FIWbVN0m5Cxei1vcpgs80SNCoA=,iv:tsNhhP+9aKvL7tr2zI/I5Y/lkfFhHEBrD32WIipBKtU=,tag:ucg3HEQNoTCWlP9QaCAw/g==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0