feat: install sops cli

modules/aspects/system-packages.nix

@@ -7,6 +7,7 @@
         git
         neovim
         just
+        sops
         tree
         fastfetchMinimal
       ];

secrets/README.md

@@ -9,18 +9,13 @@ aspect. Do not commit plaintext secrets.
 - SOPS rules: `.sops.yaml`
 - Age key file: `~/.config/sops/age/keys.txt`
 - Environment variable: `SOPS_AGE_KEY_FILE`, exported by the `secrets` aspect
+- SOPS CLI: installed by the system packages aspect
 - Secret declarations: `modules/aspects/_secrets/sops.nix`
 - SSH host wiring: `modules/aspects/_ssh/ssh.nix`
 
 ## Add An SSH Private Key
 
-From the repository root, open a shell with `sops` and `age`:
+From the repository root, open the encrypted secret file:
-
-```bash
-nix-shell -p sops age
-```
-
-Open the encrypted secret file with the age key:
 
 ```bash
 sops secrets/poby.yaml
@@ -46,6 +41,13 @@ file explicitly for the command:
 SOPS_AGE_KEY_FILE="$HOME/.config/sops/age/keys.txt" sops secrets/poby.yaml
 ```
 
+If the system package set has not been applied yet, run the command from a
+temporary shell with `sops`:
+
+```bash
+nix-shell -p sops --run 'sops secrets/poby.yaml'
+```
+
 ## Generate A New SSH Key First
 
 If the key does not exist yet, generate it before opening SOPS: