Minimally invasive safe secret provisioning to Nix-generated service config files
First public release. Should be considered public and experimental.