add pass plugin to read secrets from password store

extra-builtins.nix

@@ -0,0 +1,3 @@
+{ exec, ... }: {
+  pass = name: exec [./nix-pass.sh name];
+}

nix-pass.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+# nix-pass.sh
+
+set -euo pipefail
+
+f=$(mktemp)
+trap "rm $f" EXIT
+pass show "$1" | head -c -1 > $f
+nix-instantiate --eval -E "builtins.readFile $f"