# NixOS module that wires sops-nix into the system and tells it which age
# identities may be used to decrypt the secrets in ../secrets.yaml.
{ inputs, config, ... }:
let
  # Host keys declared for sshd, narrowed to the ed25519 ones.
  # sops-nix derives age identities from SSH keys, and that conversion is
  # only defined for ed25519 keys, so RSA and other key types are dropped here.
  ed25519HostKeys =
    builtins.filter (hostKey: hostKey.type == "ed25519") config.services.openssh.hostKeys;
in
{
  imports = [ inputs.sops-nix.nixosModules.sops ];

  sops = {
    # Encrypted secrets file used when a secret does not name its own sopsFile.
    defaultSopsFile = ../secrets.yaml;

    age = {
      # Private host keys that sops-nix imports as age identities.
      sshKeyPaths = map (hostKey: hostKey.path) ed25519HostKeys;

      # TODO: remove? Rely only on SSH or PGP keys (e.g. a YubiKey, as misterio does).
      # NOTE(review): this identity file sits inside a user's home directory, so
      # the key that unlocks system secrets is presumably readable and replaceable
      # by that user account. Confirm ownership and mode, or move it to a
      # root-only location.
      keyFile = "/home/julian/.config/sops/age/keys.txt";

      # Generate a key at keyFile when none exists. Author's intent: the build
      # still succeeds, just without secrets.
      # NOTE(review): a freshly generated key is not a recipient of the existing
      # secrets file, so it cannot decrypt anything until its public key is added
      # as a recipient and the file is re-encrypted.
      generateKey = true;
    };
  };
}