# NixOS module: wires sops-nix into the host and declares which secrets are
# decrypted on it. The encrypted material lives in the `nix-secrets` flake
# input; nothing in this file contains a secret value.
{
  lib,
  inputs,
  config,
  ...
}: let
  # Location of the encrypted sops file inside the nix-secrets input.
  secretsRoot = builtins.toString inputs.nix-secrets;
  sopsYaml = "${secretsRoot}/secrets.yaml";

  # True when the host declares an impermanence-style "/persist" entry under
  # environment.persistence.
  persistEnabled = config.environment.persistence ? "/persist";

  # Empty on ordinary hosts, "/persist" on opt-in persistence hosts.
  hostKeyRoot = lib.optionalString persistEnabled "/persist";
in {
  imports = [inputs.sops-nix.nixosModules.sops];

  sops = {
    defaultSopsFile = sopsYaml;

    # NOTE(review): this turns off sops-nix's evaluation-time check of the
    # sops file, so a missing or malformed secrets.yaml is only noticed when
    # the system activates. Confirm it is still required for this setup.
    validateSopsFiles = false;

    # The host's ed25519 SSH key is used as the age identity for decryption,
    # so anyone who can read this key can decrypt every secret encrypted for
    # the host. On persistence hosts it is read directly from /persist
    # (presumably because /etc/ssh is not yet populated when secrets are
    # decrypted - verify against the persistence config).
    age.sshKeyPaths = ["${hostKeyRoot}/etc/ssh/ssh_host_ed25519_key"];

    # Decrypted before user accounts are created so that it can feed user
    # setup. NOTE(review): presumably consumed through a hashedPasswordFile
    # option elsewhere; if so the stored value must be a password hash, not
    # the plaintext password - confirm.
    secrets."passwords/root".neededForUsers = true;

    # Private deploy key exposed at a fixed path. No owner or mode is set
    # here, so the sops-nix defaults apply (root-owned, 0400) - confirm that
    # matches whatever reads the key.
    secrets."ssh_keys/deploy_key/id_ed25519".path = "/etc/ssh/deploy_key-ssh-ed25519";
  };
}