# NixOS module for host "sarien": enables sops-nix and declares which encrypted
# secrets are decrypted on this machine, where they appear, and who may read them.
{ config, inputs, ... }:
let
  # Flake input that holds the sops-encrypted YAML files.
  secretsRepo = inputs.mysecrets;

  # TODO: stop relying on networking.hostName
  hostname = "sarien";

  # Host-specific secrets file. Entries that `inherit sopsFile` are read from
  # here; every other entry falls back to `sops.defaultSopsFile`.
  sopsFile = "${secretsRepo}/hosts/${hostname}.yaml";

  # Secret exposed at `path`, owned by "user" and readable by that owner only.
  # sops-nix symlinks `path` to the decrypted file; the plaintext is not
  # written to the target location itself.
  forUser = path: {
    inherit path;
    mode = "0400";
    owner = "user";
  };

  # Same as `forUser`, but the value is looked up in the host-specific file.
  forUserFromHostFile = path: { inherit sopsFile; } // forUser path;
in
{
  imports = [ inputs.sops-nix.nixosModules.sops ];

  sops = {
    defaultSopsFile = "${secretsRepo}/common.yaml";

    age = {
      # The host's ed25519 SSH key doubles as an age decryption identity, so
      # whoever can read it (root, or a backup that includes /etc/ssh) can
      # decrypt every secret encrypted to this host.
      sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

      # Dedicated age key. With `generateKey = true` sops-nix creates it when
      # the file is missing. A freshly generated key decrypts nothing until its
      # public key is added as a recipient and the secret files are re-encrypted.
      keyFile = "/var/lib/sops-nix/key.txt";
      generateKey = true;
    };

    secrets = {
      # Decrypted before user accounts are created, so it can back a
      # hashed-password option (the consumer is not part of this module).
      "user-password-hashed".neededForUsers = true;

      # SSH client configuration, from the common secrets file.
      "ssh-config" = forUser "/home/user/.ssh/config";

      # Host-specific key pair, from hosts/<hostname>.yaml.
      "ssh-${hostname}-user" = forUserFromHostFile "/home/user/.ssh/id_ed25519";
      "ssh-${hostname}-user.pub" = forUserFromHostFile "/home/user/.ssh/id_ed25519.pub";

      # Key pairs shared across hosts, from the common secrets file.
      "ssh-unexplrd" = forUser "/home/user/.ssh/id_unexplrd_ed25519";
      "ssh-unexplrd.pub" = forUser "/home/user/.ssh/id_unexplrd_ed25519.pub";
      "ssh-uni" = forUser "/home/user/.ssh/id_uni_ed25519";
      "ssh-uni.pub" = forUser "/home/user/.ssh/id_uni_ed25519.pub";
    };
  };
}