{ config, inputs, lib, pkgs, ... }:
let
  # Secrets grouped by the local account that must be able to read the
  # decrypted file. The empty-string group carries no explicit owner, so
  # those entries fall back to sops-nix's default owner (root).
  secretsByOwner = {
    "" = [
      # Cloudflared
      "cloudflared/tunnel_env"
    ];

    # Anubis
    ${config.services.anubis.defaultOptions.user} = [
      "anubis/gitea/hex_file"
      "anubis/peertube/hex_file"
      "anubis/medama/hex_file"
    ];

    # Garage
    "garage" = [
      "garage/admin_key"
      "garage/admin_secret"
      "garage/admin_token"
      "garage/metrics_token"
      "garage/rpc_secret"
    ];

    # Gitea
    ${config.services.gitea.user} = [
      "gitea/actions/token"
      "gitea/oauth2/jwt_secret"
      "gitea/security/internal_token"
      "gitea/security/secret_key"
      "gitea/server/lfs_jwt_secret"
      "gitea/storage/access_key_id"
      "gitea/storage/secret_access_key"
    ];

    # keikos.work
    ${config.services.keikos.web.user} = [
      "keiko/env_file"
    ];

    # Peertube
    ${config.services.peertube.user} = [
      "peertube/database/password"
      "peertube/environment"
      "peertube/secretsFile"
    ];

    # PostgreSQL
    ${config.users.users.postgres.name} = [
      "postgresql/initialScript"
    ];

    # Nextcloud
    ${config.services.phpfpm.pools.nextcloud.user} = [
      "nextcloud/adminpass"
      "nextcloud/s3/secret"
      "nextcloud/s3/sseC"
    ];

    # Users
    ${config.users.users."guz".name} = [
      "guz/password"
    ];
  };

  # Build one sops.secrets entry per secret name. The owner attribute is
  # attached only when the group actually names one; the "" group yields
  # an empty attrset so the module defaults apply unchanged.
  entriesFor = owner: names:
    lib.genAttrs names (_: lib.optionalAttrs (owner != "") { inherit owner; });

  # Merge all groups into a single attrset. Groups are visited in attribute
  # name order and a later group silently wins on a duplicate secret name,
  # which matches how lib.concatMapAttrs folds its results.
  allSecrets = lib.foldl' (acc: group: acc // group) { }
    (lib.mapAttrsToList entriesFor secretsByOwner);
in
{
  imports = [ inputs.sops-nix.nixosModules.sops ];

  environment.systemPackages = [ pkgs.sops ];

  # The encrypted secrets file sits next to this module; it is safe to ship
  # alongside the configuration only because it holds ciphertext.
  sops.defaultSopsFile = ./secrets.yaml;
  sops.defaultSopsFormat = "yaml";

  sops.secrets = allSecrets;

  # NOTE(review): the host's age decryption key is read from a user's home
  # directory. That account can presumably read and replace the key, and the
  # path must exist when activation runs; a root-only location or
  # sops.age.sshKeyPaths are the usual alternatives — confirm this is intended.
  sops.age.keyFile = "/home/guz/.config/sops/age/keys.txt";
}