# NixOS module wiring sops-nix into the host: it installs the sops CLI, points
# sops-nix at ./secrets.yaml, and declares each secret together with the
# account that is allowed to read the decrypted file.
{ config, inputs, lib, pkgs, ... }:
let
  inherit (lib) concatMapAttrs genAttrs optionalAttrs;

  # Secret names grouped by owning account. The "" key marks secrets that get
  # no explicit owner and so keep the sops-nix default (root, as far as
  # sops-nix documents it).
  # Owner keys are taken from the service options, so each secret follows the
  # account its service runs as instead of a hard-coded name.
  secretsByOwner = {
    "" = [
      # Cloudflared
      "cloudflared/tunnel_env"
    ];

    # Anubis
    ${config.services.anubis.defaultOptions.user} = [
      "anubis/forgejo/hex_file"
      "anubis/medama/hex_file"
    ];

    # Forgejo
    ${config.services.forgejo.user} = [
      "forgejo/actions/token"
      "forgejo/git_password"
      "forgejo/s3/key"
      "forgejo/s3/secret"
    ];

    # Garage
    "garage" = [
      "garage/admin_key"
      "garage/admin_secret"
      "garage/admin_token"
      "garage/metrics_token"
      "garage/rpc_secret"
    ];

    # keikos.work
    ${config.services.keikos.web.user} = [
      "keiko/env_file"
    ];

    # Nextcloud
    ${config.services.phpfpm.pools.nextcloud.user} = [
      "nextcloud/adminpass"
      "nextcloud/s3/secret"
      "nextcloud/s3/sseC"
    ];

    # Users
    # NOTE(review): if this secret feeds users.users.guz.hashedPasswordFile,
    # sops-nix expects `neededForUsers = true` on it so that it is decrypted
    # before accounts are created. This module does not set that; confirm
    # against the consumer.
    ${config.users.users."guz".name} = [
      "guz/password"
    ];
  };

  # Build the sops.secrets entries for one owner: every listed name maps to
  # `{ owner = ...; }`, or to `{ }` when the owner key is the empty string.
  secretsOwnedBy = owner: names:
    genAttrs names (_: optionalAttrs (owner != "") { inherit owner; });
in
{
  imports = [ inputs.sops-nix.nixosModules.sops ];

  environment.systemPackages = [ pkgs.sops ];

  sops.defaultSopsFile = ./secrets.yaml;
  sops.defaultSopsFormat = "yaml";

  sops.secrets = concatMapAttrs secretsOwnedBy secretsByOwner;

  # NOTE(review): the age identity that decrypts every secret above lives in
  # the home directory of the interactive user "guz". Anything able to read
  # that file as guz can decrypt all of secrets.yaml, which bypasses the
  # per-service ownership declared here. Consider a root-only path or a key
  # derived from the host SSH key (sops.age.sshKeyPaths), and check the file
  # mode on the deployed host.
  sops.age.keyFile = "/home/guz/.config/sops/age/keys.txt";
}