{
  config,
  pkgs,
  outputs,
  ...
}:

{
  imports = [
    outputs.nixosModules.sops
  ];

  sops = {
    defaultSopsFile = ../secrets.yaml;
    # age.keyFile is not set, sops-nix defaults to using /etc/ssh/ssh_host_ed25519_key
    secrets = {
      "forgejo-runner/token" = { };
      "tailscale/auth-key" = { };
    };
  };
}