{
  config,
  pkgs,
  outputs,
  ...
}:

{
  imports = [
    outputs.nixosModules.sops
  ];

  sops = {
    defaultSopsFile = ../secrets.yaml;
    # age.keyFile is not set, sops-nix defaults to using /etc/ssh/ssh_host_ed25519_key

    # Secrets fuer Stufe-2-Services werden in deren eigenen Dateien definiert:
    # forgejo-runner/token -> forgejo-runner.nix
    # tailscale/auth-key   -> tailscale.nix (via Modul)
  };
}