# sops-nix secret declarations, grouped by the module set they are attached to
# (universal, aspartame, sucrose, glucose, fructose, personal).
#
# Conventions used throughout:
#   * `<name> = { };` under sops.secrets declares a secret with sops-nix
#     defaults: it is looked up under the same name in sops.defaultSopsFile.
#   * sops.templates.<file>.content holds `placeholder.<name>` tokens, which
#     sops-nix swaps for the decrypted values when it renders the file on the
#     target host, so this file never contains plaintext.
#   * No template sets owner/mode/path, so the sops-nix defaults apply to every
#     rendered file.
#   * Template names end in ".env.secrets.yaml" but the content is KEY=VALUE
#     env-file lines, not YAML.
#
# NOTE(review): some templates quote their values (COUCHDB_*, MURMUR_*,
# WEBPASSWORD, the NetworkManager ones) while GTS_DB_PASSWORD, TOKEN and
# POSTGRES_PASSWORD do not. Whether the quotes are stripped or become part of
# the value depends on what reads each file, which is not visible here;
# confirm against each consumer.
{ sops-nix, ... }:
{
  universal = {
    modules = [
      sops-nix.nixosModules.sops

      {
        sops = {
          defaultSopsFile = ./secrets.yaml;
          defaultSopsFormat = "yaml";

          # sync ~/.ssh/sops out-of-band
          # ssh-to-age -private-key -i ~/.ssh/sops > ~/.config/sops/age/keys.txt
          #
          # This file is the age identity sops-nix decrypts with. Anything that
          # can read it (or the ~/.ssh/sops key it is derived from) can decrypt
          # every value in secrets.yaml encrypted to that recipient, so keep
          # both owner-only (0600).
          # NOTE(review): if the same key is synced to every host, each host
          # can decrypt the whole file, not only the secrets declared for it.
          # Per-host recipients would narrow that; confirm the intended model.
          age.keyFile = "/home/emv/.config/sops/age/keys.txt";
        };
      }

      # Each host pulls its own WireGuard key out of a per-hostname map in the
      # sops file.
      (
        { config, ... }:
        let
          host = config.networking.hostName;
        in
        {
          sops.secrets.wireguard-private-key.key = "wireguard-private-keys/${host}";
        }
      )

      {
        sops.secrets.remote-build-ssh-privkey = { };
      }
    ];

    # Home-manager side: only installs the CLI tools used to manage secrets.
    home_modules = [
      (
        { pkgs, ... }:
        {
          home.packages = [
            pkgs.sops
            pkgs.age
          ];
        }
      )
    ];
  };

  aspartame.modules = [
    (
      { config, ... }:
      let
        inherit (config.sops) placeholder;
      in
      {
        sops = {
          secrets.gts_db_pass = { };
          templates."gts.env.secrets.yaml".content = ''
            GTS_DB_PASSWORD=${placeholder.gts_db_pass}
          '';
        };
      }
    )
  ];

  sucrose.modules = [
    (
      { config, ... }:
      let
        inherit (config.sops) placeholder;
        host = config.networking.hostName;
      in
      {
        # Both runner tokens are declared on every host that imports this
        # module, but only the one matching the hostname is rendered below.
        # NOTE(review): this means each host also decrypts the other host's
        # token. Declaring just "forgejo_runner_${host}_token" would keep each
        # token on its own host, provided nothing else references the other
        # secret; confirm before changing.
        sops.secrets = {
          forgejo_runner_glucose_token = { };
          forgejo_runner_fructose_token = { };
        };

        # fuck it, i'll do it like this
        # (the lookup only resolves for hostnames that have a token declared
        # above, i.e. "glucose" or "fructose")
        sops.templates."forgejo_runner.env.secrets.yaml".content = ''
          TOKEN=${placeholder."forgejo_runner_${host}_token"}
        '';
      }
    )
  ];

  glucose.modules = [
    {
      sops.secrets.binary_cache_secret = { };
    }

    (
      { config, ... }:
      let
        inherit (config.sops) placeholder;
      in
      {
        sops = {
          secrets = {
            couchdb_admin_pass = { };
            couchdb_admin_account = { };
          };
          templates."couchdb.env.secrets.yaml".content = ''
            COUCHDB_PASSWORD="${placeholder.couchdb_admin_pass}"
            COUCHDB_USER="${placeholder.couchdb_admin_account}"
          '';
        };
      }
    )

    (
      { config, ... }:
      let
        inherit (config.sops) placeholder;
      in
      {
        sops = {
          secrets = {
            murmur_login_password = { };
            murmur_welcome_message = { };
          };
          # NOTE(review): the welcome message is free text inside a quoted
          # env value; a double quote or newline in it could break the line,
          # depending on the parser. Confirm against the consumer.
          templates."murmur.env.secrets.yaml".content = ''
            MURMUR_LOGIN_PASSWORD="${placeholder.murmur_login_password}"
            MURMUR_WELCOME_MESSAGE="${placeholder.murmur_welcome_message}"
          '';
        };
      }
    )
  ];

  fructose.modules = [
    (
      { config, ... }:
      let
        inherit (config.sops) placeholder;
      in
      {
        sops = {
          secrets.pihole_webpassword = { };
          templates."pihole.env.secrets.yaml".content = ''
            WEBPASSWORD="${placeholder.pihole_webpassword}"
          '';
        };
      }
    )

    (
      { config, ... }:
      let
        inherit (config.sops) placeholder;
      in
      {
        sops = {
          secrets = {
            postgresdb_admin_password = { };
            # Declared here but not used in the template below; presumably
            # consumed elsewhere via its secret path. Verify.
            forgejo_db_pass = { };
          };
          templates."postgresdb.env.secrets.yaml".content = ''
            POSTGRES_PASSWORD=${placeholder.postgresdb_admin_password}
          '';
        };
      }
    )
  ];

  personal.modules = [
    (
      { config, ... }:
      let
        inherit (config.sops) placeholder;
      in
      {
        sops = {
          # Wi-Fi network names and pre-shared keys for three profiles.
          secrets = {
            home1_ssid = { };
            home1_psk = { };
            home2_ssid = { };
            home2_psk = { };
            phone_ssid = { };
            phone_psk = { };
          };
          templates."networkmanager.env.secrets.yaml".content = ''
            HOME1_SSID="${placeholder.home1_ssid}"
            HOME2_SSID="${placeholder.home2_ssid}"
            PHONE_HOTSPOT_SSID="${placeholder.phone_ssid}"
            HOME1_PSK="${placeholder.home1_psk}"
            HOME2_PSK="${placeholder.home2_psk}"
            PHONE_HOTSPOT_PSK="${placeholder.phone_psk}"
          '';
        };
      }
    )
  ];
}