{
  inputs,
  config,
  lib,
  pkgs,
  ...
}:
let
  homeKeys =
    if pkgs.stdenv.isDarwin then
      "/Users/${config.home.username}/Library/Application Support/sops/age/keys.txt"
    else
      "/home/${config.home.username}/.config/sops/age/keys.txt";
in
{
  home.ensureDirs."${builtins.dirOf homeKeys}".mode = "0700";
  sops = {
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    # deliberately not setting `defaultSopsFile` because there is no clear file-hostname-mapping. Each separate home config has to configure this explicitly.
  };
}