{
  lib,
  config,
  pkgs,
  ...
}:
{
  sops = {
    age.keyFile = "/Users/os/Library/Application Support/sops/age/keys.txt";
    age.sshKeyPaths = lib.mkForce [ ]; # no host keys
    gnupg.sshKeyPaths = lib.mkForce [ ]; # no host keys
    defaultSopsFile = lib.mkDefault ./secrets.yaml;
    defaultSopsFormat = "yaml"; # is the default. ini had some template rendering issues in practice
  };
}