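# sops-nix key configuration shared by every home-manager config.
#
# Key material handling:
#   * `homeKeys` is the per-user age identity file. sops-nix reads it directly,
#     so it must be an unencrypted identity (no passphrase); protect it with
#     filesystem permissions instead.
#   * Only the directory mode (0700) is managed here. The identity file itself
#     is provisioned out of band and should be 0600 — it is deliberately never
#     placed in the (world-readable) Nix store.
#
# `inputs` is unused here; it is kept so the module signature matches the rest
# of the configuration.
{ inputs, config, lib, pkgs, ... }:
let
  # Platform-specific location of the user's age identity file.
  homeKeys =
    if pkgs.stdenv.isDarwin
    then "/Users/${config.home.username}/Library/Application Support/sops/age/keys.txt"
    else "/home/${config.home.username}/.config/sops/age/keys.txt";
in
lib.mkMerge [
  {
    # Keep the key directory private to the owning user.
    home.ensureDirs."${builtins.dirOf homeKeys}".mode = "0700";

    # Default identity file on every platform. Previously this was the
    # hard-coded path "/home/user/.age-key.txt" (wrong for any username other
    # than "user") and it collided with the Darwin-only definition below,
    # giving two conflicting values for `sops.age.keyFile`. `mkDefault` lets a
    # host-specific home config override it without a merge conflict.
    sops.age.keyFile = lib.mkDefault homeKeys;

    # `defaultSopsFile` is deliberately left unset: there is no unambiguous
    # file-to-host mapping, so each home config must set it explicitly.
  }

  # Linux: assume an OpenSSH server whose ed25519 host key can be used for
  # decryption, mirroring the NixOS module. The age identity in `homeKeys` is
  # then only needed for the private admin key.
  # NOTE(review): the host key is normally root-only (0600); the user-level
  # sops-nix activation can only use it if it has read access — confirm on the
  # target hosts.
  (lib.mkIf pkgs.stdenv.isLinux {
    sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  })

  # Darwin: no SSH server and no host key, so the age identity in `homeKeys`
  # is used for both encryption and decryption. Same value as the default
  # above, so this never conflicts with it.
  (lib.mkIf pkgs.stdenv.isDarwin {
    sops.age.keyFile = homeKeys;
  })
]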