{
  inputs,
  username,
  ...
}:
let
  secretsPath = builtins.toString inputs.mysecrets;
in
{
  sops = {
    defaultSopsFile = "${secretsPath}/secrets.yaml";
    age = {
      sshKeyPaths = [
        "/etc/ssh/ssh_host_ed25519_key"
      ];
      keyFile = "/var/lib/sops-nix/key.txt";
      generateKey = true;
    };

    secrets = {
      "ldap_password/beastie" = {
      };
      "users_password/beastie" = {
        neededForUsers = true;
      };
      "ssh_keys/default_pub" = {
        owner = "${username}";
        mode = "0644";
        path = "/home/${username}/.ssh/id_ed25519.pub";
      };
      "ssh_keys/default_priv" = {
        owner = "${username}";
        mode = "0600";
        path = "/home/${username}/.ssh/id_ed25519";
      };
      "ssh_keys/ansible_pub" = {
        owner = "${username}";
        mode = "0644";
        path = "/home/${username}/.ssh/id_ed25519_ansible.pub";
      };
      "ssh_keys/ansible_priv" = {
        owner = "${username}";
        mode = "0600";
        path = "/home/${username}/.ssh/id_ed25519_ansible";
      };
      "ssh_keys/beastie_pub" = {
        owner = "${username}";
        mode = "0644";
        path = "/home/${username}/.ssh/id_ed25519_beastie.pub";
      };
      "ssh_keys/beastie_priv" = {
        owner = "${username}";
        mode = "0600";
        path = "/home/${username}/.ssh/id_ed25519_beastie";
      };
      "ssh_keys/gitea_semaphore_pub" = {
        owner = "${username}";
        mode = "0644";
        path = "/home/${username}/.ssh/id_ed25519_gitea_semaphore.pub";
      };
      "ssh_keys/gitea_semaphore_priv" = {
        owner = "${username}";
        mode = "0600";
        path = "/home/${username}/.ssh/id_ed25519_gitea_semaphore";
      };
    };
  };
}