# NixOS module: opt-in sops-nix secret decryption behind `system.sops.enable`.
{ pkgs, config, lib, inputs, ... }:
let
  inherit (lib) mkEnableOption mkIf;
  cfg = config.system.sops;
in
{
  imports = [ inputs.sops-nix.nixosModules.sops ];

  options.system.sops.enable = mkEnableOption "enables sops";

  config = mkIf cfg.enable {
    # Path literal: this file is copied into the world-readable Nix store,
    # so every value in it must stay sops-encrypted; never commit plaintext.
    sops.defaultSopsFile = ../../../secrets/secrets.yaml;
    sops.defaultSopsFormat = "yaml";

    # Written as a string (not a path literal) so the private age key is
    # referenced in place and never imported into the Nix store.
    # NOTE(review): nothing in this module creates or protects this file;
    # it should be provisioned out of band, owned by root and not readable
    # by other users.
    sops.age.keyFile = "/etc/sops/keys.txt";

    # neededForUsers makes sops-nix decrypt this secret before user accounts
    # are created, into a separate root-only secrets directory, so the key
    # file above must already be readable at that point of activation.
    # NOTE(review): presumably consumed by a user's hashedPasswordFile; if
    # so, the stored value should be a password hash, not the plaintext.
    sops.secrets.blake_passwd = {
      owner = "root";
      group = "root";
      neededForUsers = true;
    };
  };
}