# NixOS module: tells sops-nix where the encrypted secrets live and where the
# age key that decrypts them is expected on the target machine.
{ config, lib, ... }:
{
  sops = {
    # sops-nix reads secrets from YAML files in the secrets directory; this is
    # the default one, resolved relative to this module. You will create it
    # later. Being a Nix path literal, the file is copied into the Nix store
    # (readable by every local user), so it must only ever hold
    # sops-encrypted values, never plaintext.
    defaultSopsFile = ../secrets/secrets.yaml;

    # Where the age private key lives on target machines. Kept as a string on
    # purpose: a path literal here would copy the private key into the store.
    # NOTE(review): nothing in this module creates the key itself, so it
    # presumably has to be provisioned out of band (confirm against the
    # deployment procedure) and should stay readable by root only.
    age.keyFile = "/var/lib/sops-nix/key.txt";
  };

  # Dedicated directory for the key material: created if missing with mode
  # 0700, owner root, group root, and no age-based cleanup.
  systemd.tmpfiles.rules = [
    "d /var/lib/sops-nix 0700 root root - -"
  ];
}