{
  sops = {
    defaultSopsFile = ../../secrets/secrets.yaml;
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    secrets.password.neededForUsers = true;
  };

  security.sudo.wheelNeedsPassword = false;
}