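# NixOS module: sops-nix integration, enabled by default via `custom.sops.enable`.
#
# Secrets in ../hosts/secrets.yaml are decrypted with an age identity taken
# from the user's SSH ed25519 key (sops-nix's `age.sshKeyPaths`) and/or an
# age key file, both resolved relative to the home directory computed below.
# Because those files are read by the activation script, their location and
# on-disk permissions are the trust boundary for every secret in that file.
{ config, lib, pkgs, user, ... }:
let
  # NOTE(review): `config.hm` is not a stock NixOS option; presumably a
  # project-level alias for the user's home-manager configuration — confirm.
  home-dir = config.hm.home.homeDirectory;
in
{
  # Same option as `mkEnableOption "sops"` but defaulting to enabled.
  options.custom.sops.enable = lib.mkEnableOption "sops" // { default = true; };

  config = lib.mkIf config.custom.sops.enable {
    # Explicit `pkgs.` reference instead of `with pkgs;` so the source of the
    # name is unambiguous.
    environment.systemPackages = [ pkgs.sops ];

    sops = {
      defaultSopsFile = ../hosts/secrets.yaml;
      defaultSopsFormat = "yaml";

      # No GnuPG-backed keys are imported; only the age identities below apply.
      gnupg.sshKeyPaths = [ ];

      age = {
        # Full (absolute) paths are required here: the sops-nix secrets
        # activation script runs at the start of stage 2 boot, before
        # impermanence has run, so these must resolve to the persisted
        # location at that moment (the original note's reason for "full path").
        sshKeyPaths = [ "${home-dir}/.ssh/id_ed25519" ];
        keyFile = "${home-dir}/.config/sops/age/keys.txt";
        # Do not create a key on the fly when keyFile is missing: a freshly
        # generated identity would not be a recipient of the existing secrets,
        # so a missing key file should surface as a decryption error rather
        # than be papered over by a new, unusable key.
        generateKey = false;
      };
    };
  };
}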