{
  config,
  lib,
  pkgs,
  ...
}: {
  # SOPS configuration
  sops = {
    age.keyFile = "/run/keys/age.key";
    defaultSopsFile = ./secrets.yaml;

    # Define secrets that all systems need
    secrets = {
      # SSH keys
      # "ssh/plasmagoat_private_key" = {
      #   owner = "plasmagoat";
      #   mode = "0600";
      #   path = "/home/plasmagoat/.ssh/id_rsa";
      # };

      # # Age key for the system
      # "age/system_key" = {
      #   mode = "0600";
      #   path = "/run/keys/age.key";
      # };

      # # Backup credentials
      # "backup/restic_password" = {
      #   path = "/etc/backup/restic-password";
      #   mode = "0600";
      # };
    };
  };

  # Deployment keys for colmena
  deployment.keys = {
    "age.key" = {
      destDir = "/run/keys";
      keyFile = "/home/plasmagoat/.config/age/age.key"; # Your local age key
    };
  };
}