# Defines the `base` NixOS module: imports sops-nix, points it at the
# repository's encrypted secrets file, and selects the key used to decrypt.
{ inputs, ... }:
{
  flake.modules.nixos.base =
    { config, lib, ... }:
    {
      imports = [ inputs.sops-nix.nixosModules.sops ];

      # Encrypted secrets file, resolved relative to this file.
      sops.defaultSopsFile = ./secrets.yaml;

      # Decrypt with the host's ed25519 SSH key, read from the persist
      # directory rather than from `/etc/host/` directly: with the direct path,
      # secrets marked `neededForUsers` are not loaded correctly.
      # NOTE(review): `/etc/host/` is the author's wording; presumably the
      # host key location under /etc is meant. Confirm.
      sops.age.sshKeyPaths = [
        "${config.infra.persist.dir}/etc/ssh/ssh_host_ed25519_key"
      ];

      # Applies only to the VM variant of this configuration.
      virtualisation.vmVariant = {
        # Share the age key directory of the host (the author's development
        # machine) into the guest so that the VM can decrypt the secrets.
        #
        # Security caveat: the whole key directory is exposed to the guest, so
        # anything running in the VM that can read the mount can read the
        # developer's private age key. Keep this to local development VMs.
        #
        # TODO: Rework this to use the host SSH key instead.
        virtualisation.sharedDirectories.host-age.source = "/home/vkcku/.config/sops/age";
        virtualisation.sharedDirectories.host-age.target = "/run/sops/age";

        # mkForce so that the shared key file takes priority over any other
        # definition of `sops.age.keyFile`. `sops.age.sshKeyPaths` from the
        # base configuration is not cleared here.
        sops.age.keyFile = lib.mkForce "/run/sops/age/keys.txt";
      };
    };
}