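{ config, pkgs, lib, ... }:

let
  # Pinned sops-nix revision.  Bump the commit and the sha256 together; the
  # hash belongs to exactly this commit's archive.
  sopsNixCommit = "17eea6f3816ba6568b8c81db8a4e6ca438b30b7c";
  sopsNixSha256 = "ktjWTq+D5MTXQcL9N6cDZXUf9kX8JBLLBLT0ZyOTSYY=";

  # Single encrypted source for every secret declared below.  Referencing a
  # relative path copies secrets.yaml into the nix store (the file stays
  # sops-encrypted, but the store copy is readable by any local user).  Use
  # an absolute path string to keep it out of the store, i.e.
  #   sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
  secretsFile = ../../secrets/mail/secrets.yaml;

  # Build one text secret read from the YAML file above.
  # mode: octal permission string applied to the decrypted file.
  mkYamlSecret = mode: {
    format = "yaml";
    sopsFile = secretsFile;
    owner = "root";
    inherit mode;
  };
in
{
  imports = [
    "${builtins.fetchTarball {
      url = "https://github.com/Mic92/sops-nix/archive/${sopsNixCommit}.tar.gz";
      sha256 = sopsNixSha256;
    }}/modules/sops"
  ];

  sops.defaultSopsFile = secretsFile;

  # Alternative: derive the age key from a host SSH key instead of a key file.
  #sops.age.sshKeyPaths = ["/home/nixosdd/.ssh/id_ed25519"];

  # Age private key expected to already exist on the host ...
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  # ... and generated if it is missing.  A freshly generated key cannot
  # decrypt secrets that were encrypted for the original one, so a lost
  # key.txt surfaces as decryption failures, not as a silent recovery.
  sops.age.generateKey = true;

  # Mail secrets exported as text files (also reachable via .path).
  # The passwords are readable by root only.
  sops.secrets."admin-password" = mkYamlSecret "0400";
  sops.secrets."board-member-password" = mkYamlSecret "0400";

  # NOTE(review): 0444 makes the decrypted Cloudflare API token readable by
  # every local user.  Kept as-is because the consuming service is not
  # visible here; if a specific service account reads it, prefer
  # owner/group = that account with mode "0440" — confirm against the
  # consumer before tightening.
  sops.secrets."cloudflare-dns-token" = mkYamlSecret "0444";
  sops.secrets."cloudflare-username" = mkYamlSecret "0444";
}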