{
  sops = {
    defaultSopsFile = ../keys/production.yaml;

    secrets = {
      # Heisenbridge
      "heisenbridge/as-token" = {};
      "heisenbridge/hs-token" = {};

      # Nextcloud
      "nextcloud/tlater" = {
        owner = "nextcloud";
        group = "nextcloud";
      };

      # Restic
      "restic/local-backups" = {
        owner = "root";
        group = "backup";
        mode = "0440";
      };

      # Steam
      "steam/tlater" = {};

      # Turn
      "turn/env" = {};
      "turn/secret" = {
        owner = "turnserver";
      };
      "turn/ssl-key" = {
        owner = "turnserver";
      };
      "turn/ssl-cert" = {
        owner = "turnserver";
      };

      # Wireguard
      "wireguard/server-key" = {
        owner = "root";
        group = "systemd-network";
        mode = "0440";
      };
    };
  };
}