{
  sops = {
    defaultSopsFile = ../keys/production.yaml;

    secrets = {
      # Gitea
      "forgejo/metrics-token" = {
        owner = "forgejo";
        group = "metrics";
        mode = "0440";
      };

      # Grafana
      "grafana/adminPassword" = {
        owner = "grafana";
        group = "grafana";
      };
      "grafana/secretKey" = {
        owner = "grafana";
        group = "grafana";
      };

      # Heisenbridge
      "heisenbridge/as-token" = {};
      "heisenbridge/hs-token" = {};

      # Nextcloud
      "nextcloud/tlater" = {
        owner = "nextcloud";
        group = "nextcloud";
      };

      # Restic
      "restic/local-backups" = {
        owner = "root";
        group = "backup";
        mode = "0440";
      };

      # Steam
      "steam/tlater" = {};

      # Turn
      "turn/env" = {};
      "turn/secret" = {
        owner = "turnserver";
      };
      "turn/ssl-key" = {
        owner = "turnserver";
      };
      "turn/ssl-cert" = {
        owner = "turnserver";
      };

      # Wireguard
      "wireguard/server-key" = {
        owner = "root";
        group = "systemd-network";
        mode = "0440";
      };
    };
  };
}