# Nix daemon/client settings plus the sops-nix secrets they depend on:
# a GitHub access token and the password for the private binary cache.
{ config, inputs, lib, ... }:
let
  # Both secrets are decrypted from the same sops file in the `secrets` input.
  personalSecrets = "${inputs.secrets}/domains/personal/secrets.yaml";
in
{
  sops.secrets."git/credentials/github.com/tokens/public".sopsFile = personalSecrets;
  sops.secrets."nix/cache/nix.karaolidis.com".sopsFile = personalSecrets;

  # Rendered templates hold the cleartext secrets. The Nix expression only
  # carries sops placeholders; sops-nix fills them in when it renders the file.
  # Mode 0440 with group "users" means every member of that group can read
  # the GitHub token.
  sops.templates.nix-access-tokens = {
    group = "users";
    mode = "0440";
    content = '' access-tokens = github.com=${config.sops.placeholder."git/credentials/github.com/tokens/public"} '';
  };

  # Same exposure as above, for the binary-cache password.
  # NOTE(review): if only the nix daemon fetches from this cache, the netrc
  # may not need to be group-readable; confirm before tightening.
  sops.templates.nix-netrc = {
    group = "users";
    mode = "0440";
    content = '' machine nix.karaolidis.com password ${config.sops.placeholder."nix/cache/nix.karaolidis.com"} '';
  };

  nix.channel.enable = false;
  nix.gc.automatic = true;
  nix.optimise.automatic = true;
  nix.registry.self.flake = inputs.self;

  # The token is pulled in through an include so it stays out of the generated
  # nix.conf itself. `!include` (unlike `include`) does not error when the
  # file is missing.
  nix.extraOptions = '' !include ${config.sops.templates.nix-access-tokens.path} '';

  nix.settings = {
    experimental-features = [ "nix-command" "flakes" ];
    use-xdg-base-directories = true;
    download-buffer-size = 524288000; # 500 MiB

    # Per the Nix manual, a trusted user is essentially root-equivalent:
    # it can add substituters and bypass signature checks. This grants that
    # to the whole wheel group.
    trusted-users = lib.mkAfter [ "@wheel" ];

    # mkBefore places the private cache and its signing key ahead of entries
    # contributed by other modules.
    substituters = lib.mkBefore [ "https://nix.karaolidis.com/main" ];
    trusted-public-keys = lib.mkBefore [ "main:nJVRBnv73MDkwuV5sgm52m4E2ImOhWHvY12qzjPegAk=" ];

    # Credentials for the private cache come from the rendered netrc template.
    netrc-file = config.sops.templates.nix-netrc.path;
  };
}