{config, ...}: {
  security.doas = {
    enable = true;
    extraRules = [
      {
        groups = ["wheel"];
        persist = true;
      }
      {
        groups = ["wheel"];
        noPass = true;
        cmd = "journalctl";
      }
    ];
  };
  security.polkit.enable = true;
  services.physlock = {
    enable = true;
    allowAnyUser = true;
  };
  sops.defaultSopsFile = ../secrets/secrets.yaml;
  sops.defaultSopsFormat = "yaml";
  sops.age.keyFile = "/home/ahnwuoa/.config/sops/age/keys.txt";
  sops.secrets = {
    passwd = {};
    root-passwd = {};
    pool-credentials = {
      uid = 1000;
    };
    porkbun-credentials = {};
  };
  users.users.root.hashedPasswordFile = config.sops.secrets.root-passwd.path;
}