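{ sops, instanceConfigs, writeScriptBin, writeText, lib, ... }:
# Builds the repository's `.sops.yaml` from the `sopsKey` attributes of
# `instanceConfigs` and returns the store path of the generated file
# (emitted as JSON, which sops reads as YAML).
#
# `sops` and `writeScriptBin` are not used here; they stay in the argument
# set so existing callers keep working.
#
# Two defects of the previous version are fixed:
#  * sops treats `path_regex` as an unanchored search and applies the FIRST
#    matching rule, so the generic `secrets/...` rule also matched
#    `instances/<host>/secrets/...` and encrypted per-instance secrets to
#    every host key.  All patterns are now anchored with `^` and the
#    most specific rules come first.
#  * Nix drops the backslash of unknown escapes in double-quoted strings,
#    so `\.` reached sops as `.` (any character).  The pattern now uses
#    `\\.` to produce a literal `\.`.
with lib;
let
  # Keys that may decrypt every secret in the repository.
  adminKeys = [
    "0D98D5964AC8BB1CA034CE4EC456133700066642" # xyno main gpg key
  ];

  # host name -> list of PGP fingerprints.  `sopsKey` may be given as a
  # single fingerprint or as a list; `toList` normalises both forms.
  keysPerHost = mapAttrs (_: v: toList v.sopsKey)
    (filterAttrs (_: v: v ? sopsKey) instanceConfigs);

  # Hosts whose keys may decrypt the shared desktop secrets.
  desktopHostNames = [ "theseus" ];

  # Every host key, and the subset belonging to desktop hosts.
  hostKeys = flatten (attrValues keysPerHost);
  desktopKeys = flatten (attrValues
    (filterAttrs (n: _: elem n desktopHostNames) keysPerHost));

  # Regex fragment matching one secret file name (no path separators).
  # `\\.` in Nix source yields the literal `\.` that the regex needs.
  secretFile = "[^/]+\\.(yaml|json|env|ini)$";

  # One rule per instance: admin keys plus that instance's own key(s) only.
  instanceRules = mapAttrsToList (n: keys: {
    path_regex = "^instances/${n}/secrets/${secretFile}";
    key_groups = [ { pgp = adminKeys ++ keys; } ];
  }) keysPerHost;

  sopsCfg = {
    keys = adminKeys ++ hostKeys;
    # Most specific first: per-instance, then desktop, then the shared rule.
    creation_rules = instanceRules ++ [
      {
        path_regex = "^secrets/desktop/${secretFile}";
        key_groups = [ { pgp = adminKeys ++ desktopKeys; } ];
      }
      {
        path_regex = "^secrets/${secretFile}";
        key_groups = [ { pgp = adminKeys ++ hostKeys; } ];
      }
    ];
  };

  sopsCfgFile = writeText ".sops.yaml" (builtins.toJSON sopsCfg);
in
sopsCfgFile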