diff --git a/modules/programs/sops.nix b/modules/programs/sops.nix
index 28e8c10..a0bb3c9 100644
--- a/modules/programs/sops.nix
+++ b/modules/programs/sops.nix
@@ -1,4 +1,4 @@
-{ inputs, ... }:
+{ self, inputs, ... }:
 let
 inputs' = inputs; # save a reference before it's shadowed in
@@ -16,16 +16,9 @@ in
 # Define the homeModules that are used by flake-parts
 # https://flake.parts/options/home-manager.html#opt-flake.modules.homeManager
- flake.modules.homeManager.mysops = { inputs, config, pkgs, lib, ... }:
+ flake.modules.homeManager.mysops = { config, pkgs, lib, ... }:
 let
 cfg = config.mysops;
- sopsBin = lib.getExe pkgs.sops;
- sopsConfigPath = ../../.sops.yaml;
- sopsSecretsPath = ../../keys/secrets.yaml;
-
- editScript = lib.optional (cfg.hostSecretFile != null) (pkgs.writeShellScriptBin "edit-secrets" ''
- ${sopsBin} --config ${sopsConfigPath} ${cfg.hostSecretFile}
- '');
 in
 {
 imports = [
@@ -34,11 +27,6 @@ in
 ];
 options.mysops = {
- ageKeyFile = lib.mkOption {
- description = "Default location for the age key";
- type = lib.types.str;
- default = "${config.xdg.configHome}/sops/age/keys.txt";
- };
 hostSecretFile = lib.mkOption {
 description = "Path to the secrets file for this host. Used to create the edit-secrets script";
 type = lib.types.nullOr lib.types.str;
@@ -47,50 +35,63 @@ in
 };
 config =
- let
- echo = lib.getExe' pkgs.coreutils "echo";
- dirname = lib.getExe' pkgs.coreutils "dirname";
- mkdir = lib.getExe' pkgs.coreutils "mkdir";
- show-age-key = (pkgs.writeShellScriptBin "show-age-key" ''
- ${lib.getExe' pkgs.age "age-keygen"} -y ${cfg.ageKeyFile}
- '');
- in
- {
- home.packages = with pkgs; [
- age
- sops # This is necessary to make the sops binary available
- ssh-to-age
- (writeShellScriptBin "gen-age-key" ''
- set -eu
+ let
+ my-sops = (inputs.self.wrappers.mySops.apply {
+ inherit pkgs;
+ sshKey = config.ssh.identityFile;
+ }).wrapper;
+ in
+ {
+ home.packages = with pkgs; [
+ my-sops
+ (inputs.wrappers.lib.wrapPackage {
+ binName = "ls-secrets";
+ inherit pkgs;
+ package = inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.my-eza;
+ args = [
+ "-T" "--follow-symlinks"
+ "${config.xdg.configHome}/sops-nix/secrets"
+ ];
+ })
+ (inputs.wrappers.lib.wrapPackage {
+ binName = "edit-secrets";
+ inherit pkgs;
+ package = my-sops;
+ args = [ cfg.hostSecretFile ];
+ })
+ ];
- if [ ! -f "${config.ssh.identityFile}" ]; then
- ${echo} "SSH identity file not found: ${config.ssh.identityFile}" >&2
- exit 1
- fi
+ # Option definitions for the sops home-manager module:
+ # https://github.com/Mic92/sops-nix/blob/master/modules/home-manager/sops.nix
+ sops = {
+ defaultSopsFile = ../../keys/secrets.yaml;
+ defaultSopsFormat = "yaml";
+ age.sshKeyPaths = [ "${config.ssh.identityFile}" ];
+ };
+ };
+ };
- if [ -e "${cfg.ageKeyFile}" ]; then
- ${echo} "Refusing to overwrite existing age key file: ${cfg.ageKeyFile}" >&2
- exit 1
- fi
-
- ${mkdir} -p "$(${dirname} "${cfg.ageKeyFile}")"
- ${lib.getExe pkgs.ssh-to-age} -i ${config.ssh.identityFile} -private-key > ${cfg.ageKeyFile}
- ${echo} -n "Created ${cfg.ageKeyFile}: "
- ${echo} $(${lib.getExe show-age-key})
- '')
- show-age-key
- (writeShellScriptBin "ls-secrets" "${lib.getExe pkgs.eza} -alT --follow-symlinks ~/.config/sops-nix/secrets")
- ] ++ editScript;
-
- home.shellAliases.sops = "${sopsBin} --config ${sopsConfigPath}";
-
- # Option definitions for the sops home-manager module:
- # https://github.com/Mic92/sops-nix/blob/master/modules/home-manager/sops.nix
- sops = {
- defaultSopsFile = sopsSecretsPath;
- defaultSopsFormat = "yaml";
- age.sshKeyPaths = [ "${config.ssh.identityFile}" ];
+ flake.wrappers.mySops = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
+ options = {
+ sshKey = lib.mkOption {
+ type = lib.types.str;
+ description = "String path to the SSH key to use for creating an AGE key at runtime";
 };
 };
- };
+
+ config = {
+ # binName = "my-sops";
+ package = config.pkgs.sops;
+ extraPackages = with config.pkgs; [ coreutils ssh-to-age ];
+ preHook = ''
+ AGE_KEY=$(umask 077; mktemp)
+ ssh-to-age -private-key -i ${config.sshKey} > "$AGE_KEY"
+ '';
+ flags."--config" = "${../../.sops.yaml}";
+ postHook = ''
+ rm "$AGE_KEY"
+ echo "Removed $AGE_KEY"
+ '';
+ };
+ });
 }
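Review bot: `self` is added to the top-level argument set in this hunk, but none of the new code visible in the diff uses it; the last hunk reaches the flake through `inputs.self` (`inputs.self.wrappers.mySops.apply`, `inputs.self.packages.…`). Unless `self` is consumed in a part of the file outside this diff, either drop it again or use `self.wrappers.mySops` / `self.packages` in the last hunk so the module has a single way of referring to its own flake.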
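Review bot: The temporary age identity written by preHook (`AGE_KEY=$(umask 077; mktemp)`) is only removed by postHook, so an interrupted or failing sops run leaves the converted private key behind in the temp directory, and nothing in the hunk hands that path to sops — unless the wrapper library exports it, sops falls back to its default key lookup and never sees the file. Owning cleanup with an EXIT trap in preHook and exporting `SOPS_AGE_KEY_FILE` closes both gaps (keeping the identity in `SOPS_AGE_KEY` instead would avoid writing it to disk at all), and `${config.sshKey}` should be quoted as the old existence check already did, since it is a `str` option; this assumes the hooks and the sops invocation share one shell, which postHook's use of `$AGE_KEY` suggests. Separately, the `edit-secrets` wrapper is now built unconditionally with `args = [ cfg.hostSecretFile ]` although the option is still `nullOr str` and the `lib.optional` guard was removed in the second hunk; depending on how wrapPackage renders args, a null value either fails evaluation or yields an `edit-secrets` that runs sops with no file. Restore the guard with `] ++ lib.optional (cfg.hostSecretFile != null) (inputs.wrappers.lib.wrapPackage { binName = "edit-secrets"; inherit pkgs; package = my-sops; args = [ cfg.hostSecretFile ]; });`.
```nix
      preHook = ''
        AGE_KEY=$(umask 077; mktemp)
        trap 'rm -f "$AGE_KEY"' EXIT
        ssh-to-age -private-key -i "${config.sshKey}" > "$AGE_KEY"
        export SOPS_AGE_KEY_FILE="$AGE_KEY"
      '';
      # … unchanged: flags."--config" …
      # postHook can be dropped: the EXIT trap now owns removal of $AGE_KEY
```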