diff --git a/modules/hosts/janus.nix b/modules/hosts/janus.nix
index fc83555..05a9016 100644
--- a/modules/hosts/janus.nix
+++ b/modules/hosts/janus.nix
@@ -8,7 +8,7 @@ in
  flake.nixosConfigurations."${hostname}" = inputs.nixpkgs.lib.nixosSystem {
  modules = with inputs.self.modules; [
  nixos.lxc
- nixos.sops
+ nixos.mysops
  nixos.step-ssh-host
  inputs.home-manager.nixosModules.home-manager
  nixos."${username}"
diff --git a/modules/hosts/john-pc-ubuntu.nix b/modules/hosts/john-pc-ubuntu.nix
index c860dc3..0198cac 100644
--- a/modules/hosts/john-pc-ubuntu.nix
+++ b/modules/hosts/john-pc-ubuntu.nix
@@ -18,7 +18,7 @@ in
  imports = with inputs.self.modules.homeManager; [
  rebuild
  john
- sops
+ mysops
  step-ssh-user
  mtls
  restic
diff --git a/modules/hosts/soteria/soteria.nix b/modules/hosts/soteria/soteria.nix
index ab69c3e..83c3d5c 100644
--- a/modules/hosts/soteria/soteria.nix
+++ b/modules/hosts/soteria/soteria.nix
@@ -8,7 +8,7 @@ in
  flake.nixosConfigurations."${hostname}" = inputs.nixpkgs.lib.nixosSystem {
  modules = with inputs.self.modules; [
  nixos.lxc
- nixos.sops
+ nixos.mysops
  nixos.step-ssh-host
  inputs.home-manager.nixosModules.home-manager
  nixos."${username}"
@@ -66,8 +66,6 @@ in
  home-manager.users."${username}" = {
  imports = with inputs.self.modules; [
- homeManager.sops
- homeManager.step-ssh-user
  homeManager"${hostname}"
  ];
  };
@@ -76,16 +74,18 @@ in
  };
  flake.modules.homeManager."${hostname}" = { config, ... }: {
- imports = with inputs.self.modules.homeManager; [
- rebuild
- sops
- mtls
+ imports = with inputs.self.modules; [
+ homeManager.rebuild
+ homeManager.mysops
+ homeManager.mtls
  ];
  homeManagerFlakeDir = "${config.xdg.configHome}/home-manager";
  home.username = "${username}";
  home.homeDirectory = "/home/${username}";
  shell.program = "zsh";
+
+ mysops.hostSecretFile = "${config.xdg.configHome}/home-manager/modules/hosts/soteria/secrets.yaml";
  };
  flake.homeConfigurations."${hostname}" = inputs.home-manager.lib.homeManagerConfiguration {
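Review bot: The added `mysops.hostSecretFile` line restates the flake checkout path by hand although the line above it already sets `homeManagerFlakeDir = "${config.xdg.configHome}/home-manager"`; if that option is readable from `config` here, `mysops.hostSecretFile = "${config.homeManagerFlakeDir}/modules/hosts/soteria/secrets.yaml";` keeps the two from drifting apart. The value also appears to name a different checkout than the `flakeDir` binding in modules/programs/sops.nix (`.../home-manager/jsl-dendritic`), so it is worth confirming which tree `edit-secrets` is meant to open. Separately, the preceding hunk in this file drops `homeManager.step-ssh-user` from the NixOS-managed home-manager imports without a replacement, which looks unrelated to the sops rename and deserves a line in the commit message if intentional. The `homeManager"${hostname}"` context line in that hunk appears to lack a `.` before the string, unless that is a rendering artifact.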
diff --git a/modules/hosts/test-nix.nix b/modules/hosts/test-nix.nix
index 57c915f..9152b9b 100644
--- a/modules/hosts/test-nix.nix
+++ b/modules/hosts/test-nix.nix
@@ -7,7 +7,7 @@ in
  flake.nixosConfigurations."${hostname}" = inputs.nixpkgs.lib.nixosSystem {
  modules = with inputs.self.modules; [
  nixos.lxc
- nixos.sops
+ nixos.mysops
  nixos.step-ssh-host
  inputs.home-manager.nixosModules.home-manager
  nixos."${username}"
diff --git a/modules/programs/sops.nix b/modules/programs/sops.nix
index 8e5fb94..7698f2b 100644
--- a/modules/programs/sops.nix
+++ b/modules/programs/sops.nix
@@ -10,51 +10,81 @@ in
  sops-nix.inputs.nixpkgs.follows = "nixpkgs";
  };
- flake.modules.nixos.sops = {
+ flake.modules.nixos.mysops = {
  imports = [ inputs.sops-nix.nixosModules.sops ];
  # sops.defaultSopsFile = ../../keys/secrets.yaml;
  };
  # Define the homeModules that are used by flake-parts
  # https://flake.parts/options/home-manager.html#opt-flake.modules.homeManager
- flake.modules.homeManager.sops = { inputs, config, pkgs, lib, ... }:
+ flake.modules.homeManager.mysops = { inputs, config, pkgs, lib, ... }:
  let
+ cfg = config.mysops;
  sopsBin = lib.getExe pkgs.sops;
  sopsConfigPath = ../../.sops.yaml;
  sopsSecretsPath = ../../keys/secrets.yaml;
- ageKeyFile = "${config.xdg.configHome}/sops/age/keys.txt";
  flakeDir = "${config.xdg.configHome}/home-manager/jsl-dendritic";
  in {
- home.packages = with pkgs; [
- eza
- age
- sops # This is necessary to make the sops binary available
- ssh-to-age
- (writeShellScriptBin "gen-age-key" ''
- mkdir -p "${config.xdg.configHome}/sops/age"
- ${lib.getExe pkgs.ssh-to-age} -i ${config.ssh.IdentityFile} -private-key > ${ageKeyFile}
- echo -n "Created ${ageKeyFile}: "
- echo $(show-age-key)
- '')
- (writeShellScriptBin "show-age-key" "${lib.getExe' pkgs.age "age-keygen"} -y ${ageKeyFile}")
- (writeShellScriptBin "edit-secrets" "${sopsBin} --config ${sopsConfigPath} ${flakeDir}/keys/secrets.yaml")
- (writeShellScriptBin "ls-secrets" "${lib.getExe pkgs.eza} -alT --follow-symlinks ~/.config/sops-nix/secrets")
- ];
-
- home.shellAliases.sops = "${sopsBin} --config ${sopsConfigPath}";
-
  imports = [
  # This import makes the sops config attribute available below
  inputs'.sops-nix.homeManagerModules.sops
  ];
- # Option definitions for the sops home-manager module:
- # https://github.com/Mic92/sops-nix/blob/master/modules/home-manager/sops.nix
- sops = {
- # defaultSopsFile = sopsSecretsPath;
- defaultSopsFormat = "yaml";
- age.sshKeyPaths = [ "${config.ssh.IdentityFile}" ];
+ options.mysops = {
+ enable = lib.mkEnableOption "Customized SOPS tools";
+ ageKeyFile = lib.mkOption {
+ description = "Default location for the age key";
+ type = lib.types.str;
+ default = "${config.xdg.configHome}/sops/age/keys.txt";
+ };
+ hostSecretFile = lib.mkOption {
+ description = "Path to the secrets file for this host";
+ type = lib.types.nullOr lib.types.str;
+ default = null;
+ };
+ };
+
+ config = {
+ home.packages = with pkgs; [
+ eza
+ age
+ sops # This is necessary to make the sops binary available
+ ssh-to-age
+ (writeShellScriptBin "gen-age-key" ''
+ set -eu
+
+ if [ ! -f "${config.ssh.IdentityFile}" ]; then
+ echo "SSH identity file not found: ${config.ssh.IdentityFile}" >&2
+ exit 1
+ fi
+
+ if [ -e "${cfg.ageKeyFile}" ]; then
+ echo "Refusing to overwrite existing age key file: ${cfg.ageKeyFile}" >&2
+ exit 1
+ fi
+
+ mkdir -p "$(dirname "${cfg.ageKeyFile}")"
+ ${lib.getExe pkgs.ssh-to-age} -i ${config.ssh.IdentityFile} -private-key > ${cfg.ageKeyFile}
+ echo -n "Created ${cfg.ageKeyFile}: "
+ echo $(show-age-key)
+ '')
+ (writeShellScriptBin "show-age-key" "${lib.getExe' pkgs.age "age-keygen"} -y ${cfg.ageKeyFile}")
+ (writeShellScriptBin "ls-secrets" "${lib.getExe pkgs.eza} -alT --follow-symlinks ~/.config/sops-nix/secrets")
+ ] ++ lib.optional (cfg.hostSecretFile != null) (writeShellScriptBin "edit-secrets" ''
+ set -e
+ ${sopsBin} --config ${sopsConfigPath} ${cfg.hostSecretFile}
+ '');
+
+ home.shellAliases.sops = "${sopsBin} --config ${sopsConfigPath}";
+
+ # Option definitions for the sops home-manager module:
+ # https://github.com/Mic92/sops-nix/blob/master/modules/home-manager/sops.nix
+ sops = {
+ # defaultSopsFile = sopsSecretsPath;
+ defaultSopsFormat = "yaml";
+ age.sshKeyPaths = [ "${config.ssh.IdentityFile}" ];
+ };
  };
  };
  }
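Review bot: `options.mysops.enable` is declared but the `config = { ... }` attrset below it is unconditional, so the option has no effect and every importer gets the packages, alias and sops settings regardless of its value; either gate it with `config = lib.mkIf cfg.enable {` and set `mysops.enable = true;` in the hosts that import the module, or drop the option. The rewritten `gen-age-key` script still writes the private age key through a plain redirect, so the mode of the resulting `keys.txt` depends on the caller's umask; placing `umask 077` before the `mkdir -p` line (and quoting `"${cfg.ageKeyFile}"` on the redirect) makes the key file private by default. In the generated `edit-secrets` script the configured path is interpolated unquoted; `${sopsBin} --config ${sopsConfigPath} "${cfg.hostSecretFile}"` avoids word splitting if it ever contains spaces. The `sopsSecretsPath` and `flakeDir` let-bindings are now unused once `edit-secrets` takes its path from `cfg.hostSecretFile`.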