diff --git a/modules/programs/sops.nix b/modules/programs/sops.nix
index 11e7ad1..554bbf4 100644
--- a/modules/programs/sops.nix
+++ b/modules/programs/sops.nix
@@ -46,7 +46,16 @@ in
 };
 };
- config = {
+ config =
+ let
+ echo = lib.getExe' pkgs.coreutils "echo";
+ dirname = lib.getExe' pkgs.coreutils "dirname";
+ mkdir = lib.getExe' pkgs.coreutils "mkdir";
+ show-age-key = (pkgs.writeShellScriptBin "show-age-key" ''
+ ${lib.getExe' pkgs.age "age-keygen"} -y ${cfg.ageKeyFile}
+ '');
+ in
+ {
 home.packages = with pkgs; [
 eza
 age
@@ -56,21 +65,21 @@ in
 set -eu
 if [ ! -f "${config.ssh.IdentityFile}" ]; then
- echo "SSH identity file not found: ${config.ssh.IdentityFile}" >&2
+ ${echo} "SSH identity file not found: ${config.ssh.IdentityFile}" >&2
 exit 1
 fi
 if [ -e "${cfg.ageKeyFile}" ]; then
- echo "Refusing to overwrite existing age key file: ${cfg.ageKeyFile}" >&2
+ ${echo} "Refusing to overwrite existing age key file: ${cfg.ageKeyFile}" >&2
 exit 1
 fi
- mkdir -p "$(dirname "${cfg.ageKeyFile}")"
+ ${mkdir} -p "$(${dirname} "${cfg.ageKeyFile}")"
 ${lib.getExe pkgs.ssh-to-age} -i ${config.ssh.IdentityFile} -private-key > ${cfg.ageKeyFile}
- echo -n "Created ${cfg.ageKeyFile}: "
- echo $(show-age-key)
+ ${echo} -n "Created ${cfg.ageKeyFile}: "
+ ${echo} $(${lib.getExe show-age-key})
 '')
- (writeShellScriptBin "show-age-key" "${lib.getExe' pkgs.age "age-keygen"} -y ${cfg.ageKeyFile}")
+ show-age-key
 (writeShellScriptBin "ls-secrets" "${lib.getExe pkgs.eza} -alT --follow-symlinks ~/.config/sops-nix/secrets")
 ] ++ editScript;
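Review bot: The new `show-age-key` body interpolates `${cfg.ageKeyFile}` into the shell script unquoted, so a key path containing spaces or glob characters is word-split before `age-keygen -y` receives it. The generation script in the second hunk already quotes the same value in its `[ -e "${cfg.ageKeyFile}" ]` test, and its unchanged `ssh-to-age` line has the same gap for both the `-i` argument and the redirect target. I would write `${lib.getExe' pkgs.age "age-keygen"} -y "${cfg.ageKeyFile}"` here and quote the two paths on the ssh-to-age line the same way. The `let` block opens the `config` attribute set, whose body continues outside the hunk.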
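Review bot: The private key is still written by a plain `> ${cfg.ageKeyFile}` redirect under whatever umask the caller has, so pinning the coreutils paths does not stop the new file, or the directory that `${mkdir} -p` creates, from being group- or world-readable on a permissive umask. Adding `umask 077` right after `set -eu` would cover both. Separately, the shell creates the redirect target before ssh-to-age runs, so a failed conversion leaves an empty file that the `Refusing to overwrite existing age key file` check then trips on at the next run; writing to a temporary name and renaming on success would avoid that. The script's opening line is outside the hunk, so an earlier umask setting cannot be ruled out from here.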