[Unit]
Description=Decrypt SOPS secrets before Docker starts
DefaultDependencies=no
Before=docker.service
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
WorkingDirectory=/srv/gitops
Environment=SOPS_AGE_KEY_FILE=/root/.config/sops/age/keys.txt

# твой скрипт расшифровки (держи в репо или в /usr/local/bin)
ExecStart=/srv/gitops/homelab-infra/lab-home/sops-decrypt.sh

TimeoutStartSec=300

[Install]
WantedBy=multi-user.target