diff --git a/hosts/common/programs/assorted.nix b/hosts/common/programs/assorted.nix
index 80f17af35..d572bfe4f 100644
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@@ -1096,14 +1096,6 @@ in
   # TODO: enable dma heaps for more efficient buffer sharing:
   snapshot.sandbox.method = null; #< TODO: sandbox
-  sops.sandbox.extraHomePaths = [
-    ".config/sops"
-    "nixos"
-    # TODO: sops should only need access to knowledge/secrets,
-    # except that i currently put its .sops.yaml config in the root of ~/knowledge
-    "knowledge"
-  ];
-
   sox.sandbox.autodetectCliPaths = "existingFileOrParent";
   sox.sandbox.whitelistAudio = true;
diff --git a/hosts/common/programs/default.nix b/hosts/common/programs/default.nix
index c19b11fb6..cdb664541 100644
--- a/hosts/common/programs/default.nix
+++ b/hosts/common/programs/default.nix
@@ -189,6 +189,7 @@
     ./sm64coopdx.nix
     ./sm64ex-coop.nix
     ./smartmontools.nix
+    ./sops.nix
     ./soundconverter.nix
     ./splatmoji.nix
     ./spot.nix
diff --git a/hosts/common/programs/sops.nix b/hosts/common/programs/sops.nix
new file mode 100644
index 000000000..2becc357a
--- /dev/null
+++ b/hosts/common/programs/sops.nix
@@ -0,0 +1,33 @@
+{ pkgs, ... }: {
+  sane.programs.sops = {
+    packageUnwrapped = pkgs.sops.overrideAttrs (upstream: {
+      # sops default behavior is to pre-populate a file with a bunch of example text.
+      # deleting that text for _every_ new secret is annoying.
+      # not tunable by config, so patch out.
+      postPatch = (upstream.postPatch or "") + ''
+        substituteInPlace stores/dotenv/store.go --replace-fail \
+          'stores.ExampleFlatTree.Branches' \
+          'sops.TreeBranches{sops.TreeBranch{}}'
+        substituteInPlace stores/ini/store.go --replace-fail \
+          'stores.ExampleSimpleTree.Branches' \
+          'sops.TreeBranches{}'
+        substituteInPlace stores/json/store.go --replace-fail \
+          'stores.ExampleComplexTree.Branches' \
+          'sops.TreeBranches{sops.TreeBranch{}}'
+        substituteInPlace stores/yaml/store.go --replace-fail \
+          'stores.ExampleComplexTree.Branches' \
+          'sops.TreeBranches{}'
+
+        # substituteInPlace cmd/sops/edit.go \
+        #   --replace-fail 'opts.InputStore.EmitExample()' '[]byte("")'
+      '';
+    });
+    sandbox.extraHomePaths = [
+      ".config/sops"
+      "nixos"
+      # TODO: sops should only need access to knowledge/secrets,
+      # except that i currently put its .sops.yaml config in the root of ~/knowledge
+      "knowledge"
+    ];
+  };
+}
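Review bot: The four `substituteInPlace` calls replace the example trees with two different values — `sops.TreeBranches{sops.TreeBranch{}}` for the dotenv and json stores, `sops.TreeBranches{}` for ini and yaml — and nothing in the hunk says why the formats differ, so a later reader cannot tell whether the asymmetry is deliberate or a copy-paste slip. A one-line comment above the first `substituteInPlace` stating why dotenv/json get a single empty branch while ini/yaml get an empty tree would settle that; the same comment could say that `--replace-fail` is there so an upstream rename of these identifiers fails the build instead of silently leaving the example text in place, which is presumably the intent. The commented-out `cmd/sops/edit.go` variant is also left in without a note on why it was rejected; either delete it or add a short reason so it does not read as unfinished work.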