{ config, ... }:
{
  sops.defaultSopsFile = ../../secrets/secrets.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  sops.secrets."desktop/matt_password" = { };
  sops.secrets."desktop/matt_password".neededForUsers = true;

  sops.secrets."desktop/hass_token" = { };
  sops.secrets."desktop/hass_token".mode = "0777";

  sops.secrets."desktop/restic/user" = { };
  sops.secrets."desktop/restic/password" = { };
  sops.templates."restic.env".content = ''
    RESTIC_REST_USER=${config.sops.placeholder."desktop/restic/user"}
    RESTIC_REST_PASSWORD=${config.sops.placeholder."desktop/restic/password"}
  '';

  sops.secrets."wifi" = { };

  sops.secrets."ssh-keys-public/desktop-nixos" = {
    mode = "0644";
  };

  sops.secrets."ssh-keys-private/desktop-nixos" = {
    mode = "0600";
  };

  sops.secrets."ssh-keys-public/desktop-nixos-root" = {
    path = "/root/.ssh/id_ed25519.pub";
    mode = "0600";
  };

  sops.secrets."ssh-keys-private/desktop-nixos-root" = {
    path = "/root/.ssh/id_ed25519";
    mode = "0600";
  };

  sops.secrets."secureboot/GUID" = {
    path = "/etc/secureboot/GUID";
    mode = "0600";
  };

  sops.secrets."secureboot/keys/db-key" = {
    path = "/etc/secureboot/keys/db/db.key";
    mode = "0600";
  };

  sops.secrets."secureboot/keys/db-pem" = {
    path = "/etc/secureboot/keys/db/db.pem";
    mode = "0600";
  };

  sops.secrets."secureboot/keys/KEK-key" = {
    path = "/etc/secureboot/keys/KEK/KEK.key";
    mode = "0600";
  };

  sops.secrets."secureboot/keys/KEK-pem" = {
    path = "/etc/secureboot/keys/KEK/KEK.pem";
    mode = "0600";
  };

  sops.secrets."secureboot/keys/PK-key" = {
    path = "/etc/secureboot/keys/PK/PK.key";
    mode = "0600";
  };

  sops.secrets."secureboot/keys/PK-pem" = {
    path = "/etc/secureboot/keys/PK/PK.pem";
    mode = "0600";
  };
}