{
  config,
  lib,
  namespace,
  ...
}:
with lib;
let
  cfg = config.${namespace}.services.nebula;
in
{

  config = mkIf cfg.enable {
    sops = {
      secrets = {
        "jallen-nas/nebula/ca-cert" = {
          sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
          owner = "nebula-jallen-nebula";
          group = "nebula-jallen-nebula";
          restartUnits = [ "nebula@jallen-nebula.service" ];
        };

        "jallen-nas/nebula/ca-key" = {
          sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
          owner = "nebula-jallen-nebula";
          group = "nebula-jallen-nebula";
          restartUnits = [ "nebula@jallen-nebula.service" ];
        };

        "jallen-nas/nebula/nas-cert" = {
          sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
          owner = "nebula-jallen-nebula";
          group = "nebula-jallen-nebula";
          restartUnits = [ "nebula@jallen-nebula.service" ];
        };
        "jallen-nas/nebula/nas-key" = {
          sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
          owner = "nebula-jallen-nebula";
          group = "nebula-jallen-nebula";
          restartUnits = [ "nebula@jallen-nebula.service" ];
        };
      };
    };
  };
}