# sops-nix secret declarations for the pi4 host: SSH key material for the
# login user and for root, all wired to restart sshd when a secret changes.
{ config, lib, ... }:
let
  user = "matt";

  # Encrypted file that backs the two "pi4/..." system keys below.
  defaultSops = lib.snowfall.fs.get-file "secrets/pi4-secrets.yaml";

  # Every secret in this module restarts sshd when it changes.
  restartsSshd = {
    restartUnits = [ "sshd.service" ];
  };

  # Secrets handed to the login user; the mode is set per secret.
  forLoginUser = restartsSshd // {
    owner = config.users.users."${user}".name;
    group = config.users.users."${user}".group;
  };

  # Root-only (0600) secrets flagged neededForUsers.
  forRootEarly = restartsSshd // {
    neededForUsers = true;
    mode = "0600";
    owner = config.users.users.root.name;
    group = config.users.users.root.group;
  };
in
{
  sops = {
    # NOTE(review): the age identity sits inside a home directory and the path
    # repeats the user name literally instead of using `user`. Secrets marked
    # neededForUsers are presumably decrypted early in activation - confirm
    # this path is mounted and readable at that point, and that the key file
    # itself is not group- or world-readable.
    age.keyFile = "/home/matt/.config/sops/age/keys.txt";

    # NOTE(review): build-time validation of the sops files is switched off.
    # A missing file or key would then presumably surface only at activation -
    # confirm this is deliberate rather than a leftover workaround.
    validateSopsFiles = false;

    # ------------------------------
    # Secrets
    # ------------------------------
    secrets = {
      # ---- SSH keys owned by the login user ----
      # No sopsFile is given for the next three entries, and `defaultSops` is
      # not assigned to sops.defaultSopsFile in this file, so they presumably
      # rely on a default configured elsewhere - TODO confirm.
      "ssh-keys-public/pi4" = forLoginUser // { mode = "0644"; };

      # Private key: readable by its owner only.
      "ssh-keys-private/pi4" = forLoginUser // { mode = "0600"; };

      # ---- Root-owned keys ----
      # NOTE(review): named as a public key but handled like the private
      # system key (root-only 0600, neededForUsers) - verify that is intended.
      "ssh-keys-public/pi5" = forRootEarly;

      # System key pair read from the pi4 secrets file.
      "pi4/sys-public-key" = forRootEarly // { sopsFile = defaultSops; };
      "pi4/sys-priv-key" = forRootEarly // { sopsFile = defaultSops; };
    };
  };
}