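{ config, lib, namespace, ... }:
with lib;
let
  cfg = config.${namespace}.services.nebula;

  # Option path as the user sees it.  Used in assertion messages so they stay
  # correct for whatever `namespace` the flake passes in (the original text
  # hard-coded "mjallen", which diverges as soon as the namespace differs).
  optPath = "${namespace}.services.nebula";

  sopsFile = cfg.secretsFile;
  nebulaUser = "nebula-${cfg.networkName}";
  nebulaUnit = "nebula@${cfg.networkName}.service";

  # Common sops-nix settings shared by every nebula secret: owned by the
  # per-network nebula user/group, and the nebula unit is restarted whenever
  # the secret changes.  The `_key` argument is unused — the key path inside
  # the SOPS file is the attribute name under `sops.secrets`.
  mkSecret = _key: {
    inherit sopsFile;
    owner = nebulaUser;
    group = nebulaUser;
    restartUnits = [ nebulaUnit ];
  };

  # The CA cert is group-readable (0440) so nebula-ui, a member of the nebula
  # group, can read it.  Only the cert is widened; the host key keeps the
  # sops-nix default (owner-only) mode.
  mkCaSecret = _key: (mkSecret _key) // { mode = "0440"; };
in
{
  config = mkIf cfg.enable {
    assertions = [
      {
        assertion = cfg.secretsPrefix != "";
        message = "${optPath}.secretsPrefix must be set (e.g. \"pi5/nebula\")";
      }
      {
        assertion = cfg.secretsFile != "";
        message = "${optPath}.secretsFile must be set to the path of the SOPS secrets YAML";
      }
      {
        # An empty name would silently produce keys such as "<prefix>/-cert".
        assertion = cfg.hostSecretName != "";
        message = "${optPath}.hostSecretName must be set to the host's key name in the SOPS file";
      }
    ];

    # Secret names double as the key paths inside the SOPS YAML.
    sops.secrets = {
      "${cfg.secretsPrefix}/ca-cert" = mkCaSecret "ca-cert";
      "${cfg.secretsPrefix}/${cfg.hostSecretName}-cert" = mkSecret "host-cert";
      "${cfg.secretsPrefix}/${cfg.hostSecretName}-key" = mkSecret "host-key";
    };
  };
}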