# sops-nix wiring for this flake's `${namespace}.sops` option set
# (the options themselves are declared in ./options.nix).
{ config, lib, system, namespace, ... }:
let
  cfg = config.${namespace}.sops;

  # Fallback secrets file, consulted only when the option leaves
  # `defaultSopsFile` unset (null).
  fallbackSopsFile = lib.snowfall.fs.get-file "secrets/secrets.yaml";

  # Secure Boot key material is only declared on x86_64 hosts; on other
  # systems the `mkIf false` below drops those secrets from sops.secrets.
  onX86 = system == "x86_64-linux";

  # Every Secure Boot secret shares one declaration: present on x86_64 only,
  # decrypted file readable/writable by its owner alone (mode 0600).
  secureBootSecret = lib.mkIf onX86 { mode = "0600"; };
  secureBootSecrets = lib.genAttrs [
    "secureboot/GUID"
    "secureboot/keys/db-key"
    "secureboot/keys/db-pem"
    "secureboot/keys/KEK-key"
    "secureboot/keys/KEK-pem"
    "secureboot/keys/PK-key"
    "secureboot/keys/PK-pem"
  ] (_: secureBootSecret);
in
{
  imports = [ ./options.nix ];

  config = lib.mkIf cfg.enable {
    assertions = [
      {
        # age decryption needs at least one host SSH key to derive an identity from.
        assertion = cfg.sshKeyPaths != [ ];
        # NOTE(review): the message hard-codes the "mjallen" prefix while the
        # option is read through `config.${namespace}`; presumably namespace
        # is always "mjallen" here -- confirm if the module is reused elsewhere.
        message = "mjallen.sops.sshKeyPaths must contain at least one SSH key path for age decryption.";
      }
    ];

    sops = {
      defaultSopsFile =
        if cfg.defaultSopsFile == null then fallbackSopsFile else cfg.defaultSopsFile;
      age.sshKeyPaths = cfg.sshKeyPaths;

      secrets = {
        # Plain secret with sops-nix's default file settings.
        "wifi" = { };
        "disk-key" = { mode = "0600"; };
        # neededForUsers makes sops-nix decrypt this secret before users and
        # groups are created; presumably it holds a password hash consumed by
        # a users.users.* entry elsewhere -- confirm against the user module.
        "matt_password" = {
          mode = "0600";
          neededForUsers = true;
        };
      } // secureBootSecrets;
    };
  };
}