# sops-nix secret declarations for the pi5 host.
#
# Each entry names a key inside an encrypted sops file and states who may read
# the decrypted copy. No entry sets `path`, so consumers should refer to a
# secret through `config.sops.secrets."<name>".path` instead of hard-coding a
# location.
{ config, lib, ... }:
let
  user = "matt";
  defaultSops = lib.snowfall.fs.get-file "secrets/pi5-secrets.yaml";

  accounts = config.users.users;

  # Owner/group pair taken from a declared account, so a missing account is an
  # evaluation error rather than a surprise at activation time.
  ownedBy = account: {
    owner = account.name;
    group = account.group;
  };

  # Secrets kept in the pi5-specific encrypted file.
  fromPi5File = {
    sopsFile = defaultSops;
  };

  # Restart sshd whenever the decrypted secret changes.
  bounceSshd = {
    restartUnits = [ "sshd.service" ];
  };
in
{
  sops.secrets = {
    # ---- Attic ------------------------------------------------------------
    # Read-only for the atticd service account.
    # NOTE(review): owner/group are string literals, so evaluation does not
    # check that an "atticd" account is declared; confirm it exists on this host.
    "pi5/attic-key" = fromPi5File // {
      mode = "0400";
      owner = "atticd";
      group = "atticd";
      restartUnits = [ "atticd.service" ];
    };

    # ---- SSH keys ---------------------------------------------------------
    # The two per-user entries below set no `sopsFile`; they rely on
    # `sops.defaultSopsFile`, which is not set in this file and must be defined
    # elsewhere in the configuration.
    # NOTE(review): both restart sshd on change. Whether sshd reads these files
    # is not visible here; if they are only the user's client identity, the
    # restart is unnecessary. Confirm against the consumers.
    "ssh-keys-public/pi5" = ownedBy accounts.${user} // bounceSshd // {
      mode = "0644";
    };

    # Private key: readable and writable by the owning user only.
    "ssh-keys-private/pi5" = ownedBy accounts.${user} // bounceSshd // {
      mode = "0600";
    };

    # Root-owned key pair. The public half is also 0600, which is stricter than
    # a public key needs but harmless.
    # NOTE(review): presumably the system-level SSH key pair; confirm what
    # consumes it.
    "pi5/sys-public-key" = fromPi5File // ownedBy accounts.root // bounceSshd // {
      mode = "0600";
    };

    "pi5/sys-priv-key" = fromPi5File // ownedBy accounts.root // bounceSshd // {
      mode = "0600";
    };
  };
}