{ ... }:
let
  user = "matt";
in
{
  sops = {
    defaultSopsFile = ../../secrets/secrets.yaml;
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

    secrets = {
      "wifi" = { };
      "desktop/matt_password" = {
        neededForUsers = true;
        mode = "0600";
        owner = config.users.users."${user}".name;
        group = config.users.users."${user}".group;
      };

      # ------------------------------
      # SSH keys
      # ------------------------------
      "ssh-keys-public/pi5" = {
        mode = "0644";
        owner = config.users.users."${user}".name;
        group = config.users.users."${user}".group;
        restartUnits = [ "sshd.service" ];
      };
      "ssh-keys-private/pi5" = {
        mode = "0600";
        owner = config.users.users."${user}".name;
        group = config.users.users."${user}".group;
        restartUnits = [ "sshd.service" ];
      };
    };
  };
}