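# sops-nix secret declarations for the pi5 host.
#
# Declares which encrypted YAML files hold the secrets, which age key
# decrypts them, and the ownership, mode and dependent units of each
# decrypted secret.
{ config, ... }:
let
  # Login account that owns the per-user secrets below.
  user = "matt";
in
{
  sops = {
    # Secrets that do not set their own `sopsFile` are read from this file.
    defaultSopsFile = ../../../secrets/pi5-secrets.yaml;

    # age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

    # NOTE(review): this single age identity decrypts every secret declared
    # here, including the root-owned host keys, yet it sits under the user's
    # home directory. Confirm that the file is not readable by other accounts
    # and that /home is available when the `neededForUsers` secrets are
    # decrypted; the commented-out host-key path above is the alternative
    # this file already hints at.
    age.keyFile = "/home/matt/.config/sops/age/keys.txt";

    # ------------------------------
    # Secrets
    # ------------------------------
    secrets = {
      # No owner/group/mode given, so the sops-nix defaults apply.
      "wifi" = {
        sopsFile = ../../../secrets/secrets.yaml;
      };

      # Password material for the login account. `neededForUsers` makes
      # sops-nix decrypt the secret before users and groups are created and
      # only allows root ownership for such secrets, so owner/group are left
      # at their defaults instead of pointing at the account that does not
      # exist yet at that point.
      "pi5/matt-password" = {
        neededForUsers = true;
        mode = "0600";
      };

      # ------------------------------
      # SSH keys
      # ------------------------------
      "ssh-keys-public/pi5" = {
        sopsFile = ../../../secrets/secrets.yaml;
        mode = "0644";
        owner = config.users.users."${user}".name;
        group = config.users.users."${user}".group;
        restartUnits = [ "sshd.service" ];
      };

      # Private half of the user's key pair: readable by the owner only.
      "ssh-keys-private/pi5" = {
        sopsFile = ../../../secrets/secrets.yaml;
        mode = "0600";
        owner = config.users.users."${user}".name;
        group = config.users.users."${user}".group;
        restartUnits = [ "sshd.service" ];
      };

      # NOTE(review): the two system keys are root-owned, which is compatible
      # with `neededForUsers`, but nothing in this file shows why they must
      # exist before user creation. Confirm that the early decryption is
      # intended before relying on it.
      "pi5/sys-public-key" = {
        neededForUsers = true;
        mode = "0600";
        owner = config.users.users.root.name;
        group = config.users.users.root.group;
        restartUnits = [ "sshd.service" ];
      };

      "pi5/sys-priv-key" = {
        neededForUsers = true;
        mode = "0600";
        owner = config.users.users.root.name;
        group = config.users.users.root.group;
        restartUnits = [ "sshd.service" ];
      };
    };
  };
}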