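# sops-nix secret declarations for the pi4 host: which encrypted files to read,
# which age key decrypts them, and the owner/mode of each decrypted secret.
{ config, ... }:
let
  user = "matt";
  userCfg = config.users.users.${user};
  rootCfg = config.users.users.root;

  # Secrets file shared between hosts; pi4-only values come from defaultSopsFile.
  sharedSecrets = ../../secrets/secrets.yaml;
in
{
  sops = {
    defaultSopsFile = ../../secrets/pi4-secrets.yaml;

    # Alternative key source (disabled): derive the age identity from the SSH
    # host key instead of a standalone key file.
    # age = {
    #   generateKey = true;
    #   sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    # };

    # NOTE(review): this single age identity decrypts every secret declared
    # below, including the root-owned ones. Because it lives in a user's home
    # directory, anyone who can read that file can decrypt them all, so the
    # root-only modes further down are only as strong as the permissions on this
    # path. It must also be readable when the neededForUsers secrets are
    # decrypted (before user accounts are set up), so confirm that /home is
    # mounted by then. A root-owned location outside /home (the sops-nix
    # documentation uses /var/lib/sops-nix/key.txt) avoids both problems. The
    # value is left unchanged here because moving the key is a deployment step.
    age.keyFile = "/home/${user}/.config/sops/age/keys.txt";

    # NOTE(review): turns off the build-time check of the sopsFile paths, so a
    # missing or misplaced secrets file only shows up at activation time. The
    # files referenced here are ordinary relative paths, so the check can
    # probably be re-enabled; confirm and drop this line if so.
    validateSopsFiles = false;

    # ------------------------------
    # Secrets
    # ------------------------------
    secrets = {
      "wifi" = {
        sopsFile = sharedSecrets;
      };

      # Login password for ${user}. neededForUsers secrets are decrypted before
      # user accounts exist, so they have to stay root-owned: the former
      # owner/group = ${user} settings could not be applied at that point and are
      # rejected by current sops-nix. Root (the default owner) is also the only
      # reader needed while accounts are being created.
      "pi4/matt-password" = {
        neededForUsers = true;
        mode = "0600";
      };

      # ------------------------------
      # SSH keys
      # ------------------------------
      "ssh-keys-public/pi4" = {
        sopsFile = sharedSecrets;
        mode = "0644";
        owner = userCfg.name;
        group = userCfg.group;
        restartUnits = [ "sshd.service" ];
      };

      "ssh-keys-private/pi4" = {
        sopsFile = sharedSecrets;
        mode = "0600";
        owner = userCfg.name;
        group = userCfg.group;
        restartUnits = [ "sshd.service" ];
      };

      # NOTE(review): the three root-owned keys below are flagged
      # neededForUsers, which is meant for material consumed while accounts are
      # created (password hashes). Confirm that SSH keys really need the early
      # decryption stage; if not, dropping the flag keeps them in the regular
      # secrets directory.
      "ssh-keys-public/pi5" = {
        sopsFile = sharedSecrets;
        neededForUsers = true;
        mode = "0600";
        owner = rootCfg.name;
        group = rootCfg.group;
        restartUnits = [ "sshd.service" ];
      };

      "pi4/sys-public-key" = {
        neededForUsers = true;
        mode = "0600";
        owner = rootCfg.name;
        group = rootCfg.group;
        restartUnits = [ "sshd.service" ];
      };

      "pi4/sys-priv-key" = {
        neededForUsers = true;
        mode = "0600";
        owner = rootCfg.name;
        group = rootCfg.group;
        restartUnits = [ "sshd.service" ];
      };
    };
  };
}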