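# Home Manager module: opt-in sops-nix secret management for the user profile.
#
# When `settings.services.sops.enable` is true, this installs the `sops` and
# `age` CLIs and points sops-nix at the user's age identity and the
# repository's encrypted secrets file.
{ lib, config, inputs, pkgs, ... }:
let
  cfg = config.settings.services.sops;
in
{
  options = {
    settings.services.sops.enable = lib.mkOption {
      type = lib.types.bool;
      description = ''
        Enable sops secret management
      '';
      default = false;
    };
  };

  # The sops-nix module is imported unconditionally so its options exist;
  # everything that actually configures it is gated on cfg.enable below.
  imports = [ inputs.sops-nix.homeManagerModules.sops ];

  config = lib.mkIf cfg.enable {
    # CLI tools for editing the secrets file and managing age keys by hand.
    home.packages = [
      pkgs.sops
      pkgs.age
    ];

    sops = {
      # Private age identity used to decrypt the secrets.
      # It must NOT be passphrase-protected, so the key is guarded only by
      # filesystem permissions: keep it owner-readable only (e.g. mode 0600)
      # and never commit it to the repository.
      # Keep this a string, not a Nix path literal: a path literal could be
      # copied into the world-readable Nix store during evaluation.
      # Derived from home.homeDirectory instead of a hard-coded "/home/<user>"
      # so the module also works where the home directory lives elsewhere.
      age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";

      # Path literal: this file ends up in the Nix store, so every value in
      # it must be sops-encrypted; plaintext here would be readable by all
      # local users.
      defaultSopsFile = ../../../secrets/secrets.yaml;

      # Secrets to decrypt, keyed by their path inside defaultSopsFile.
      # The empty attrset accepts the sops-nix defaults for this secret.
      secrets = {
        "containers/pingvin-share/oidc-secret" = { };
      };
    };
  };
}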