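# NixOS module that wires sops-nix into the system and declares the secrets
# consumed by the other modules of this configuration. Each secret is only
# declared when the module that uses it is enabled, so a host does not carry
# (or decrypt) secrets it has no use for.
#
# Fix vs. the previous version: `blake_passwd` was wrapped in a bare
# `lib.mkIf cond { ... }` placed directly inside the `secrets` attrset. An
# attrset body may only contain `name = value;` bindings, so that was a parse
# error. The module system discharges `mkIf` per attrsOf element, so the
# working shape is the one the other secrets already use: `name = lib.mkIf
# cond { ... };`.
{ pkgs, config, lib, inputs, ... }:
let
  cfg = config.modules.system.sops;
in {
  imports = [ inputs.sops-nix.nixosModules.sops ];

  options.modules.system.sops = {
    # mkEnableOption prefixes "Whether to enable ", so the text is a noun phrase.
    enable = lib.mkEnableOption "sops-nix secret management";
  };

  config = lib.mkIf cfg.enable {
    sops = {
      # Path literal relative to this file: Nix copies it into the (world-
      # readable) store. That is fine for the sops *ciphertext*; never point
      # this at a plaintext file.
      defaultSopsFile = ../../secrets/secrets.yaml;
      defaultSopsFormat = "yaml";

      # SECURITY(review): the age private key lives in a regular user's home
      # directory. Anything running as `blake` can decrypt every secret
      # declared below (root's password hash, the tailscale auth key, ...),
      # so compromising that account compromises all system secrets.
      # sops-nix reads the key as root during activation, so a root-only
      # location such as /var/lib/sops-nix/key.txt (or `age.sshKeyPaths`
      # pointing at the host SSH key) keeps the user account out of the
      # trust boundary. Also, a `neededForUsers` secret is decrypted early
      # in activation, so this file must already be reachable then: if
      # /home is a separate filesystem it needs `neededForBoot = true`.
      # The path is left unchanged here because moving the key is an
      # operational step that has to happen on the host first.
      age.keyFile = "/home/blake/.config/sops/age/keys.txt";

      secrets = {
        # Password hash for the `blake` account. `neededForUsers` makes
        # sops-nix decrypt it before users/groups are created so it can back
        # users.users.blake.hashedPasswordFile. root:root is sops-nix's
        # default and what such early secrets are expected to use; it is
        # spelled out to match the other entries.
        # NOTE(review): `config.users.blake.enable` is not a stock NixOS
        # option (stock is users.users.<name>); presumably declared by a
        # project module — confirm it exists, otherwise evaluation fails.
        "blake_passwd" = lib.mkIf config.users.blake.enable {
          owner = "root";
          group = "root";
          neededForUsers = true;
        };

        # Borg repository passphrase for the backup job (runs as root).
        "borg_passwd" = lib.mkIf config.modules.system.backups.enable {
          owner = "root";
          group = "root";
        };

        # Pre-auth key consumed by the tailscale service (runs as root).
        # Its blast radius is the whole tailnet: prefer a key that is
        # single-use/ephemeral and has an expiry, and rotate it if this
        # host is ever compromised.
        "tailscale_authkey" = lib.mkIf config.modules.system.tailscale.enable {
          owner = "root";
        };

        # nginx TLS material — not wired up yet. Kept in the shape to use
        # when it is: one mkIf per secret (the previous wrapper form was a
        # syntax error), owned by the nginx service account so it can read
        # the files without running as root.
        # "ssl_blakedheld_crt" = lib.mkIf config.modules.homelab.nginx-proxy.enable {
        #   owner = "nginx";
        #   group = "nginx";
        # };
        # "ssl_blakedheld_key" = lib.mkIf config.modules.homelab.nginx-proxy.enable {
        #   owner = "nginx";
        #   group = "nginx";
        # };
      };
    };
  };
}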