# NixOS module: configures sops-nix with an age key file, declares two
# encrypted secrets, renders one credentials file per secret and exposes both
# rendered files under /etc/nixos/.
{ config, lib, ... }:

let
  moduleCfg = config.sops-config;
  inherit (config.sops) placeholder templates;
in
{
  # Location of the age private key used to decrypt ./secrets.yaml.
  # The option is a plain string, not a Nix path literal, so the key itself is
  # referenced by location instead of being copied into the world-readable
  # Nix store.
  # NOTE(review): the empty default is not a usable key location; hosts that
  # import this module presumably have to set sops-config.key-file - confirm.
  options.sops-config.key-file = lib.mkOption {
    type = lib.types.str;
    default = "";
  };

  config = {
    # The key file must not be passphrase-protected: decryption runs
    # unattended, so nothing can answer a passphrase prompt. Anyone who can
    # read this file can decrypt every secret below, so keep it root-only.
    sops.age.keyFile = moduleCfg.key-file;
    sops.defaultSopsFile = ./secrets.yaml;

    # Both entries are looked up by name in the default sops file.
    sops.secrets.filez = { };
    sops.secrets.media-server = { };

    # The templates hold only placeholders at evaluation time; sops-nix swaps
    # in the decrypted values when it renders the files, so the plaintext
    # passwords are never written to the Nix store.
    # NOTE(review): one key=value pair per line is assumed - confirm against
    # whatever consumes these files.
    sops.templates."media-server-secrets".content = ''
      username=media
      password=${placeholder.media-server}
    '';
    sops.templates."filez-secrets".content = ''
      username=admin
      password=${placeholder.filez}
    '';

    # /etc/nixos/<name> points at the rendered template, so access is governed
    # by the owner and mode of the rendered file. None are set here, so the
    # sops-nix defaults apply - verify them if a non-root service must read
    # these credentials.
    environment.etc."nixos/filez-secrets".source = templates."filez-secrets".path;
    environment.etc."nixos/media-server-secrets".source = templates."media-server-secrets".path;
  };
}