# sops-nix wiring for a host: picks the age key file and the encrypted secrets
# file, installs the sops CLI, and declares which secrets are deployed.
{ config, lib, pkgs, ... }:
let
  cfg = config.syscfg;
  host = cfg.hostname;

  # Hosts named "ci" or "sandbox" get the mock key path and ./mock.yaml
  # instead of the real key path and ./common.yaml.
  # NOTE(review): presumably mock.yaml holds only throwaway values, since its
  # key has to be available to CI; confirm no real credential is stored in it.
  onCiHost = builtins.elem host [ "ci" "sandbox" ];

  # Falls back to an empty set when the configured default user is not
  # declared in users.users; the `or` fallbacks further down cover that case.
  primaryUser = config.users.users.${cfg.defaultUser} or { };
  fallbackGroup = if pkgs.stdenv.isDarwin then "staff" else "users";

  ageKeyFile =
    if onCiHost
    then "/var/lib/sops-nix/mock-key.txt"
    else "/var/lib/sops-nix/age-key.txt";

  secretsFile = if onCiHost then ./mock.yaml else ./common.yaml;
in
{
  environment = {
    systemPackages = [ pkgs.sops ];

    # Only the *path* is exported to every session so the sops CLI can find
    # the identity. Who can actually decrypt is decided by the permissions on
    # the key file itself; verify it stays readable by root only.
    variables.SOPS_AGE_KEY_FILE = ageKeyFile;
  };

  sops = {
    defaultSopsFile = secretsFile;

    age = {
      keyFile = ageKeyFile;
      # Creates a key at keyFile when none exists. A freshly generated key is
      # not yet a recipient of the already-encrypted file, so a new host still
      # needs its public key added and the file re-keyed before secrets decrypt.
      generateKey = true;
    };

    secrets = lib.mkMerge [
      # Per-host SSH private key: read-only for the default user, nobody else.
      {
        "${host}_ssh_priv" = {
          mode = "0400";
          owner = primaryUser.name or cfg.defaultUser;
          group = primaryUser.group or fallbackGroup;
        };
      }

      # The next two secrets take the sops-nix defaults for owner and mode
      # (root-owned, 0400 upstream; confirm against the pinned sops-nix).
      (lib.mkIf cfg.net.wlp.enable {
        wifi = { };
      })
      (lib.mkIf cfg.net.wg.enable {
        "${host}_wg_priv" = { };
      })

      # No owner is set here, so the module default applies.
      # NOTE(review): if the telegraf service reads this file under its own
      # account rather than via root, it needs an explicit owner; confirm.
      (lib.mkIf cfg.monitoring.telegraf.enable {
        telegraf = {
          mode = "0400";
        };
      })
    ];
  };
}