{ config, lib, pkgs, ... }:
let
  inherit (config.syscfg) hostname defaultUser;

  # The account that owns the per-host SSH key pair.
  user = config.users.users.${defaultUser};

  # Hosts that evaluate against mock material instead of the real secrets file.
  mockHosts = [ "ci" "sandbox" ];
  isCI = lib.elem hostname mockHosts;

  sopsDir = "/var/lib/sops-nix";
  keyFilePath = "${sopsDir}/${if isCI then "mock-key.txt" else "age-key.txt"}";
  sopsFilePath = if isCI then ./mock.yaml else ./common.yaml;

  # A secret owned by the default user, with the given permission bits.
  userSecret = mode: {
    inherit mode;
    owner = user.name;
    group = user.group;
  };

  # Suffix every entry of `names` and attach the same attrs to each resulting secret.
  suffixed = suffix: names: attrs:
    lib.genAttrs (map (n: "${n}${suffix}") names) (_: attrs);

  # Secrets specific to this host. Entries left as `{ }` keep sops-nix's
  # option defaults (root-owned, not readable by the default user).
  hostSecrets = {
    wifi = { };
    "${hostname}_ssh_priv" = userSecret "0400";
    "${hostname}_ssh_pub" = userSecret "0444";
    "${hostname}_wg_priv" = { };
    "${hostname}_wg_pub" = { };
  };
in
{
  environment.systemPackages = [ pkgs.sops ];

  # Exported for every session so `sops` on the host finds the age key
  # without extra flags; only the key's path is exposed here, not the key.
  environment.sessionVariables.SOPS_AGE_KEY_FILE = keyFilePath;

  sops = {
    defaultSopsFile = sopsFilePath;
    age = {
      keyFile = keyFilePath;
      # Lets a freshly provisioned host create its own age key when the
      # file is absent; an existing key is not replaced.
      generateKey = true;
    };
    secrets = lib.mkMerge [
      hostSecrets
      # Public keys of the WireGuard peers this host serves, root-readable only.
      (suffixed "_wg_pub" config.syscfg.net.wg.server.peers { mode = "0400"; })
      # SSH public keys of the other hosts in the fleet, world-readable.
      (suffixed "_ssh_pub" [ "iriy" "avalon" "asguard" "valinor" ] { mode = "0444"; })
    ];
  };
}