# NixOS module gated by `horseman.base.secrets.enable`. When enabled it installs
# the ragenix CLI and declares which age-encrypted files under ../../secrets are
# decrypted on the host, where they are placed, and who owns them.
{
  lib,
  config,
  pkgs,
  ...
}: let
  inherit (lib) mkEnableOption mkIf;

  cfg = config.horseman.base.secrets;
  user = config.horseman.username;

  # NOTE(review): the home directory is assumed to be /home/<username>; nothing
  # in this module checks it against the user's configured home.
  sshDir = "/home/${user}/.ssh";

  # Map a secret name (may contain sub-directories) to its encrypted .age file.
  ageFile = name: ../../secrets/${name}.age;

  # Secret decrypted into the user's ~/.ssh and owned by that user.
  # No `mode` is set, so the age module's default applies. agenix documents
  # that default as 0400 (owner read-only) — confirm against the pinned version,
  # since the private keys below rely on it.
  userSshFile = source: target: {
    file = ageFile "ssh/${source}";
    owner = user;
    group = "users";
    path = "${sshDir}/${target}";
  };
in {
  options = {
    horseman.base.secrets = {
      # NOTE(review): the description string is empty, so generated option docs
      # will not say what this switch enables.
      enable = mkEnableOption "";
    };
  };

  config = mkIf cfg.enable {
    # CLI for creating, editing and rekeying the .age files.
    environment.systemPackages = [pkgs.ragenix];

    age.secrets = {
      # No owner/group/mode/path given: module defaults apply.
      wifi.file = ageFile "wifi";

      # Personal key pair, installed under the conventional id_ed25519 names.
      personalSSHpub = userSshFile "id_personal.pub" "id_ed25519.pub";
      personalSSH = userSshFile "id_personal" "id_ed25519";

      # Separate key pair for GitHub.
      githubSSHpub = userSshFile "id_github.pub" "id_github.pub";
      githubSSH = userSshFile "id_github" "id_github";

      # Client configuration, also shipped encrypted.
      sshConfig = userSshFile "config" "config";

      # SECURITY: mode 444 makes this decrypted secret readable by every local
      # user and service, and `symlink = false` writes a real file at `path`
      # instead of a link into the age runtime directory.
      # NOTE(review): presumably this is so a container running under another
      # UID can read it — confirm. If so, prefer setting owner/group to the
      # consuming UID/GID with mode 0400 or 0440 rather than world-readable.
      forgejo-secret = {
        file = ageFile "containers/forgejo-secret";
        path = "/run/forgejo-secrets/secret";
        symlink = false;
        mode = "444";
      };
    };
  };
}