{
  lib,
  config,
  pkgs,
  ...
}: let
  inherit (lib) mkEnableOption mkIf;
  cfg = config.horseman.base.secrets;
  secretFile = path: ../../secrets/${path};
  username = config.horseman.username;
in {
  options = {
    horseman.base.secrets = {
      enable = mkEnableOption "";
    };
  };

  config = mkIf cfg.enable {
    environment.systemPackages = [pkgs.ragenix];

    age.secrets = {
      wifi.file = secretFile "wifi.age";

      personalSSHpub = {
        file = secretFile "ssh/id_personal.pub.age";
        owner = username;
        group = "users";
        path = "/home/horseman/.ssh/id_ed25519.pub";
      };
      personalSSH = {
        file = secretFile "ssh/id_personal.age";
        owner = username;
        group = "users";
        path = "/home/horseman/.ssh/id_ed25519";
      };
      githubSSHpub = {
        file = secretFile "ssh/id_github.pub.age";
        owner = username;
        group = "users";
        path = "/home/horseman/.ssh/id_github.pub";
      };
      githubSSH = {
        file = secretFile "ssh/id_github.age";
        owner = username;
        group = "users";
        path = "/home/horseman/.ssh/id_github";
      };

      sshConfig = {
        file = secretFile "ssh/config.age";
        owner = username;
        group = "users";
        path = "/home/horseman/.ssh/config";
      };
    };
  };
}