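# sops-nix secret declarations for the services on this host.
#
# Each secret below names its own encrypted `sopsFile`, so `defaultSopsFile`
# only applies to secrets that do not set one.
{ config, ... }:
{
  sops.defaultSopsFile = ./secrets/services.yaml;

  # The host's SSH ed25519 key is the identity used to decrypt the sops files.
  # Anyone who can read this key can decrypt every secret declared here.
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # Vaultwarden
  # dotenv-format secret, readable only by the vaultwarden account.
  sops.secrets."services/vaultwarden/.env" = {
    mode = "0400";
    owner = config.users.users.vaultwarden.name;
    group = config.users.users.vaultwarden.group;
    sopsFile = ./secrets/vaultwarden.env;
    format = "dotenv";
  };

  # Attic
  # dotenv-format credentials, readable only by root.
  sops.secrets."services/attic/creds.env" = {
    mode = "0400";
    owner = config.users.users.root.name;
    group = config.users.users.root.group;
    sopsFile = ./secrets/attic.env;
    format = "dotenv";
  };

  # MSMTP
  # Read-only for every account: a password file never needs write or execute
  # bits, and a world-writable secret lets any local account replace the
  # credential. No owner/group is set here, so the sops-nix defaults apply.
  # NOTE(review): 0444 still exposes the SMTP password to every local account
  # and service. Once the accounts that actually invoke msmtp are known, set
  # owner/group for them and tighten this to "0440" or "0400".
  sops.secrets."services/msmtp/password" = {
    mode = "0444";
    sopsFile = ./secrets/msmtp.yaml;
  };

  # Wireguard
  # Private key and pre-shared key for the airvpn tunnel, root-only.
  sops.secrets."services/wireguard/airvpn.private" = {
    mode = "0400";
    owner = config.users.users.root.name;
    group = config.users.users.root.group;
    sopsFile = ./secrets/wireguard.yaml;
  };
  sops.secrets."services/wireguard/airvpn.psk" = {
    mode = "0400";
    owner = config.users.users.root.name;
    group = config.users.users.root.group;
    sopsFile = ./secrets/wireguard.yaml;
  };
}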