{ config, ... }:
{
  sops.defaultSopsFile = ./secrets/nginx.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # Nginx
  sops.secrets."services/nginx/admin.htpasswd" = {
    mode = "0400";
    owner = config.users.users.nginx.name;
    group = config.users.users.nginx.group;
  };
  sops.secrets."services/nginx/ecchi.htpasswd" = {
    mode = "0400";
    owner = config.users.users.nginx.name;
    group = config.users.users.nginx.group;
  };

  # HedgeDoc
  sops.secrets."services/hedgedoc/.env" = {
    mode = "0400";
    owner = config.users.users.hedgedoc.name;
    sopsFile = ./secrets/hedgedoc.env;
    format = "dotenv";
  };
}