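# Secrets management with agenix
#
# Secrets are kept as age-encrypted `.age` files under ../../secrets and are
# decrypted by agenix at system activation. Only ciphertext belongs in that
# directory: like the rest of this flake's source tree it is copied into the
# world-readable Nix store, so a plaintext file placed there would be exposed
# to every local user (and to anyone with the store path).
{ config, lib, pkgs, inputs, nomarchyConfig, ... }:

let
  # Directory (relative to this file) holding the encrypted `.age` files and,
  # per agenix convention, the `secrets.nix` listing the recipient public keys.
  secretsPath = ../../secrets;

  # builtins.pathExists only establishes that the directory exists; it does not
  # check that it contains any secrets. An empty directory still enables agenix,
  # which is harmless (there is nothing to decrypt).
  hasSecrets = builtins.pathExists secretsPath;
in
{
  # Import the agenix NixOS module only when a secrets directory is present.
  # `imports` may depend on `lib` (a fixed module argument) but never on
  # `config`; hasSecrets is a pure path check, so this is safe.
  imports = lib.optionals hasSecrets [
    inputs.agenix.nixosModules.default
  ];

  # `lib.optionalAttrs`, not `lib.mkIf`: when hasSecrets is false the agenix
  # module is not imported, so the `age.*` options are not declared, and the
  # module system rejects a definition of an undeclared option even when it is
  # wrapped in `mkIf false`. optionalAttrs drops the definitions entirely, so a
  # configuration without a secrets directory still evaluates.
  config = lib.optionalAttrs hasSecrets {
    # agenix CLI (`agenix -e <file>.age`, `agenix -r`) for creating and
    # re-keying secrets from an admin shell.
    environment.systemPackages = [
      inputs.agenix.packages.${pkgs.system}.default
    ];

    # Private keys agenix uses (as root, at activation) to decrypt the secrets.
    # Each secret must be encrypted to the public half of at least one of these
    # host keys, and the key file must already exist when the activation script
    # runs: on a fresh install, generate or provision the host key before the
    # first switch that references a secret. Prefer encrypting to the ed25519
    # key; the RSA entry is kept for hosts that only carry an RSA host key
    # (agenix appears to skip identity paths that are not readable — confirm
    # against the agenix version pinned in the flake inputs).
    age.identityPaths = [
      "/etc/ssh/ssh_host_ed25519_key"
      "/etc/ssh/ssh_host_rsa_key"
    ];

    # Example secret (users override in their own configuration). Decrypted
    # files are written under agenix's secrets directory (/run/agenix by
    # default). Keep them root-owned and 0400; when a service account must
    # read one, set `owner` (or `group`) to that account rather than widening
    # `mode`.
    # age.secrets = {
    #   wifi-password = {
    #     file = ../../secrets/wifi-password.age;
    #     owner = "root";
    #     group = "root";
    #     mode = "0400";
    #   };
    # };
  };
}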