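# NixOS module: declares the sops-nix secrets for this host behind
# `sopsSetup.enable`, plus a set of desktop-only secrets behind `global.desktop`.
{ lib, config, ... }:
let
  cfg = config.sopsSetup;

  # The desktop flag is declared below as `global.desktop`, not under
  # `sopsSetup`, so it is read from where it is declared. Reading it as
  # `cfg.desktop` would reference an option this module never declares.
  # NOTE(review): if `sopsSetup.desktop` was the intended name, rename the
  # option declaration instead and update every host that sets it.
  desktopSecrets = config.global.desktop;

  # Shared shape for secrets materialised inside lillian's home directory:
  # owner-only permissions, owned by the user rather than root.
  lillianSecret = path: {
    mode = "0600";
    owner = config.users.users.lillian.name;
    inherit path;
  };
in
{
  options = {
    sopsSetup.enable = lib.mkEnableOption "Enable Module";

    global.desktop = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = "Whether or not to install shared desktop secrets.";
    };
  };

  config = lib.mkIf cfg.enable {
    sops = {
      # Private age identity that decrypts every secret below. This module
      # neither creates the file nor sets its permissions: it has to be
      # provisioned on the host out of band, readable by root only, and must
      # never be committed to the repository or copied into the Nix store.
      age.keyFile = "/var/secrets/keys.txt";

      # Per-host encrypted secrets file, selected by hostname. This is a path
      # literal, so the file is copied into the world-readable Nix store; it
      # must only ever hold sops-encrypted values.
      defaultSopsFile = ../hosts/${config.networking.hostName}/secrets/sops.yaml;

      # Every secret lives under `sops.secrets`. Definitions placed directly
      # under `config.secrets` are not sops-nix options and would not be
      # provisioned.
      secrets = {
        # Decrypted early so that user creation can consume it; the option
        # that consumes it is not set in this module.
        "lillian-password".neededForUsers = true;

        # 0440 makes the WireGuard private key readable by the owning group as
        # well as by root. No `group` is set here, so the sops-nix default
        # applies.
        # NOTE(review): confirm which group that is, and tighten to "0400" if
        # only root needs to read the key.
        "wg-private-key" = {
          mode = "0440";
          owner = config.users.users.root.name;
        };

        # NOTE(review): for the `path` entries below, check that parent
        # directories which do not exist yet (~/.ssh, ~/.config/Ryujinx/system)
        # end up owned by lillian with the expected modes, not by root.
        "ssh-private-key" = lillianSecret "/home/lillian/.ssh/id_ed25519";

        # Desktop-only secrets, installed only when `global.desktop` is set.
        "nextcloud-password" = lib.mkIf desktopSecrets (lillianSecret "/home/lillian/.netrc");
        "prod.keys" = lib.mkIf desktopSecrets (lillianSecret "/home/lillian/.config/Ryujinx/system/prod.keys");
        "title.keys" = lib.mkIf desktopSecrets (lillianSecret "/home/lillian/.config/Ryujinx/system/title.keys");
      };
    };
  };
}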