{ config, lib, ... }:
let
  # Secret readable only by one service account: owner and group are the
  # same user, and the sops-nix default mode (0400) leaves it owner-only.
  ownedBy = user: {
    owner = user;
    group = user;
  };

  # Secret shared with a group: root keeps ownership, members of `group`
  # get read access, nobody else.
  readableByGroup = group: {
    owner = "root";
    inherit group;
    mode = "0440";
  };

  # Single-owner secrets for coturn, group left at the sops-nix default.
  turnOwned = { owner = "turnserver"; };

  # Evaluated lazily by the module system when the mkIf below is merged.
  batteryManagerEnabled = config.services.batteryManager.enable;
in
{
  sops = {
    defaultSopsFile = ../keys/production.yaml;

    secrets = {
      # Battery manager -- only declared while the service is enabled, so
      # the key material is not materialised on hosts that do not run it.
      "battery-manager/email" = lib.mkIf batteryManagerEnabled (ownedBy "battery-manager");
      "battery-manager/password" = lib.mkIf batteryManagerEnabled (ownedBy "battery-manager");

      # Forgejo (Gitea fork): the scrape token is readable by the `metrics`
      # group so the scraper can authenticate without owning the file.
      "forgejo/metrics-token" = {
        owner = "forgejo";
        group = "metrics";
        mode = "0440";
      };

      # Grafana
      "grafana/adminPassword" = ownedBy "grafana";
      "grafana/secretKey" = ownedBy "grafana";

      # Heisenbridge -- no owner given, so sops-nix defaults apply (root-owned,
      # 0400); presumably the bridge reads these as root or via a credential
      # mechanism -- confirm against the service definition.
      "heisenbridge/as-token" = { };
      "heisenbridge/hs-token" = { };

      # Matrix-hookshot -- same defaults as the Heisenbridge tokens above.
      "matrix-hookshot/as-token" = { };
      "matrix-hookshot/hs-token" = { };

      # Nextcloud
      "nextcloud/tlater" = ownedBy "nextcloud";

      # Porkbun/ACME: DNS-01 API credentials, readable by the acme user only
      # (group falls back to the sops-nix default).
      "porkbun/api-key" = {
        owner = "acme";
      };
      "porkbun/secret-api-key" = {
        owner = "acme";
      };

      # Restic: repository passwords stay root-owned but are shared with the
      # `backup` group.
      "restic/local-backups" = readableByGroup "backup";
      "restic/storagebox-backups" = readableByGroup "backup";
      # NOTE(review): mode 0040 grants read access to group `backup` but not
      # to the owning user. For a process whose uid matches the owner only the
      # owner bits are consulted, so anything running as user `backup` cannot
      # open this key (root can). Confirm this is intended; 0400 or 0440 would
      # be the usual choice if the backup job runs as `backup`.
      "restic/storagebox-ssh-key" = {
        owner = "backup";
        group = "backup";
        mode = "0040";
      };

      # Steam -- sops-nix defaults (root-owned, 0400).
      "steam/tlater" = { };

      # Turn: the environment file keeps sops-nix defaults; the shared secret
      # and TLS key/cert are readable by the turnserver user.
      "turn/env" = { };
      "turn/secret" = turnOwned;
      "turn/ssl-key" = turnOwned;
      "turn/ssl-cert" = turnOwned;

      # Wireguard: private key stays root-owned, readable by systemd-networkd
      # through the `systemd-network` group.
      "wireguard/server-key" = readableByGroup "systemd-network";
    };
  };
}