{ config, pkgs, lib, ... }:

{
  options.secrets = {
    enable = lib.mkEnableOption "agenix secret management";

    identity = lib.mkOption {
      type = lib.types.path;
      default = "/etc/ssh/ssh_host_ed25519_key";
      description = "Path to the SSH host private key used for age decryption.";
    };
  };

  config = lib.mkIf config.secrets.enable {
    age = {
      identityPaths = [ config.secrets.identity ];
      secrets = { };
    };

    environment.systemPackages = with pkgs; [ agenix ];
  };
}