{ lib, config, username, ... }:
let
  # Captured from the NixOS-level config before `config` is shadowed by the
  # home-manager submodule argument further down.
  hostName = config.networking.hostName;
  enabled = config.secrets.enable;
in
{
  # Single on/off switch for both the system-level and the per-user sops setup.
  options.secrets.enable = lib.mkEnableOption "Enable secrets in NixOS & home-manager";

  config = lib.mkIf enabled {
    # System-level sops-nix configuration.
    sops = {
      age = {
        # Age identity used to decrypt secrets.yaml; lives in the user's home.
        keyFile = "/home/${username}/.config/sops/age/keys.txt";
      };
      defaultSopsFile = ./secrets.yaml;
      defaultSopsFormat = "yaml";
      secrets = {
        password_secure = { };
        password_insecure = { };
        # Per-host Syncthing identity; key names are derived from the hostname.
        "syncthing/${hostName}_key" = { };
        "syncthing/${hostName}_cert" = { };
      };
      # Disabled template, kept for reference.
      # NOTE(review): if re-enabled, check the sops-nix docs for templates —
      # `config.sops.secrets.<name>` evaluates to the secret's on-disk path, not
      # its contents; sops-nix's `config.sops.placeholder.<name>` is the hook
      # that gets substituted with the decrypted value — confirm before use.
      # templates = {
      #   "nix-github-token.conf" = {
      #     content = ''
      #       access-tokens = "${config.sops.secrets.github_token}"
      #     '';
      #   };
      # };
    };

    # Per-user sops-nix configuration via home-manager. Here `config` is the
    # home-manager configuration, not the NixOS one.
    home-manager.users.${username} = { config, ... }: {
      sops = {
        age = {
          keyFile = "${config.xdg.configHome}/sops/age/keys.txt";
        };
        defaultSopsFile = ./secrets.yaml;
        defaultSopsFormat = "yaml";
        # NOTE(review): UID 1000 is hard-coded below although the user itself is
        # parameterised via `username`; confirm it matches that user's uid, since
        # a mismatch would place the decrypted secrets under another user's runtime
        # directory.
        defaultSymlinkPath = "/run/user/1000/secrets";
        defaultSecretsMountPoint = "/run/user/1000/secrets.d";
        secrets = {
          "github_token" = { };
        };
      };
    };
  };
}