{ config, ... }:

{
  age.secrets = {
    # authelia
    authelia-jwt.file = ./authelia/jwt.age;
    authelia-storage.file = ./authelia/storage.age;
    authelia-session.file = ./authelia/session.age;
    authelia-oidc-issuer-privatekey-pem.file = ./authelia/oidc-issuer-privatekey-pem.age;
    authelia-oidc-issuer-privatekey-crt.file = ./authelia/oidc-issuer-privatekey-crt.age;
    authelia-smtp-password.file = ./authelia/smtp-password.age;

    # lldap
    lldap-admin-user-pass.file = ./lldap/admin-user-pass.age;
    lldap-bind-user-pass = {
      file = ./lldap/bind-user-pass.age;
      group = "secrets-lldap-bind-user-pass";
      mode = "0440";
    };
    lldap-bind-user-pass-hedgedoc-env.file = ./lldap/bind-user-pass-hedgedoc-env.age;

    # mumble
    murmur-env.file = ./murmur/env.age;
    murmur-superpassword.file = ./murmur/superpassword.age;

    # forgejo
    forgejo-authelia-secret.file = ./forgejo/authelia-secret.age;

    # teeworlds
    teeworlds-env.file = ./teeworlds/env.age;

    # nextcloud
    nextcloud-admin-pass.file = ./nextcloud/admin-pass.age;
    nextcloud-secrets.file = ./nextcloud/secrets.age;

    # stalwart
    stalwart-admin-fallback-password.file = ./stalwart/admin-fallback-password.age;

    # matrix-synapse
    matrix-synapse-config-authelia-secret.file = ./matrix-synapse/config-authelia-secret.age;

    # wger
    wger-env.file = ./wger/env.age;

    # restic
    restic-env.file = ./restic/env.age;
    restic-pass.file = ./restic/pass.age;

    # searx
    searx-env.file = ./searx/env.age;
  };

  users.groups.secrets-lldap-bind-user-pass = {};
}