{
  config,
  lib,
  ...
}: let
  # mkFakeSecret = secretName: {
  #   name = secretName;
  #   value = {
  #     path = "/dev/null";
  #   };
  # };
  # fakeSecrets =
  #   builtins.listToAttrs (lib.debug.traceValSeqN 2 (builtins.map mkFakeSecret
  #       (lib.debug.traceValSeqN 2 (builtins.attrNames secrets))));
  cfg = config.soispha.secrets;
in {
  options.soispha.secrets = {
    enable = lib.mkEnableOption "secrets through agenix";
  };

  config = lib.mkIf cfg.enable {
    age = {
      secrets = {
        lf_cd_paths = {
          file = ./lf/cd_paths;
          mode = "700";
          owner = "soispha";
          group = "users";
        };

        # FIXME: Reactive when serverphone is merged in tree again <2024-05-11>
        #
        # serverphoneCa = {
        #   file = ./serverphone/ca.key;
        #   mode = "700";
        #   owner = "serverphone";
        #   group = "serverphone";
        # };
        # serverphoneServer = {
        #   file = ./serverphone/server.key;
        #   mode = "700";
        #   owner = "serverphone";
        #   group = "serverphone";
        # };

        taskserverPrivate = {
          file = ./taskserver/private.key;
          mode = "700";
          owner = "soispha";
          group = "users";
        };
        taskserverPublic = {
          file = ./taskserver/public.cert;
          mode = "700";
          owner = "soispha";
          group = "users";
        };
        taskserverCA = {
          file = ./taskserver/ca.cert;
          mode = "700";
          owner = "soispha";
          group = "users";
        };
        taskserverCredentials = {
          file = ./taskserver/credentials;
          mode = "700";
          owner = "soispha";
          group = "users";
        };
      };
    };
  };
}