# Host-level wiring for agenix: import its NixOS module, let `secrets.<name>`
# stand in for `age.secrets.<name>`, and choose the age identity used to
# decrypt the secrets on this machine.
{ config, inputs, lib, pkgs, this, ... }:
with lib;
let
  # SSH key type shared by the user key and the sshd host key (e.g. "ed25519").
  # `my` is not a function argument; it is resolved through `with lib;`, so the
  # extended lib is expected to carry it.
  keyType = my.ssh.type;

  # Headful hosts decrypt with the user's own SSH private key under $HOME.
  # NOTE(review): agenix decrypts during activation, so this file has to be
  # present and usable non-interactively at that point — confirm for this setup.
  userIdentity = [ "${config.my.home}/.ssh/id_${keyType}" ];

  # Headless hosts decrypt with every sshd host key of the matching type;
  # keys of other types are left out so a non-matching identity is never tried.
  hostIdentities = pipe config.services.openssh.hostKeys [
    (filter (key: key.type == keyType))
    (map (key: key.path))
  ];
in
{
  imports = [
    inputs.agenix.nixosModule
    # `secrets` is purely a shorter spelling of `age.secrets`.
    (mkAliasOptionModule [ "secrets" ] [ "age" "secrets" ])
  ];

  config = {
    age.identityPaths = if this.isHeadful then userIdentity else hostIdentities;

    # Auto-registering every file under ./age would remove the need to spell out
    # the path of each encrypted file. It is deliberately left disabled: it
    # exposes *all* secrets to all machines and tries to decrypt every one of
    # them, even on hosts that never use them.
    #
    # age.secrets =
    #   let
    #     secretsSourceDir = "${inputs.self}/age";
    #   in
    #   mapAttrs'
    #     (name: _:
    #       nameValuePair name {
    #         file = "${secretsSourceDir}/${name}";
    #         owner = mkDefault my.username;
    #         group = mkDefault config.my.group;
    #       })
    #     (builtins.readDir secretsSourceDir);

    # CLI for editing/re-keying secrets, plus a pin so the flake input is kept
    # around as a dependency of the system closure.
    environment.systemPackages = with pkgs; [ agenix ];
    system.extraDependencies = [ inputs.agenix ];
  };
}