{ config, ... }:
{
  # TODO: Get a token2 and set up https://github.com/oddlama/agenix-rekey
  age = {
    identityPaths = [ "/var/lib/persistent/host_id_ed25519" ];

    secrets = {
      access-tokens-github.file = ../../secrets/gh_argstr.age;

      fbda-wg-privkey.file = ../../secrets/fbda_wg_priv_key.age;
      fbda-wg-psk.file = ../../secrets/fbda_wg_psk.age;

      obvps-id = {
        file = ../../secrets/1bvps.age;
        path = "/home/rhea/.ssh/id_1bvps";
        owner = "rhea";
        symlink = false;
      };

      gh_etwas = {
        file = ../../secrets/gh_token.age;
        path = "/home/rhea/.ssh/id_gh_etwas";
        owner = "rhea";
        symlink = false;
      };

      gcd_etwas = {
        file = ../../secrets/gcd_etwas.age;
        path = "/home/rhea/.ssh/id_gcd_etwas";
        owner = "rhea";
        symlink = false;
      };

      etwas_sign_key = {
        file = ../../secrets/sign_etwas.age;
        path = "/home/rhea/.ssh/etwas_sign_key";
        owner = "rhea";
        symlink = false;
      };
    };
  };

  nix.extraOptions = ''
    !include ${config.age.secrets.access-tokens-github.path}
  '';
}