{ config, pkgs, ... }:
let
  # Root of the encrypted secrets tree; every .age file below and the per-host
  # rekeyed output are addressed relative to it.
  # NOTE(review): without `${...}` interpolation, `inputs.private-config/modules/secrets`
  # is lexed by Nix as a single relative path literal (resolved against this
  # file's directory), not as an attribute lookup on `inputs` — and `inputs` is
  # not bound in the module arguments above. Confirm this resolves to the
  # intended directory before relying on it.
  secretsDir = inputs.private-config/modules/secrets;

  # Build the secret declaration for a key that is decrypted straight into
  # rhea's ~/.ssh as a regular, rhea-owned file (no symlink into the agenix
  # runtime directory).
  #   ageFile: file name inside secretsDir
  #   target:  file name under /home/rhea/.ssh
  rheaSshSecret = ageFile: target: {
    file = secretsDir + "/${ageFile}";
    path = "/home/rhea/.ssh/${target}";
    owner = "rhea";
    symlink = false;
  };
in
{
  # TODO: Get a token2 and set up https://github.com/oddlama/agenix-rekey
  age = {
    # Host identity used by agenix to decrypt secrets at activation time.
    identityPaths = [ "/var/lib/persistent/host_id_ed25519" ];

    rekey = {
      agePlugins = [ pkgs.age-plugin-fido2-hmac ];

      # Obtain this using `ssh-keyscan` or by looking it up in your ~/.ssh/known_hosts
      hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJynM8SLRXRrfGRJd43T4wabsOHFcWeeuTym9h7vl7Io";

      # The path to the master identity used for decryption. See the option's
      # description for more information.
      masterIdentities = [ ./token2_hmac.pub ];
      #masterIdentities = [ "/home/myuser/master-key" ]; # External master key
      #masterIdentities = [
      #  # It is possible to specify an identity using the following alternate syntax,
      #  # this can be used to avoid unnecessary prompts during encryption.
      #  {
      #    identity = "/home/myuser/master-key.age"; # Password protected external master key
      #    pubkey = "age1qyqszqgpqyqszqgpqyqszqgpqyqszqgpqyqszqgpqyqszqgpqyqs3290gq"; # Specify the public key explicitly
      #  }
      #];

      storageMode = "local";
      # Choose a directory to store the rekeyed secrets for this host.
      # This cannot be shared with other hosts. Please refer to this path
      # from your flake's root directory and not by a direct path literal like ./secrets
      localStorageDir = secretsDir + "/rekeyed/${config.networking.hostName}";
    };

    secrets = {
      # Secrets consumed by system services; they keep agenix's default
      # location and ownership.
      access-tokens-github.file = secretsDir + "/gh_argstr.age";
      fbda-wg-privkey.file = secretsDir + "/fbda_wg_priv_key.age";
      fbda-wg-psk.file = secretsDir + "/fbda_wg_psk.age";

      # Per-user SSH material for rhea.
      obvps-id = rheaSshSecret "1bvps.age" "id_1bvps";
      ncvps-id = rheaSshSecret "ncvps.age" "id_ncvps";
      gh_etwas = rheaSshSecret "gh_token.age" "id_gh_etwas";
      gcd_etwas = rheaSshSecret "gcd_etwas.age" "id_gcd_etwas";
      ebd_rhea = rheaSshSecret "ebd_token.age" "id_ebd_rhea";
      glrwth_tuda = rheaSshSecret "glrwth_token.age" "id_glrwth_tuda";
      etwas_sign_key = rheaSshSecret "sign_etwas.age" "etwas_sign_key";
      ffda_outoor_key = rheaSshSecret "ffda_token.age" "id_ffda_outdoor";
    };
  };

  # Pull the decrypted GitHub token file into nix.conf via `!include`, so the
  # token itself never appears in the world-readable Nix store.
  # NOTE(review): presumably the file holds an `access-tokens = ...` line —
  # verify against the encrypted source.
  nix.extraOptions = ''
    !include ${config.age.secrets.access-tokens-github.path}
  '';
}