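{ config, lib, pkgs, sops-nix, ... }:
# Example: How to use sops-nix for secrets management
# This module is NOT imported by default - uncomment in nixos/default.nix to use
let
  # Placeholder account the secrets are installed for; replace before use.
  # Factored out so the owner/group/home path only has to be changed once.
  user = "youruser";
  group = "users";
  home = "/home/${user}";

  # Common ownership/permissions for every decrypted secret: readable only by
  # the owning user.
  secretPerms = {
    owner = user;
    group = group;
    mode = "0600";
  };
in
{
  imports = [ sops-nix.nixosModules.sops ];

  # Point to your encrypted secrets file
  sops.defaultSopsFile = ../../../secrets/secrets.yaml;

  # Age key location (sops-nix will decrypt using this).
  # Decryption runs as root during system activation, so this file must exist
  # and be readable by root at that point. Keeping the key in a user's home ties
  # activation to that home directory being present; deriving the age key from
  # the host SSH key (sops.age.sshKeyPaths) is the usual alternative.
  sops.age.keyFile = "${home}/.config/sops/age/keys.txt";

  # Define which secrets to decrypt and where
  sops.secrets = {
    # SSH keys
    # Decrypted to: /run/secrets/ssh/github_key
    "ssh/github_key" = secretPerms;

    # API keys
    "api_keys/example_api" = secretPerms;

    # Passwords (less recommended, use SSH keys when possible)
    "passwords/example_password" = secretPerms;
  };

  # Example: Use decrypted secret in environment variable
  # Note: this exposes the *path* of the secret, not its contents; the file
  # itself stays readable only by the owner configured above.
  environment.variables = {
    # GITHUB_SSH_KEY = "${config.sops.secrets."ssh/github_key".path}";
  };

  # Example: Copy secret to user home (for Git, SSH, etc.)
  #
  # The decrypted secret already lives under /run/secrets (a non-persistent
  # filesystem); copying it into a home directory leaves a plaintext copy on
  # persistent storage. Prefer pointing tools at the /run/secrets path (see
  # "Usage in other modules" below), or set `sops.secrets."ssh/github_key".path`
  # and let sops-nix place it for you. If you do copy it:
  #   - install(1) creates the target with its final mode and owner in a single
  #     step, so there is no window where the file exists with the default
  #     umask before chmod/chown run (the previous cp + chown + chmod sequence
  #     had such a window);
  #   - `install -d` creates ~/.ssh as 0700 owned by the user, whereas
  #     `mkdir -p` run by root would leave a root-owned directory with the
  #     default umask, which OpenSSH rejects for a user's .ssh directory;
  #   - "setupSecrets" is the activation script sops-nix uses to populate
  #     /run/secrets; ordering after it (as well as after "users") makes sure
  #     the source file exists when this script runs.
  system.activationScripts.installSecrets =
    lib.stringAfter [ "users" "setupSecrets" ] ''
      ${pkgs.coreutils}/bin/install -d -m 0700 -o ${user} -g ${group} ${home}/.ssh
      ${pkgs.coreutils}/bin/install -m 0600 -o ${user} -g ${group} \
        ${config.sops.secrets."ssh/github_key".path} ${home}/.ssh/github
    '';
}
# Usage in other modules:
#
# To use decrypted secrets in other config files, reference like:
#   ${config.sops.secrets."ssh/github_key".path}
#
# Example in Git config:
#   programs.git.extraConfig = {
#     core.sshCommand = "ssh -i ${config.sops.secrets."ssh/github_key".path}";
#   };
#
# Example in home-manager:
#   programs.ssh.matchBlocks.github = {
#     host = "github.com";
#     identityFile = "${config.sops.secrets."ssh/github_key".path}";
#   };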