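# Generates a sops configuration (as JSON) with one creation rule per host
# under ../../hosts.  Each rule covers hosts/<hostname>/secrets.json and
# encrypts to a fixed PGP fingerprint (read from pkgs.clerie-keys) plus, when
# the host directory contains an ssh.pub, an age recipient derived from that
# SSH host public key — i.e. the host itself can decrypt its own secrets file.
#
# Arguments: the usual nixpkgs `pkgs` and `lib`; other attributes are ignored.
# Returns: a store path holding "sops.json".
{ pkgs, lib, ... }:
let
  inherit (lib) fileContents escapeRegex filterAttrs;

  # Only directory-like entries count as hosts.  `builtins.readDir` also lists
  # regular files (a README, an editor backup, ...) and those must not turn
  # into creation rules for non-existent hosts.  Symlinks are kept so a
  # symlinked host directory keeps working.
  isHostDir = _name: type: type == "directory" || type == "symlink";
  hosts = builtins.attrNames (filterAttrs isHostDir (builtins.readDir ../../hosts));

  # Derivation that converts an SSH public key file into an age recipient
  # (`<hostname>.age`) using ssh-to-age.
  mkAgeKey = hostname: ssh_pub_file:
    pkgs.runCommand "${hostname}.age" { buildInputs = [ pkgs.ssh-to-age ]; } ''
      ssh-to-age -i ${ssh_pub_file} -o $out
    '';

  # age recipients for one host: the converted contents of
  # hosts/<hostname>/ssh.pub, or an empty list when that file does not exist.
  # NOTE: `fileContents` reads the derivation output during evaluation, so the
  # mkAgeKey build is forced at eval time for every host that has an ssh.pub.
  ageKeysForHost = hostname:
    let
      ssh_pub_file = ../../hosts + "/${hostname}/ssh.pub";
    in
    if builtins.pathExists ssh_pub_file
    then [ (fileContents (mkAgeKey hostname ssh_pub_file)) ]
    else [ ];

  # PGP recipient shared by every rule; the fingerprint file is read from the
  # clerie-keys package at evaluation time (lazily, only if a rule exists).
  pgpFingerprint =
    fileContents (pkgs.clerie-keys + "/gpg/clerie@clerie.de.fingerprint.txt");

  # One sops creation rule per hostname.  The regex is escaped but left
  # unanchored on purpose: sops matches path_regex against the path relative
  # to the config file, and this config is written to the store, so an
  # anchored pattern would presumably never match — confirm before tightening.
  mkCreationRules = hostnames:
    map
      (hostname: {
        path_regex = escapeRegex "hosts/${hostname}/secrets.json";
        key_groups = [
          {
            pgp = [ pgpFingerprint ];
            age = ageKeysForHost hostname;
          }
        ];
      })
      hostnames;

  sops_config = {
    creation_rules = mkCreationRules hosts;
  };
in
pkgs.writeText "sops.json" (builtins.toJSON sops_config)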