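# NixOS module: give every nginx virtual host the sops-managed TLS certificate
# and private key as its default, and declare the two sops secrets backing them.
{ config, lib, ... }:
let
  # Settings shared by both secrets. Both are read from the same encrypted
  # file; with no explicit `key`, each is presumably looked up under its own
  # attribute name (cert-fullchain / cert-key) inside cert.yaml. Verify
  # against the secrets file.
  certSecret = {
    sopsFile = ../../secrets/cert.yaml;
    # A rotated certificate or key only takes effect once nginx picks it up.
    restartUnits = [ "nginx.service" ];
    owner = config.services.nginx.user;
    # Use the configured nginx group rather than reusing the user name as a
    # group name. The two coincide by default, but a customised
    # services.nginx.user would otherwise name a group that may not exist.
    group = config.services.nginx.group;
  };
in
{
  # Extend the virtualHosts submodule so that every host inherits the
  # certificate paths. mkDefault keeps them overridable per host (e.g. a host
  # with its own certificate or ACME).
  options.services.nginx.virtualHosts = lib.mkOption {
    type = lib.types.attrsOf (
      lib.types.submodule {
        config = lib.mkDefault {
          sslCertificate = config.sops.secrets.cert-fullchain.path;
          sslCertificateKey = config.sops.secrets.cert-key.path;
        };
      }
    );
  };

  config.sops.secrets = {
    cert-fullchain = certSecret;
    # The private key is the sensitive half: pin owner-only read access
    # explicitly instead of relying on the sops-nix default mode.
    cert-key = certSecret // {
      mode = "0400";
    };
  };
}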