# flake-parts module wiring sops-nix into this flake:
#   * registers sops-nix as a flake input (via flake-file),
#   * exposes a NixOS module and a home-manager module named `mysops`,
#   * defines `flake.wrappers.mySops`, a wrapped `sops` that derives an age
#     key from an SSH private key each time it is invoked.
{ self, inputs, ... }:
{
  # flake-file regenerates flake.nix from this option set, so declaring
  # sops-nix here is what makes `inputs.sops-nix` (and its modules) exist.
  flake-file.inputs.sops-nix = {
    url = "github:Mic92/sops-nix";
    inputs.nixpkgs.follows = "nixpkgs";
  };

  # NixOS side: re-export the upstream sops module unchanged.
  flake.modules.nixos.mysops.imports = [ inputs.sops-nix.nixosModules.sops ];

  # home-manager side, consumed by flake-parts:
  # https://flake.parts/options/home-manager.html#opt-flake.modules.homeManager
  flake.modules.homeManager.mysops =
    { config, pkgs, lib, ... }:
    let
      opts = config.mysops;
    in
    {
      # Brings the `sops.*` home-manager options used in `config` into scope.
      imports = [ inputs.sops-nix.homeManagerModules.sops ];

      options.mysops.hostSecretFile = lib.mkOption {
        type = lib.types.nullOr lib.types.str;
        default = null;
        description = "Path to the secrets file for this host. Used to create the edit-secrets script";
      };

      config =
        let
          # `sops` wrapped by flake.wrappers.mySops, bound to this user's pkgs
          # and SSH identity.
          # NOTE(review): `config.ssh.identityFile` is not a stock home-manager
          # option; presumably declared by another module of this flake — confirm.
          sopsBin =
            (inputs.self.wrappers.mySops.apply {
              inherit pkgs;
              sshKey = config.ssh.identityFile;
            }).wrapper;
          wrap = inputs.wrappers.lib.wrapPackage;
          hostSystem = pkgs.stdenv.hostPlatform.system;
          # Where the sops-nix home-manager module materialises decrypted secrets.
          secretsDir = "${config.xdg.configHome}/sops-nix/secrets";
        in
        {
          # Option definitions of the sops home-manager module:
          # https://github.com/Mic92/sops-nix/blob/master/modules/home-manager/sops.nix
          sops.defaultSopsFile = ../../keys/secrets.yaml;
          sops.defaultSopsFormat = "yaml";
          # Decryption at activation time uses the same SSH key the wrapper uses.
          sops.age.sshKeyPaths = [ "${config.ssh.identityFile}" ];

          home.packages =
            [
              sopsBin
              # `ls-secrets`: tree listing of the decrypted secrets directory.
              (wrap {
                binName = "ls-secrets";
                inherit pkgs;
                package = inputs.self.packages.${hostSystem}.my-eza;
                args = [ "-T" "--follow-symlinks" secretsDir ];
              })
            ]
            # `edit-secrets` only exists when a host secrets file is configured.
            ++ lib.optionals (opts.hostSecretFile != null) [
              (wrap {
                binName = "edit-secrets";
                inherit pkgs;
                package = sopsBin;
                args = [ opts.hostSecretFile ];
              })
            ];
        };
    };

  # Wrapper module for the `wrappers` flake's wrapModule. At run time the
  # pre-hook converts the configured SSH private key into an age key stored in
  # a temp file, sops runs, and the post-hook deletes that file again.
  flake.wrappers.mySops = inputs.wrappers.lib.wrapModule (
    { config, lib, wlib, ... }:
    {
      options.sshKey = lib.mkOption {
        type = lib.types.str;
        description = "String path to the SSH key to use for creating an AGE key at runtime";
      };

      config = {
        # binName = "my-sops";
        package = config.pkgs.sops;
        # ssh-to-age for the key conversion, coreutils for mktemp/rm.
        extraPackages = [
          config.pkgs.coreutils
          config.pkgs.ssh-to-age
        ];

        # The age private key is written in clear to a temp file; `umask 077`
        # inside the subshell makes mktemp create it owner-readable only.
        # NOTE(review): the file outlives the process if the post-hook does not
        # run (sops killed, hook aborted) — a `trap … EXIT` set here would be
        # more robust, but depends on how the wrapper runs its hooks; confirm.
        # NOTE(review): nothing visible here hands "$AGE_KEY" to sops (e.g. via
        # SOPS_AGE_KEY_FILE); confirm the wrapper library or environment does.
        # `${config.sshKey}` is expanded unquoted, so a path containing
        # whitespace would be word-split by the shell.
        preHook = ''
          AGE_KEY=$(umask 077; mktemp)
          ssh-to-age -private-key -i ${config.sshKey} > "$AGE_KEY"
        '';

        # Interpolating the repo path copies .sops.yaml into the store and
        # passes that store path to sops.
        flags."--config" = "${../../.sops.yaml}";

        postHook = ''
          rm "$AGE_KEY"
          echo "Removed $AGE_KEY"
        '';
      };
    }
  );
}