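{ config, lib, pkgs, inputs, ... }:
{
  imports = [ inputs.agenix.nixosModules.default ];

  # All agenix-managed secrets for this host.
  #
  # Conventions used below:
  #   - Every entry states `owner`, `group` and `mode` explicitly so the
  #     effective permissions can be audited from this file alone (the two
  #     entries that previously relied on agenix's implicit root ownership
  #     now say so explicitly; the resulting ownership is unchanged).
  #   - The baseline is root:root, 0400 (owner read-only). Any entry that is
  #     wider than that carries a comment saying who needs the access and why.
  #   - Entries without `path` are decrypted to agenix's default runtime
  #     location; only zfs-key needs a fixed path.
  age.secrets = {
    # ZFS encryption key.
    # `path` is pinned to /etc/zfs-key to match the ZFS dataset's
    # keylocation property.
    zfs-key = {
      file = ../secrets/zfs-key.age;
      mode = "0400";
      owner = "root";
      group = "root";
      path = "/etc/zfs-key";
    };

    # Secure Boot keys archive.
    secureboot-tar = {
      file = ../secrets/secureboot.tar.age;
      mode = "0400";
      owner = "root";
      group = "root";
    };

    # System (user account) password hashes.
    hashedPass = {
      file = ../secrets/hashedPass.age;
      mode = "0400";
      owner = "root";
      group = "root";
    };

    # --- Service authentication -------------------------------------------

    # Caddy basic-auth credentials; readable only by the caddy service user.
    caddy_auth = {
      file = ../secrets/caddy_auth.age;
      mode = "0400";
      owner = "caddy";
      group = "caddy";
    };

    # Jellyfin API key.
    jellyfin-api-key = {
      file = ../secrets/jellyfin-api-key.age;
      mode = "0400";
      owner = "root";
      group = "root";
    };

    # slskd environment file, owned by whatever user/group the slskd module
    # runs as so the service can read it directly.
    # NOTE(review): "0500" also sets the owner execute bit. An environment
    # file is read, not executed, so "0400" would be the expected mode;
    # confirm nothing depends on the execute bit before tightening it.
    slskd_env = {
      file = ../secrets/slskd_env.age;
      mode = "0500";
      owner = config.services.slskd.user;
      group = config.services.slskd.group;
    };

    # --- Network configuration --------------------------------------------

    # WireGuard interface config (contains the private key).
    wg0-conf = {
      file = ../secrets/wg0.conf.age;
      mode = "0400";
      owner = "root";
      group = "root";
    };

    # ntfy alert secrets. Deliberately group-readable (0440) so the CI
    # runner (group gitea-runner) can send notifications; root stays owner.
    ntfy-alerts-topic = {
      file = ../secrets/ntfy-alerts-topic.age;
      mode = "0440";
      owner = "root";
      group = "gitea-runner";
    };
    ntfy-alerts-token = {
      file = ../secrets/ntfy-alerts-token.age;
      mode = "0440";
      owner = "root";
      group = "gitea-runner";
    };

    # Firefox Sync server environment (SYNC_MASTER_SECRET).
    # Ownership stated explicitly to match the other entries; root:root is
    # what agenix applied implicitly before.
    firefox-syncserver-env = {
      file = ../secrets/firefox-syncserver-env.age;
      mode = "0400";
      owner = "root";
      group = "root";
    };

    # MollySocket environment (MOLLY_VAPID_PRIVKEY + MOLLY_ALLOWED_UUIDS).
    # Ownership stated explicitly to match the other entries; root:root is
    # what agenix applied implicitly before.
    mollysocket-env = {
      file = ../secrets/mollysocket-env.age;
      mode = "0400";
      owner = "root";
      group = "root";
    };

    # Murmur (Mumble) server password.
    murmur-password-env = {
      file = ../secrets/murmur-password-env.age;
      mode = "0400";
      owner = "murmur";
      group = "murmur";
    };

    # Coturn static-auth secret, readable by the TURN server user.
    coturn-auth-secret = {
      file = ../secrets/coturn-auth-secret.age;
      mode = "0400";
      owner = "turnserver";
      group = "turnserver";
    };

    # Matrix (continuwuity) registration token.
    matrix-reg-token = {
      file = ../secrets/matrix-reg-token.age;
      mode = "0400";
      owner = "continuwuity";
      group = "continuwuity";
    };

    # Matrix (continuwuity) TURN secret. This is the SAME encrypted file as
    # coturn-auth-secret, decrypted a second time under continuwuity's
    # ownership so each service reads its own copy with 0400 rather than
    # sharing one file via a wider group mode. Rotating the coturn secret
    # therefore rotates this one too.
    matrix-turn-secret = {
      file = ../secrets/coturn-auth-secret.age;
      mode = "0400";
      owner = "continuwuity";
      group = "continuwuity";
    };

    # --- CI / repository keys ----------------------------------------------

    # SSH key used by CI for deployments; owned by the runner user.
    ci-deploy-key = {
      file = ../secrets/ci-deploy-key.age;
      mode = "0400";
      owner = "gitea-runner";
      group = "gitea-runner";
    };

    # git-crypt symmetric key for the dotfiles repo (root only).
    git-crypt-key-dotfiles = {
      file = ../secrets/git-crypt-key-dotfiles.age;
      mode = "0400";
      owner = "root";
      group = "root";
    };

    # git-crypt symmetric key for the server-config repo; the CI runner
    # needs it to unlock that repo, hence gitea-runner ownership.
    git-crypt-key-server-config = {
      file = ../secrets/git-crypt-key-server-config.age;
      mode = "0400";
      owner = "gitea-runner";
      group = "gitea-runner";
    };

    # Gitea Actions runner registration token.
    gitea-runner-token = {
      file = ../secrets/gitea-runner-token.age;
      mode = "0400";
      owner = "gitea-runner";
      group = "gitea-runner";
    };
  };
}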