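{ pkgs, config, lib, ... }:
# NixOS module declaring `xyno.secrets`: a per-secret specification (random
# hex, age-encrypted file, or command output) that is serialised to JSON and
# exposed through `xyno.secret-output` for a loader to consume.
with lib;
let
  cfg = config.xyno.secrets;
  # Only the *specification* of each secret (which source, how many bytes,
  # which file, which command) is serialised here — never the secret material
  # itself.  The result is written to the Nix store, which is world-readable.
  json = builtins.toJSON cfg;
in
{
  options.xyno.secret-output = mkOption {
    # `types.path` rather than `types.str`: the value assigned in `config`
    # below is a store derivation, which the `types.str` check rejects at
    # evaluation time.  `types.path` also still accepts an absolute-path string.
    type = types.path;
    description = ''
      Store path of the generated `xyno-secret.json` describing every
      configured secret.
    '';
  };

  options.xyno.secrets = mkOption {
    type = types.attrsOf (types.submodule {
      options = {
        random = mkOption {
          type = types.nullOr types.int;
          default = null;
          description = ''
            have the secret be a random hex string with n bytes
          '';
        };
        ageFile = mkOption {
          type = types.nullOr types.str;
          default = null;
          description = ''
            have the secret be a age encrypted file
          '';
        };
        command = mkOption {
          type = types.nullOr types.str;
          default = null;
          description = ''
            have the secret be the output of a command (impure grrrrr)
          '';
        };
      };
    });
    # Without a default, `config.xyno.secrets` fails to evaluate ("option used
    # but not defined") on hosts that import this module but declare no secrets.
    default = { };
    description = ''
      Secrets to provision, keyed by name.  Each entry is expected to set one
      of `random`, `ageFile` or `command`; this module does not itself check
      that exactly one is set.
    '';
  };

  config = {
    systemd.tpm2.enable = true;
    boot.initrd.systemd.tpm2.enable = true;

    # TODO: ensure secrets are loaded in activation script

    # `pkgs.writeText` is the nixpkgs builder for a single text file
    # (`pkgs.writeFile` is not defined in nixpkgs).  The JSON holds only the
    # secret spec, but it is still world-readable under /nix/store, so
    # `command` strings must not embed credentials or tokens — fetch them from
    # a file or store referenced by the command instead.
    xyno.secret-output = pkgs.writeText "xyno-secret.json" json;

    environment.systemPackages = [
      pkgs.openssl # needed for random secrets
    ];
  };
}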