{ lib, config, hostName ,... }:

let
  cfg = config.nix.includeAccessTokens;
in {
  options = {
    nix.includeAccessTokens.enable = lib.mkEnableOption "including access tokens in nix.conf" // { default = lib.elem hostName ["sif" "surtr" "vidhar"]; };
  };

  config = lib.mkIf cfg.enable {
    nix = {
      extraOptions = ''
        !include ${config.sops.secrets.nixAccessTokens.path}
      '';
    };

    sops.secrets.nixAccessTokens = {
      format = "binary";
      sopsFile = ./nix.conf;
      mode = "0440";
      group = "wheel";
    };
  };
}