infra/common/secrets.nix

## This is a simple secret abstraction with multi-tenancy awareness.
{ config, lib, ... }:
let
  cfg = config.bagel.secrets;
  inherit (lib) mkOption types genAttrs;
in
{
  options.bagel.secrets = {
    tenant = mkOption {
      type = types.enum [ "lix" "floral" ];
    };

    files = mkOption {
      type = types.listOf types.str;
      default = [ ];
    };
  };

  config.age.secrets = genAttrs cfg.files (secretFile: {
      file = ../secrets/${cfg.tenant}/${secretFile}.age;
    });
}