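# NixOS module: install out-of-store secret files into /run/nginx/secrets so
# nginx can read them under a restrictive owner/mode.
{ config, lib, ... }:

let
  cfg = config.services.nginx;

  # Runtime directory the secrets are installed into.
  secretsDir = "/run/nginx/secrets";

  # Owner/group arguments shared by every `install` call. Escaped so a user or
  # group name containing shell metacharacters cannot alter the script.
  ownerArgs = "-o ${lib.escapeShellArg cfg.user} -g ${lib.escapeShellArg cfg.group}";

  # One `install` line per secret. `toString` turns a path value into a plain
  # string, so the file is read at service start rather than being imported
  # into the (world-readable) Nix store; `escapeShellArg` keeps paths with
  # spaces or shell metacharacters from breaking or injecting into the script.
  installSecret = secret: ''
    install ${ownerArgs} -m 600 ${lib.escapeShellArg (toString secret)} ${secretsDir}
  '';
in
{
  options.services.nginx.secrets = lib.mkOption {
    type = with lib.types; listOf (either str path);
    default = [ ];
    description = ''
      Secrets to be copied to `/run/nginx/secrets/`.
      Each entry is installed under its basename, owned by the nginx user and
      group with mode 0600. The files are copied at service start and are not
      imported into the Nix store.
    '';
  };

  config.systemd = lib.mkIf (cfg.secrets != [ ]) {
    services = {
      # Oneshot that recreates the secrets directory and populates it.
      nginx-secrets = {
        description = "Secrets for nginx";
        wantedBy = [ "nginx.service" ];
        partOf = [ "nginx.service" ];
        serviceConfig.Type = "oneshot";
        # Start from an empty directory so secrets removed from the option do
        # not linger from a previous run.
        script = ''
          rm -rf ${secretsDir}
          install ${ownerArgs} -m 700 -d ${secretsDir}
        '' + lib.concatMapStrings installSecret cfg.secrets;
      };

      # nginx must not start before its secrets are in place.
      nginx.after = [ "nginx-secrets.service" ];
    };

    # Re-run the oneshot when the watched directory changes.
    # NOTE: this watches a fixed directory, not the paths listed in
    # `services.nginx.secrets`; secrets stored elsewhere are only refreshed
    # when nginx.service (and, via partOf, nginx-secrets.service) is restarted.
    paths.nginx-secrets = {
      wantedBy = [ "nginx-secrets.service" ];
      partOf = [ "nginx-secrets.service" ];
      pathConfig = {
        PathModified = "/var/src/secrets";
        Unit = "nginx-secrets.service";
      };
    };
  };
}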