{
  config,
  lib,
  pkgs,
  ...
}:

with lib;

let
  cat = "${pkgs.coreutils}/bin/cat";
  sed = "${pkgs.gnused}/bin/sed";

  cfg = config.custom.services.agenix;
in
{
  options.custom.services.agenix.enable = mkOption { default = false; };

  config.home-manager.users.${config.custom.username} = mkIf cfg.enable {
    xdg.configFile."hypr/hyprland.conf".force = true;

    # Replace placeholders with secrets after agenix user service starts
    systemd.user.services.secrets = {
      Unit = {
        Description = "Replace agenix secrets in-place";
        After = "agenix.service";
      };

      Service = {
        ExecStart = pkgs.writeShellScript "secrets" ''
          file="${config.custom.homeDirectory}/.config/hypr/hyprland.conf"

          ${sed} -i "s|@BW_CLIENTID@|$(${cat} ${
            config.age.secrets."desktop/bitwarden/client_id".path
          })|" "$file"
          ${sed} -i "s|@BW_CLIENTSECRET@|$(${cat} ${
            config.age.secrets."desktop/bitwarden/client_secret".path
          })|" "$file"
        '';
      };

      Install = {
        WantedBy = [ "default.target" ];
      };
    };
  };
}