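# NixOS module that hands sops-nix managed key material to services.kubernetes.
#
# Each secret is declared once in `sops.secrets` (who may read the decrypted
# file) and referenced by path from `services.kubernetes`. The `pathOf` /
# `pair` helpers below derive every reference from the same secret name, so
# the two halves cannot drift apart (the original spelled each name twice).
# The systemd ordering at the bottom keeps the daemons from starting before
# their files have been decrypted.
{ config, ... }:
let
  # Filesystem path of the decrypted file sops-nix writes for secret `name`.
  pathOf = name: config.sops.secrets.${name}.path;

  # A crt/key pair stored as `<prefix>/crt` and `<prefix>/key` in the sops store.
  pair = prefix: {
    key = pathOf "${prefix}/key";
    crt = pathOf "${prefix}/crt";
  };

  # Ownership presets: readable only by the owning service account and the
  # `kubernetes` group (0440 = read for owner and group, nothing for others).
  k8sReadable = { owner = "kubernetes"; group = "kubernetes"; mode = "0440"; };
  etcdReadable = { owner = "etcd"; group = "kubernetes"; mode = "0440"; };

  secrets = {
    # Cluster CA. The certificate is public material and is deliberately
    # left readable by the `users` group (presumably so unprivileged users
    # can trust the apiserver -- confirm against the consumers). The private
    # key is a different matter: anyone who can read it can mint arbitrary
    # cluster identities, so it is restricted to the `kubernetes` owner and
    # group like every other CA key here, instead of the `users` group the
    # original gave it.
    "kubernetes/ca/kubernetes/crt" = { owner = "kubernetes"; group = "users"; mode = "0440"; };
    "kubernetes/ca/kubernetes/key" = k8sReadable;
    "kubernetes/ca/front-proxy/crt" = k8sReadable;
    "kubernetes/ca/front-proxy/key" = k8sReadable;
    "kubernetes/ca/etcd/crt" = etcdReadable;
    "kubernetes/ca/etcd/key" = etcdReadable;

    # Serving and client certificates used by the apiserver.
    "kubernetes/cert/apiserver/server/crt" = k8sReadable;
    "kubernetes/cert/apiserver/server/key" = k8sReadable;
    "kubernetes/cert/apiserver/etcd-client/crt" = k8sReadable;
    "kubernetes/cert/apiserver/etcd-client/key" = k8sReadable;
    "kubernetes/cert/apiserver/kubelet-client/crt" = k8sReadable;
    "kubernetes/cert/apiserver/kubelet-client/key" = k8sReadable;
    "kubernetes/cert/front-proxy/crt" = k8sReadable;
    "kubernetes/cert/front-proxy/key" = k8sReadable;

    # etcd serving and peer certificates are read by the etcd service user.
    "kubernetes/cert/etcd/server/crt" = etcdReadable;
    "kubernetes/cert/etcd/server/key" = etcdReadable;
    "kubernetes/cert/etcd/peer/crt" = etcdReadable;
    "kubernetes/cert/etcd/peer/key" = etcdReadable;

    # Service-account token signing key pair.
    "kubernetes/cert/sa/key" = k8sReadable;
    "kubernetes/cert/sa/pub" = k8sReadable;

    # Per-component client identities.
    "kubernetes/cert/accounts/scheduler/crt" = k8sReadable;
    "kubernetes/cert/accounts/scheduler/key" = k8sReadable;
    "kubernetes/cert/accounts/controller-manager/crt" = k8sReadable;
    "kubernetes/cert/accounts/controller-manager/key" = k8sReadable;
    "kubernetes/cert/accounts/addon-manager/crt" = k8sReadable;
    "kubernetes/cert/accounts/addon-manager/key" = k8sReadable;
    "kubernetes/cert/accounts/proxy/crt" = k8sReadable;
    "kubernetes/cert/accounts/proxy/key" = k8sReadable;
    # The admin identity sets only the group; owner and mode stay at the
    # sops-nix defaults, which are more restrictive than the presets above
    # (owner-only read unless the defaults are overridden) -- confirm this
    # is the intended access for the admin key before relying on the group.
    "kubernetes/cert/accounts/admin/crt" = { group = "kubernetes"; };
    "kubernetes/cert/accounts/admin/key" = { group = "kubernetes"; };

    # Kubelet TLS bootstrap token and the apiserver's static token file.
    "kubernetes/token/kubelet-bootstrap/token" = k8sReadable;
    "kubernetes/token/kubelet-bootstrap/csv" = k8sReadable;
  };

  # Units that read one of the files above and therefore must wait for
  # sops-nix to have decrypted them.
  secretConsumers = [
    "kubelet"
    "kube-apiserver"
    "kube-controller-manager"
    "kube-scheduler"
    "kube-proxy"
    "kube-addon-manager"
    "etcd"
  ];
in
{
  sops.secrets = secrets;

  services.kubernetes = {
    cas = {
      kubernetes = pair "kubernetes/ca/kubernetes";
      frontProxy = pair "kubernetes/ca/front-proxy";
      etcd = pair "kubernetes/ca/etcd";
    };
    certs = {
      apiserver = {
        server = pair "kubernetes/cert/apiserver/server";
        etcdClient = pair "kubernetes/cert/apiserver/etcd-client";
        kubeletClient = pair "kubernetes/cert/apiserver/kubelet-client";
      };
      etcd = {
        server = pair "kubernetes/cert/etcd/server";
        peer = pair "kubernetes/cert/etcd/peer";
      };
      frontProxy = pair "kubernetes/cert/front-proxy";
      # The SA pair is stored as key/pub rather than key/crt, so it is
      # spelled out instead of going through `pair`.
      serviceAccount = {
        private = pathOf "kubernetes/cert/sa/key";
        public = pathOf "kubernetes/cert/sa/pub";
      };
      accounts = {
        scheduler = pair "kubernetes/cert/accounts/scheduler";
        controllerManager = pair "kubernetes/cert/accounts/controller-manager";
        addonManager = pair "kubernetes/cert/accounts/addon-manager";
        proxy = pair "kubernetes/cert/accounts/proxy";
        admin = pair "kubernetes/cert/accounts/admin";
      };
    };
    kubelet.bootstrapToken = pathOf "kubernetes/token/kubelet-bootstrap/token";
    apiserver.bootstrapTokenFile = pathOf "kubernetes/token/kubelet-bootstrap/csv";
  };

  # `after` only orders startup; it does not pull sops-nix in, which matches
  # the original and is fine as long as sops-nix is enabled elsewhere.
  systemd.services = builtins.listToAttrs (map
    (unit: { name = unit; value.after = [ "sops-nix.service" ]; })
    secretConsumers);
}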