{ config, lib, pkgs, ... }:

with lib;
let
  hostname = config.instance.hostname;
  has-secret-files = hasAttr "files" config.fudo.secrets;
  try-attr = attr: set: if (hasAttr attr set) then set.${attr} else null;

in {
  config = mkIf has-secret-files (let
    keytab-file = try-attr hostname config.fudo.secrets.files.host-keytabs;
  in {
    environment.etc."krb5.keytab" = mkIf (keytab-file != null) {
      source =
        config.fudo.secrets.host-secrets.${hostname}.host-keytab.target-file;
      user = "root";
      group = "root";
      mode = "0400";
    };

    fudo.secrets.host-secrets.${hostname}.host-keytab = mkIf (keytab-file != null) {
      source-file = keytab-file;
      target-file = "/run/kerberos/krb5.keytab";
      user = "root";
    };
  });
}