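{
  description = "Manage local secrets for Nix configurations";

  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-20.09";

  outputs = { self, nixpkgs }:
    let
      supportedSystems = [ "x86_64-linux" "i686-linux" "aarch64-linux" ];
      # Map a per-system function over every supported system (eta-reduced genAttrs).
      forAllSystems = nixpkgs.lib.genAttrs supportedSystems;
    in
    {
      # NixOS module: declares the `localsecrets.*` options and, when enabled,
      # installs a small `localsecrets` command that lists the configured
      # secret paths (paths only; secret contents are never read or printed).
      nixosModules.localsecrets = { config, pkgs, lib, ... }:
        let
          types = lib.types;
          cfg = config.localsecrets;

          # Submodule describing one secret. `name` is the attribute key under
          # `localsecrets.secrets` and seeds the default locations below.
          keyOpts = { name, ... }: {
            options = {
              generate = lib.mkOption {
                type = types.str;
                description = "Command that produces the secret. NOTE: nothing in this module consumes it yet.";
              };
              generatePublic = lib.mkOption {
                type = types.nullOr types.str;
                # `nullOr` without a default would still make the option mandatory.
                default = null;
                description = "Optional command that produces the public half. NOTE: nothing in this module consumes it yet.";
              };
              path = lib.mkOption {
                type = types.str;
                default = "/var/lib/localsecrets/${name}";
                description = "Where the secret is expected to live on the target host.";
              };
              publicPath = lib.mkOption {
                # `./. + "/..."` evaluates to a path value, not a string, so
                # `types.str` would reject the default; use `types.path`.
                type = types.path;
                default = ./. + "/public_keys/${name}";
                description = "Location of the public half, relative to this flake.";
              };
            };
          };
        in
        {
          options.localsecrets = {
            enable = lib.mkEnableOption "Deploy localsecrets";
            secrets = lib.mkOption {
              type = types.attrsOf (types.submodule keyOpts);
              # `attrsOf` needs an attrset default; `[]` fails the type check.
              default = { };
              description = "Secrets managed by localsecrets, keyed by name.";
            };
          };

          # Gate on `enable` so the option is not a no-op.
          config = lib.mkIf cfg.enable {
            environment.systemPackages = [
              # writeShellScriptBin adds the shebang writeScriptBin omitted.
              (pkgs.writeShellScriptBin "localsecrets" ''
                echo "Secrets I know about:"
                ${lib.concatMapStrings
                  # Quote each path: a secret name could contain shell metacharacters.
                  (secret: "echo ${lib.escapeShellArg secret.path}\n")
                  (lib.attrValues cfg.secrets)}
              '')
            ];
          };
        };

      # Per-system NixOS VM test: boots one node with the module and runs the CLI.
      checks = forAllSystems (system: {
        test =
          let
            testing = import (nixpkgs + "/nixos/lib/testing-python.nix") { inherit system; };
          in
          testing.makeTest {
            nodes.client = { ... }: {
              imports = [ self.nixosModules.localsecrets ];
              localsecrets.enable = true;
              localsecrets.secrets.test-secret = {
                generate = "echo hello";
                generatePublic = "echo world";
              };
            };
            testScript = ''
              start_all()
              client.succeed("localsecrets")
            '';
          };
      });

      # Example container configuration using the module.
      nixosConfigurations.container = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [
          self.nixosModules.localsecrets
          ({ ... }: {
            localsecrets.enable = true;
            # `secrets` is an attrset of submodules, not a list of names, and
            # each entry must supply `generate`.
            localsecrets.secrets.my-test-secret = {
              generate = "echo my-test-secret"; # constructed placeholder command
            };
            boot.isContainer = true;
          })
        ];
      };
    };
}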