{ config, lib, ... }: let
	credential = "config";
in {
	# Config for ddns-updater, owned by the ddns-updater systemd service user
	sops.secrets.ddns-updater-config.sopsFile = ./resources/secrets/ddns-updater-config.yaml;

	# Load secret as a credential in systemd service
	systemd.services.ddns-updater.serviceConfig = {
		LoadCredential = [
			"${credential}:${config.sops.secrets.ddns-updater-config.path}"
		];
	};

	# Enable ddns updater
	services.ddns-updater = {
		enable = true;
		environment = {
			SERVER_ENABLED="no";
			CONFIG_FILEPATH = "%d/${credential}";
		};
	};
}