{
  lib,
  config,
  pkgs,
  stdenv,
  options,
  ...
}: {
  config = with lib; let
    secretFiles = mapAttrsToList (_: x: x.file) config.rekey.secrets;
    drv = import ./rekey-drv.nix pkgs config;
  in
    mkIf (config.rekey.secrets != {}) {
      age = {
        secrets = let
          secretPath = "${drv}/";
          newPath = x: "${secretPath}/${x}.age";
        in
          mapAttrs (name: value: value // {file = newPath name;}) config.rekey.secrets;
      };
      warnings = optional (! pathExists (removeSuffix ".drv" drv.drvPath)) ''
           Rekeyed secrets not available.
        Maybe you forgot to run "nix run '.#rekey'" to rekey them?
      '';
    };

  options = with lib; {
    rekey.secrets = options.age.secrets;
    rekey.pubKey = mkOption {
      type = types.either types.path types.str;
      description = ''
        The age public key set as a recipient when rekeying.
        either a path to a public key file or a string public key
        **NEVER set this to a private key part**
        ~~This will end up in the nix store.~~
      '';
      example = /etc/ssh/ssh_host_ed25519_key.pub;
    };

    rekey.masterIdentityPaths = mkOption {
      type = types.listOf types.path;
      description = ''
        A list of Identities used for decrypting your secrets before rekeying.
        **WARING this will end up in the nix-store**
        Only use yubikeys or password encrypted age keys
      '';
    };

    rekey.plugins = mkOption {
      type = types.listOf types.package;
      default = [];
      description = ''
        A list of plugins that should be available in your path when rekeying.
      '';
      example = [pkgs.age-plugin-yubikey];
    };
  };
}