{ config, ... }:

{
  age.secrets.name = {
    file = ./secrets/name.age;
    owner = "specimen";
    group = "specimen";
    mode = "440";
  };

  services.specimen = {
    enable = true;

    listenAddress = "0.0.0.0";
    port = 4444;
    openFirewall = true;

    # we pass the entire agenix secret,
    # so we can see both the encrypted and the
    # decrypted path.
    nameSecret = config.age.secrets.name;
  };
}