nixos-config/home/base/secrets/secrets.nix

# Password store and secrets management via pass-wayland with OTP and import extensions.
{
  config,
  lib,
  pkgs,
  ...
}:
with lib; let
  cfg = config.base.secrets;
in {
  # Enabled by default — base modules are always-on.
  options.base.secrets.enable = (mkEnableOption "enable secrets management") // {default = true;};

  config = mkIf cfg.enable {
    programs.password-store = {
      enable = true;
      package =
        pkgs.pass-wayland.withExtensions
        (exts: [exts.pass-otp exts.pass-import]);
      settings = {PASSWORD_STORE_DIR = "$XDG_DATA_HOME/password-store";};
    };
    home.packages = [pkgs.pinentry-gnome3];
  };
}