{ lib, ... }:
{
  mkOption =
    { description,
      mode ? "0400",
      owner ? "root",
      group ? "root",
      restartUnits ? [],
    }: lib.mkOption {
      inherit description;

      type = lib.types.submodule {
        options = {
          request = lib.mkOption {
            default = {
              inherit mode owner group restartUnits;
            };

            readOnly = true;

            description = ''
              Options set by the requester module
              enforcing some properties the secret should have.

              Use the `contracts.secret.mkOption` function to
              create a secret option for a requester module.
              See the [requester usage section](contracts-secret.html#secret-contract-usage-requester) for an example.

              Some providers will need more options to be defined and this is allowed.
              These extra options will be set by the user.
              For example, the `sops` implementation requires to be given
              the sops key in which the secret is encrypted.

              `request` options are set read-only
              because they must be set through option defaults,
              they shouldn't be changed in the `config` section.
              This would otherwise lead to infinite recursion
              during evaluation.
              This is handled automatically when using the `contracts.secret.mkOption` function.
            '';
            type = lib.types.submodule {
              freeformType = lib.types.anything;

              options = {
                mode = lib.mkOption {
                  description = ''
                    Mode of the secret file.
                  '';
                  type = lib.types.str;
                  default = mode;
                };

                owner = lib.mkOption {
                  description = ''
                    Linux user owning the secret file.
                  '';
                  type = lib.types.str;
                  default = owner;
                };

                group = lib.mkOption {
                  description = ''
                    Linux group owning the secret file.
                  '';
                  type = lib.types.str;
                  default = group;
                };

                restartUnits = lib.mkOption {
                  description = ''
                    Systemd units to restart after the secret is updated.
                  '';
                  type = lib.types.listOf lib.types.str;
                  default = restartUnits;
                };
              };
            };
          };

          result = lib.mkOption {
            description = ''
              Options set by the provider module that indicates where the secret can be found.
            '';
            type = lib.types.submodule {
              options = {
                path = lib.mkOption {
                  type = lib.types.path;
                  description = ''
                    Path to the file containing the secret generated out of band.

                    This path will exist after deploying to a target host,
                    it is not available through the nix store.
                  '';
                };
              };
            };
          };
        };
      };
    };
}