{ pkgs ? import <nixpkgs> {}
, gpgKey
}:

with pkgs.lib;
let
  loadYaml = import ./load-yaml.nix { inherit pkgs; };

  decryptMessage = x:
      if gpgKey == null
    then "encrypted"
    else
      builtins.readFile (
        pkgs.runCommandLocal "decrypted-salt-value" {
          nativeBuildInputs = [ pkgs.gnupg ];
        } ''
          export GNUPGHOME=$(mktemp -d)
          gpg --import ${gpgKey}
          gpg -d > $out << EOF
          ${x}
          EOF
        ''
      );

  decrypt = x:
    if builtins.isString x
    then if builtins.substring 0 27 x == "-----BEGIN PGP MESSAGE-----"
         then decryptMessage x
         else x
    else if builtins.isList x
    then map decrypt x
    else if builtins.isAttrs x
    then builtins.mapAttrs (_: decrypt) x
    else x;

  loadSls = files:
    decrypt (
      builtins.foldl' (result: filename:
        recursiveUpdate result (loadYaml filename)
      ) {} files
    );
in

files:
if builtins.isList files
then loadSls files
else loadSls [ files ]