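# Passes every file found under ../../../../salt-pillar to ./load-yaml.nix,
# deep-merges the results with recursiveUpdate (later files win), and then
# walks the merged value replacing each PGP-armored string with its plaintext.
#
# Arguments:
#   pkgs   - nixpkgs package set; defaults to the <nixpkgs> channel.
#   gpgKey - key file handed to `gpg --import`, or null to skip decryption.
#            With null, every armored value becomes the literal "encrypted".
#
# Security notes for reviewers:
#   * Decryption happens in a derivation whose output is read back with
#     builtins.readFile (import-from-derivation). Each decrypted value is
#     therefore written to the world-readable Nix store. Only evaluate this
#     with a real key on hosts where that exposure is acceptable.
#   * If gpgKey is a Nix path value, interpolating it copies the key file
#     into the Nix store as well.
#   * The armored text comes from pillar files, so it is handed to gpg through
#     a passAsFile attribute instead of being spliced into the build script.
#     Spliced in via an unquoted heredoc, a `$`, a backtick or a line equal to
#     the heredoc terminator inside the message would be interpreted by the
#     shell.
{ pkgs ? import <nixpkgs> {}
, gpgKey
}:

with pkgs.lib;

let
  loadYaml = import ./load-yaml.nix { inherit pkgs; };

  # ASCII-armor header that marks a string as an encrypted pillar value.
  pgpArmorHeader = "-----BEGIN PGP MESSAGE-----";

  # Decrypt one armored message. gpgKey is deliberately not traced here, so
  # evaluation logs do not reveal where key material lives.
  decryptMessage = x:
    if gpgKey == null then
      "encrypted"
    else
      builtins.readFile (
        pkgs.runCommandLocal "decrypted-salt-value"
          {
            nativeBuildInputs = [ pkgs.gnupg ];
            # Exposed to the builder as the file "$pgpMessagePath".
            pgpMessage = x;
            passAsFile = [ "pgpMessage" ];
          }
          ''
            # Throw-away keyring so nothing outside the build is touched.
            export GNUPGHOME=$(mktemp -d)
            gpg --import ${escapeShellArg "${gpgKey}"}
            gpg -d < "$pgpMessagePath" > $out
          ''
      );

  # Recursively walk strings, lists and attribute sets; other values pass
  # through unchanged.
  decrypt = x:
    if builtins.isString x then
      (if hasPrefix pgpArmorHeader x then decryptMessage x else x)
    else if builtins.isList x then
      map decrypt x
    else if builtins.isAttrs x then
      builtins.mapAttrs (_: decrypt) x
    else
      x;
in
decrypt (
  builtins.foldl'
    (result: filename: recursiveUpdate result (loadYaml filename))
    { }
    (filesystem.listFilesRecursive ../../../../salt-pillar)
)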