{pkgs, ...}: {
  services.secrets = {
    enable = true;

    vaultLogin = {
      enable = true;
      loginUsername = "hetzner-arm-container-storage";
    };

    requiredVaultPaths = [
      "api-keys/data/storage/webdav/Public"
      "api-keys/data/storage/webdav/Uploads"
    ];

    packages = with pkgs; [
      apacheHttpd
    ];

    extraFunctions = ''
      simple_get_htpasswd() {
        if [ -f "$2" ]; then
          rm "$2"
        fi

        touch "$2"

        data=$(kv_get "$1" | base64)
        for username in $(echo "$data" | base64 -d | jq -r ".data.data | keys | .[]"); do
          password=$(echo "$data" | base64 -d | jq -r ".data.data.\"$username\"")
          htpasswd -b "$2" "$username" "$password" 2>/dev/null
        done
      }
    '';

    secrets = {
      vault_password = {
        manual = true;
      };

      webdav_public_htpasswd = {
        user = "storage";
        group = "storage";
        fetchScript = ''
          simple_get_htpasswd "/api-keys/storage/webdav/Notes" "$secretFile"
        '';
      };

      webdav_uploads_htpasswd = {
        user = "storage";
        group = "storage";
        fetchScript = ''
          simple_get_htpasswd "/api-keys/storage/webdav/Uploads" "$secretFile"
        '';
      };

      rclone_config = {
        user = "storage";
        group = "storage";
        manual = true;
      };
    };
  };
}