{pkgs, ...}: {
  services.secrets = {
    enable = true;

    packages = with pkgs; [
      apacheHttpd
    ];

    vaultLogin = {
      enable = true;
      # TODO: change to hetzner-arm-container-vault-ca
      loginUsername = "vault";
    };

    autoSecrets = {
      enable = true;
    };

    requiredVaultPaths = [
      "private-public-keys/data/restic/Vault"

      "api-keys/data/storage/restic/Vault"

      "infra/data/internalCAPassword"
    ];

    secrets = {
      vault_password = {
        manual = true;
      };

      restic_password = {
        fetchScript = ''
          simple_get "/private-public-keys/restic/Vault" .password > "$secretFile"
        '';
      };
      restic_env = {
        fetchScript = ''
          RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Vault" .restic)
          echo "RESTIC_REPOSITORY=rest:https://restic:$RESTIC_PASSWORD@storage-restic.owo.monster/Vault" > "$secretFile"
        '';
      };

      internal_ca_password = {
        fetchScript = ''
          simple_get "/infra/internalCAPassword" .password > "$secretFile"
        '';
      };
    };
  };
}