{pkgs, ...}: {
  services.secrets = {
    enable = true;

    vaultLogin = {
      enable = true;
      loginUsername = "hetzner-arm";
    };

    autoSecrets = {
      enable = true;
      #affectedSystemdServices = [
      #  "wg-quick-wg0"
      #];
    };

    requiredVaultPaths = [
      "api-keys/data/gitlab/gitlab_pages_serve"
    ];

    secrets = {
      vault_password = {
        manual = true;
      };

      # Used directly by server
      # for fetching gitlab static sites
      gitlab_env = {
        user = "gitlab_artifacts_sync";
        group = "gitlab_artifacts_sync";
        fetchScript = ''
          token=$(simple_get "/api-keys/gitlab/gitlab_pages_serve" .token)
          echo "GITLAB_TOKEN=$token" > "$secretFile"
        '';
      };
    };
  };
}