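# Secrets configuration for the host that logs in to Vault as "raspberry".
# It declares one manually supplied secret (vault_password) and three
# CockroachDB TLS files (CA certificate, node certificate, node private key)
# that are fetched from Vault and written under /var/lib/cockroachdb-certs.
#
# NOTE(review): `services.secrets`, `simple_get`, `$SYSROOT` and `$secretFile`
# are defined outside this file; the option semantics described below are
# inferred from their names and should be confirmed against that module.
{pkgs, ...}: {
  services.secrets = {
    enable = true;

    # rclone is needed by simple_get_obscure in extraFunctions below.
    packages = with pkgs; [rclone];

    vaultLogin = {
      enable = true;
      loginUsername = "raspberry";
    };

    autoSecrets = {
      enable = true;
      # Presumably these units are restarted/reloaded when secrets change;
      # verify against the services.secrets module.
      affectedSystemdServices = ["wg-quick-wg0" "cockroachdb"];
    };

    # Shell helper: fetch a secret with simple_get and print its
    # rclone-obscured form.
    #
    # The secret is piped to `rclone obscure -` on stdin instead of being
    # passed as a command-line argument, so the clear-text value does not
    # appear in the process argument list (ps, /proc/<pid>/cmdline) and a
    # value starting with "-" is not parsed as an rclone flag.
    # `rclone obscure -` uses the first line of stdin as the password.
    extraFunctions = ''
      simple_get_obscure() {
        simple_get "$@" | rclone obscure -
      }
    '';

    # NOTE(review): this path contains "data/" while the simple_get calls
    # below do not; presumably simple_get inserts the KV v2 "data/" segment
    # itself. Confirm so the declared path matches what is actually read.
    requiredVaultPaths = [
      "private-public-keys/data/piped-cockroachdb-ca/nodes/raspberry"
    ];

    secrets = {
      # Supplied out of band rather than fetched by a script.
      vault_password = {
        manual = true;
      };

      # NOTE(review), applies to all three fetchScripts below:
      #  - `simple_get ... | base64 -d > "$secretFile"` reports only the exit
      #    status of base64 unless the calling wrapper enables pipefail. If
      #    simple_get fails, an empty file may be installed without an error.
      #    Confirm the wrapper's shell options or validate the file is
      #    non-empty after the fetch.
      #  - `mkdir -p` creates the certificate directory with the caller's
      #    umask and ownership; only the files get user/group/permissions
      #    from the attributes here. Confirm the directory itself is not
      #    writable by other users, since it holds the node private key.

      # CA certificate used by the CockroachDB node.
      piped_cockroachdb_ca_certificate = {
        user = "cockroachdb";
        group = "cockroachdb";
        permissions = "600";
        path = "/var/lib/cockroachdb-certs/ca.crt";
        fetchScript = ''
          if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then
            mkdir -p "$SYSROOT/var/lib/cockroachdb-certs"
          fi
          simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .ca_certificate \
            | base64 -d > "$secretFile"
        '';
      };

      # Node certificate for this host.
      piped_cockroachdb_node_certificate = {
        user = "cockroachdb";
        group = "cockroachdb";
        permissions = "600";
        path = "/var/lib/cockroachdb-certs/node.crt";
        fetchScript = ''
          if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then
            mkdir -p "$SYSROOT/var/lib/cockroachdb-certs"
          fi
          simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .node_certificate \
            | base64 -d > "$secretFile"
        '';
      };

      # Node private key: the most sensitive of the three files. Mode 600
      # restricts it to the cockroachdb user.
      piped_cockroachdb_node_key = {
        user = "cockroachdb";
        group = "cockroachdb";
        permissions = "600";
        path = "/var/lib/cockroachdb-certs/node.key";
        fetchScript = ''
          if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then
            mkdir -p "$SYSROOT/var/lib/cockroachdb-certs"
          fi
          simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .node_key \
            | base64 -d > "$secretFile"
        '';
      };
    };
  };
}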