{ pkgs, ... }: {
  services.secrets = {
    enable = true;
    secrets = {
      usb_encryption_passphrase = { manual = true; };
      music_stream_password = {
        user = "chaos";
        group = "users";
        fetchScript = ''
          simple_get "/api-keys/music-stream" .password > $secretFile
        '';
      };
      wg_priv = {
        fetchScript = ''
          simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .private > $secretFile
        '';
      };
      wg_preshared_hetzner-vm = {
        fetchScript = ''
          simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .preshared_keys.hetzner_vm > $secretFile
        '';
      };
      wg_preshared_vault = {
        fetchScript = ''
          simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .preshared_keys.vault > $secretFile
        '';
      };
      wg_preshared_storage = {
        fetchScript = ''
          simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .preshared_keys.storage > $secretFile
        '';
      };
      wg_harry_priv = {
        fetchScript = ''
          simple_get "/private-public-keys/wireguard/harry/tablet" .private > $secretFile
        '';
      };
      wg_harry_preshared = {
        fetchScript = ''
          simple_get "/private-public-keys/wireguard/harry/tablet" .preshared_keys.main > $secretFile
        '';
      };
    };
  };
}