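# NixOS module that ships an `init-secrets` helper: it pulls credentials from
# Vault and materialises them as files under /secrets, with the owner/group/mode
# each file should have taken from ./secrets-db.nix.
{ pkgs, ... }:
let
  secrets-db = (import ./secrets-db.nix { });
in
{
  # NOTE(review): mode "-" is tmpfiles' default (0755 for directories).  That
  # keeps /secrets traversable for the non-root owners listed in secrets-db;
  # the per-file mode below is what actually protects each secret — confirm
  # that is the intended model before tightening this.
  systemd.tmpfiles.rules = [ "d /secrets - root root" ];

  environment.systemPackages = [
    (pkgs.writeShellScriptBin "init-secrets" ''
      set -e -u -o pipefail

      # Honour a caller-supplied VAULT_ADDR and only fall back to the default
      # when it is unset/empty.  The previous test was inverted (`-n`): it
      # clobbered an explicitly set address and left an unset one unset, so
      # the vault CLI would silently talk to its built-in localhost default.
      if [ -z "''${VAULT_ADDR:-}" ]; then
        export VAULT_ADDR="https://vault.owo.monster"
      fi

      export PATH="$PATH:${pkgs.vault}/bin:${pkgs.jq}/bin:${pkgs.apacheHttpd}/bin"

      # Every secret file below is created by htpasswd or by shell redirection,
      # i.e. with the process umask, and only chmod'ed afterwards.  Start
      # owner-only so there is no window in which a fresh file is readable by
      # other local users before the final chmod runs.
      umask 077

      # kv_get <kv-path>: fetch one KV secret from Vault as JSON.
      kv_get() {
        vault kv get -format json "$1"
      }

      # simple_get <kv-path> <jq-field>: print a single field of the secret's
      # data (e.g. `.username`).  `jq -e` fails on a missing/null field so that
      # set -e aborts instead of writing the literal string "null" into a
      # credential file.
      simple_get() {
        kv_get "$1" | jq -e -r ".data.data$2"
      }

      # install_secret <file> <user> <group> <mode>: apply the ownership and
      # mode recorded in secrets-db to an already-written file.
      install_secret() {
        chown "$2:$3" "$1"
        chmod "$4" "$1"
      }

      # write_htpasswd <kv-path> <file> <user> <group> <mode>: (re)create an
      # htpasswd file from the username/password stored at <kv-path>.
      write_htpasswd() {
        kv_path=$1
        file=$2
        echo "$file"
        username=$(simple_get "$kv_path" .username)
        password=$(simple_get "$kv_path" .password)
        # `-i` reads the password from stdin; `-b` would put it on the command
        # line, where it is briefly visible to every local user via
        # /proc/<pid>/cmdline.  `-c` keeps the original "overwrite the file"
        # behaviour.
        printf '%s\n' "$password" | htpasswd -i -c "$file" "$username"
        install_secret "$file" "$3" "$4" "$5"
      }

      write_htpasswd "/api-keys/storage/restic/HetznerVM" \
        "${secrets-db.restic_hetznervm_htpasswd.path}" \
        "${secrets-db.restic_hetznervm_htpasswd.user}" \
        "${secrets-db.restic_hetznervm_htpasswd.group}" \
        "${secrets-db.restic_hetznervm_htpasswd.permissions}"

      write_htpasswd "/api-keys/storage/restic/Music" \
        "${secrets-db.restic_music_htpasswd.path}" \
        "${secrets-db.restic_music_htpasswd.user}" \
        "${secrets-db.restic_music_htpasswd.group}" \
        "${secrets-db.restic_music_htpasswd.permissions}"

      write_htpasswd "/api-keys/storage/restic/Vault" \
        "${secrets-db.restic_vault_htpasswd.path}" \
        "${secrets-db.restic_vault_htpasswd.user}" \
        "${secrets-db.restic_vault_htpasswd.group}" \
        "${secrets-db.restic_vault_htpasswd.permissions}"

      write_htpasswd "/api-keys/storage/webdav" \
        "${secrets-db.webdav_htpasswd.path}" \
        "${secrets-db.webdav_htpasswd.user}" \
        "${secrets-db.webdav_htpasswd.group}" \
        "${secrets-db.webdav_htpasswd.permissions}"

      # The Vault user password is stored verbatim (not hashed) for the
      # consumer named in secrets-db.  The redirection creates the file under
      # the 077 umask set above, then ownership/mode are applied.
      file="${secrets-db.vault_password.path}"
      echo "$file"
      simple_get "/vault-users/storage" .password > "$file"
      install_secret "$file" \
        "${secrets-db.vault_password.user}" \
        "${secrets-db.vault_password.group}" \
        "${secrets-db.vault_password.permissions}"
    '')
  ];
}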