{...}: {
  services.secrets = {
    enable = true;
    secrets = {
      usb_encryption_passphrase = {manual = true;};

      music_stream_password = {
        user = 1000;
        group = "users";
        fetchScript = ''
          simple_get "/api-keys/music-stream" .password > "$secretFile"
        '';
      };

      # Required for home.apps.manual-backup-apps
      gitlab_archiver_token = {
        user = "chaos";
        group = "users";

        fetchScript = ''
          simple_get "/api-keys/gitlab/gitlab_archiver" .token > "$secretFile"
        '';
      };

      # Required for home.apps.manual-backup-apps
      restic_music_env = {
        user = "chaos";
        group = "users";

        fetchScript = ''
          api_username=$(simple_get "/api-keys/storage/restic/Music" .username)
          api_password=$(simple_get "/api-keys/storage/restic/Music" .password)
          restic_password=$(simple_get "/private-public-keys/restic/Music" .password)

          echo > "$secretFile"
          echo "RESTIC_REPOSITORY=rest:https://''${api_username}:''${api_password}@storage-restic.owo.monster/Music" >> "$secretFile"
          echo "RESTIC_PASSWORD=''${restic_password}" >> "$secretFile"
        '';
      };

      # for internal wireguard VPN
      wg_priv = {
        fetchScript = ''
          simple_get "/private-public-keys/wireguard/chaos-internal/lappy-t495" .private > "$secretFile"
        '';
      };
      wg_preshared_hetzner-vm = {
        fetchScript = ''
          simple_get "/private-public-keys/wireguard/chaos-internal/lappy-t495" .preshared_keys.hetzner_vm > "$secretFile"
        '';
      };
      wg_preshared_vault = {
        fetchScript = ''
          simple_get "/private-public-keys/wireguard/chaos-internal/lappy-t495" .preshared_keys.vault > "$secretFile"
        '';
      };
    };
  };
}