{pkgs, ...}: let
  # Directory that receives the CockroachDB TLS material. All three
  # cockroachdb entries below write into it, so its path lives in one place.
  cockroachCertDir = "/var/lib/cockroachdb-certs";

  # Vault document that carries this node's CA certificate, node certificate
  # and node key as separate fields.
  cockroachVaultPath = "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry";

  # One CockroachDB certificate-store entry: a file owned by the cockroachdb
  # user/group, mode 600, populated by base64-decoding a single field of the
  # Vault document. `field` looks like a jq-style selector consumed by
  # simple_get — confirm against the helper's definition.
  #
  # NOTE(review): `mkdir -p` leaves the directory with umask defaults; the
  # 600 mode protects the files themselves, but the directory's owner/mode is
  # whatever the module's runner produces — confirm that is acceptable.
  # NOTE(review): without `pipefail`, a failed simple_get still lets base64
  # truncate/overwrite "$secretFile"; verify how the module executes
  # fetchScript.
  cockroachSecret = fileName: field: {
    user = "cockroachdb";
    group = "cockroachdb";
    permissions = "600";
    path = "${cockroachCertDir}/${fileName}";
    fetchScript = ''
      if [ ! -d "$SYSROOT${cockroachCertDir}" ]; then
        mkdir -p "$SYSROOT${cockroachCertDir}"
      fi
      simple_get "${cockroachVaultPath}" ${field} \
        | base64 -d > "$secretFile"
    '';
  };

  # Vault document holding this host's WireGuard private and preshared keys.
  wgVaultPath = "/private-public-keys/wireguard/chaos-internal/raspberry";

  # A WireGuard key written verbatim (no decoding step). No user/group/
  # permissions are set here, so whatever the module defaults to applies —
  # presumably root-owned, since wg-quick runs as root; confirm.
  wgSecret = field: {
    fetchScript = ''
      simple_get "${wgVaultPath}" ${field} > "$secretFile"
    '';
  };
in {
  services.secrets = {
    enable = true;
    # rclone is needed by simple_get_obscure in extraFunctions.
    packages = with pkgs; [rclone];

    vaultLogin = {
      enable = true;
      loginUsername = "raspberry";
    };

    autoSecrets = {
      enable = true;
      # Units the module acts on when secrets are (re)fetched — presumably a
      # restart/reload; the exact behaviour is defined by the module.
      affectedSystemdServices = ["wg-quick-wg0" "cockroachdb"];
    };

    # rclone obscure is reversible obfuscation, not encryption: its output
    # must be handled with the same care as the value it wraps.
    extraFunctions = ''
      simple_get_obscure() {
        rclone obscure "$(simple_get "$@")"
      }
    '';

    # Paths this host's Vault token must be able to read. These carry a
    # /data/ segment (KV v2 API form) while the fetchScript paths above do
    # not; simple_get presumably bridges the two — confirm.
    requiredVaultPaths = [
      "private-public-keys/data/piped-cockroachdb-ca/nodes/raspberry"
      "private-public-keys/data/cryptsetup/raspberry-ext-drive" # used dynamically
      "private-public-keys/data/wireguard/chaos-internal/raspberry"
      "passwords/data/wifi/parentals-home"
      "api-keys/data/hetzner/storagebox" # also used dynamically
    ];

    secrets = {
      # Used for fetching the encryption drive's key at runtime
      # can be revoked in case of hardware theft
      # Can also run vault-login on host before secrets-init to fetch secrets using raspberry's login
      vault_password = { manual = true; };

      # CockroachDB TLS material, all from the same Vault document.
      piped_cockroachdb_ca_certificate = cockroachSecret "ca.crt" ".ca_certificate";
      piped_cockroachdb_node_certificate = cockroachSecret "node.crt" ".node_certificate";
      piped_cockroachdb_node_key = cockroachSecret "node.key" ".node_key";

      # for internal wireguard VPN
      wg_priv = wgSecret ".private";
      wg_preshared_hetzner-vm = wgSecret ".preshared_keys.hetzner_vm";
      wg_preshared_vault = wgSecret ".preshared_keys.vault";
    };
  };
}