{...}: {
  services.secrets = {
    enable = true;

    vaultLogin = {
      enable = true;
      loginUsername = "hetzner-arm-container-social";
    };

    autoSecrets = {
      enable = true;
    };

    requiredVaultPaths = [
      "private-public-keys/data/restic/Social"

      "api-keys/data/storage/restic/Social"

      "api-keys/data/chaos_mail/gotosocial"
    ];

    secrets = {
      vault_password = {
        manual = true;
      };

      restic_password = {
        fetchScript = ''
          simple_get "/private-public-keys/restic/Social" .password > "$secretFile"
        '';
      };
      restic_env = {
        fetchScript = ''
          RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Social" .username)
          RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Social" .password)
          echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Social" > "$secretFile"
        '';
      };
      env_secrets = {
        fetchScript = ''
          smtp_password=$(simple_get "/api-keys/chaos_mail/gotosocial" .password)
          echo "GTS_SMTP_PASSWORD=$smtp_password" > "$secretFile"
        '';
      };
    };
  };
}