# Declares this host's WireGuard key pair for the "chaos-internal" network as
# secrets fetched through the `services.secrets` module (Vault-backed, going
# by `requiredVaultPaths`). Only the fetch commands are written here; no key
# material appears in this expression.
{config, ...}: let
  inherit (config.networking) hostName;

  # Shell snippet that reads one field (a selector such as `.public`) of this
  # host's entry via `simple_get` and writes it to "$secretFile".
  # `simple_get` and `$secretFile` are not defined in this file; presumably the
  # secrets module provides both when it runs the script.
  # NOTE(review): the redirect creates "$secretFile" before `simple_get` has
  # succeeded, so confirm the module treats a failed or empty fetch as an error
  # and creates the file with owner-only permissions, wg_private in particular.
  fetchField = field: ''
    simple_get "/private-public-keys/wireguard/chaos-internal/${hostName}" ${field} > "$secretFile"
  '';
in {
  services.secrets = {
    enable = true;

    # Scoped to this host's own entry, so presumably the host is granted no
    # access to other peers' private keys -- verify against the Vault policy.
    # NOTE(review): this path has a `data/` segment that the `simple_get` path
    # lacks; that looks like a KV v2 API path versus a logical path -- confirm
    # `simple_get` resolves to the same entry.
    requiredVaultPaths = [
      "private-public-keys/data/wireguard/chaos-internal/${hostName}"
    ];

    secrets = {
      wg_public.fetchScript = fetchField ".public";
      wg_private.fetchScript = fetchField ".private";
    };
  };
}