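# Vault-backed secrets for the hetzner-arm host, declared through the
# services.secrets module. Each entry under `secrets` is materialised at
# `path` (presumably below $SYSROOT at install time) by running its
# `fetchScript` with $secretFile pointing at the destination — confirm
# against the module implementation.
{ ... }: {
  services.secrets = {
    enable = true;

    vaultLogin = {
      enable = true;
      loginUsername = "hetzner-arm";
    };

    autoSecrets = {
      enable = true;
      # Units restarted once the secrets have been refreshed.
      affectedSystemdServices = [ "wg-quick-wg0" ];
    };

    # KV v2 paths the login must be allowed to read. Note the "data/" segment:
    # the simple_get calls below omit it, so the helper presumably inserts it
    # — verify if a fetch starts failing with a permission error.
    requiredVaultPaths = [
      "private-public-keys/data/ssh/root@hetzner-arm"
      "private-public-keys/data/ssh/root@hetzner-arm-decrypt"
    ];

    secrets = {
      # Supplied by hand; never fetched.
      vault_password = { manual = true; };

      ssh_host_ed25519_key = {
        path = "/etc/ssh/ssh_host_ed25519_key";
        permissions = "600";
        # mkdir -p is idempotent, so no existence test is needed first.
        fetchScript = ''
          mkdir -p "$SYSROOT/etc/ssh"
          simple_get "/private-public-keys/ssh/root@hetzner-arm" .private | base64 -d > "$secretFile"
        '';
      };

      # The public half is derived from the private key with `ssh-keygen -y`
      # instead of being fetched on its own: the pair can never drift apart,
      # and the private key bytes are never written to the .pub path (the
      # earlier script selected `.private` here as well). Needs ssh-keygen in
      # the PATH of the fetch environment and an unencrypted private key,
      # which host keys normally are. 600 is stricter than the customary 644
      # for a .pub file, but sshd reads its host keys as root, so it is fine.
      ssh_host_ed25519_key_pub = {
        path = "/etc/ssh/ssh_host_ed25519_key.pub";
        permissions = "600";
        fetchScript = ''
          mkdir -p "$SYSROOT/etc/ssh"
          simple_get "/private-public-keys/ssh/root@hetzner-arm" .private \
            | base64 -d \
            | ssh-keygen -y -f /dev/stdin > "$secretFile"
        '';
      };

      # this doesn't need to be a secret and can be generated at install time
      # but it makes it easier to install.
      # it's stored in /nix store anyway
      initrd_ssh_host_ed25519_key = {
        path = "/initrd_ssh_host_ed25519_key";
        permissions = "600";
        fetchScript = ''
          simple_get "/private-public-keys/ssh/root@hetzner-arm-decrypt" .private | base64 -d > "$secretFile"
        '';
      };
    };
  };
}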