{...}: {
  services.secrets = {
    enable = true;

    vaultLogin = {
      enable = true;
      loginUsername = "raspberry";
    };

    # some are also added from wireguard internal config
    requiredVaultPaths = [
      "private-public-keys/data/cryptsetup/raspberry-ext-drive" # used dynamically

      "api-keys/data/hetzner/storagebox" # also used dynamically
    ];

    secrets = {
      vault_password = {
        manual = true;
      };
    };
  };
}