{
  pkgs,
  config,
  ...
}: let
  secrets = config.services.secrets.secrets;
in {
  systemd.services.auto-secrets = {
    wantedBy = ["multi-user.target"];
    after = ["network.target"];
    path = with pkgs; [bash vault-bin getent];
    script = let
      vault_username = "storage";
      vault_password_file = "${secrets.vault_password.path}";
    in ''
      VAULT_ADDR="https://vault.owo.monster" \
        vault login -no-print -method=userpass username=${vault_username} password=$(cat ${vault_password_file})
      /run/current-system/sw/bin/secrets-init
    '';
  };
}