{pkgs, ...}: {
  services.secrets = {
    enable = true;

    vaultLogin = {
      enable = true;
      loginUsername = "hetzner-arm-container-music";
    };

    autoSecrets = {
      enable = true;
    };

    requiredVaultPaths = [
      "api-keys/data/mpd"
      "api-keys/data/music-stream"
      "passwords/data/soulseek"
      "passwords/data/slskd"
    ];

    packages = with pkgs; [
      apacheHttpd
    ];

    secrets = {
      vault_password = {
        manual = true;
      };

      mpd_control_password = {
        user = "mpd";
        group = "mpd";
        fetchScript = ''
          simple_get "/api-keys/mpd" .password > "$secretFile"
        '';
      };
      music_stream_passwd = {
        user = "nginx";
        group = "nginx";
        fetchScript = ''
          username=$(simple_get "/api-keys/music-stream" .username)
          password=$(simple_get "/api-keys/music-stream" .password)
          htpasswd -bc "$secretFile" "$username" "$password" 2>/dev/null
        '';
      };
      slskd_env = {
        fetchScript = ''
          soulseek_password=$(simple_get "/passwords/soulseek" .password)
          slskd_password=$(simple_get "/passwords/slskd" .password)
          echo > "$secretFile"
          echo "SLSKD_SLSK_PASSWORD=$soulseek_password" >> "$secretFile"
          echo "SLSKD_PASSWORD=$slskd_password" >> "$secretFile"
        '';
      };
    };
  };
}