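# Secrets for the raspberry host, fetched from Vault through the
# services.secrets module (its options: packages, extraFunctions,
# requiredVaultPaths, secrets.<name>.{user,group,permissions,path,fetchScript,manual}).
{pkgs, ...}: let
  # Vault KV paths as simple_get sees them (the KV v2 "data/" segment is only
  # needed in requiredVaultPaths below).
  vaultPaths = {
    cockroach = "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry";
    wireguard = "/private-public-keys/wireguard/chaos-internal/raspberry";
    wifi = "/passwords/wifi/parentals-home";
  };
  cockroachCertDir = "/var/lib/cockroachdb-certs";

  # One CockroachDB PEM file; the Vault field holds the PEM base64-encoded.
  # `file` is the file name under cockroachCertDir, `field` the simple_get selector.
  cockroachCert = file: field: {
    user = "cockroachdb";
    group = "cockroachdb";
    permissions = "600";
    path = "${cockroachCertDir}/${file}";
    fetchScript = ''
      # mkdir -p is a no-op when the directory exists; the directory is missing
      # when secrets-init runs on another host against $SYSROOT
      mkdir -p "$SYSROOT${cockroachCertDir}"
      vault_b64_field_to_file "${vaultPaths.cockroach}" "${field}" "$secretFile"
    '';
  };

  # One WireGuard key for the internal VPN; ownership and mode are left to the
  # services.secrets defaults, as before.
  wgKey = field: {
    fetchScript = ''
      vault_field_to_file "${vaultPaths.wireguard}" "${field}" "$secretFile"
    '';
  };
in {
  services.secrets = {
    enable = true;
    packages = with pkgs; [rclone];

    # Shell helpers available to every fetchScript below.
    # NOTE(review): simple_get, $SYSROOT and $secretFile are provided by the
    # services.secrets module, not by this file.
    extraFunctions = ''
      # Obscure a Vault field for an rclone config.  The plaintext is handed to
      # rclone on stdin ("-" selects stdin) instead of as an argument, so it is
      # not readable through the process's command line while rclone runs.
      # Returns non-zero instead of obscuring an empty string when simple_get fails.
      simple_get_obscure() {
        local plain
        plain="$(simple_get "$@")" || return 1
        printf '%s' "$plain" | rclone obscure -
      }

      # Escape a value for the right-hand side of a sed "s/.../.../" command:
      # backslash, ampersand and the "/" delimiter are special there.
      # Assumes a single-line value (a newline cannot be escaped this way).
      sed_escape() {
        printf '%s' "$1" | sed -e 's|[\\/&]|\\&|g'
      }

      # Fetch one Vault field ($1 path, $2 selector) and write it to file $3.
      # The value is captured and checked first, so a failed or empty lookup
      # returns non-zero and leaves $3 untouched instead of truncating it to
      # zero bytes.  A trailing newline is written, as jq-style output would carry.
      vault_field_to_file() {
        local value
        value="$(simple_get "$1" "$2")" || return 1
        if [ -z "$value" ]; then
          echo "vault_field_to_file: empty value for $1 $2" >&2
          return 1
        fi
        printf '%s\n' "$value" > "$3"
      }

      # Like vault_field_to_file, but the field holds base64 which is decoded
      # before writing.
      vault_b64_field_to_file() {
        local value
        value="$(simple_get "$1" "$2")" || return 1
        if [ -z "$value" ]; then
          echo "vault_b64_field_to_file: empty value for $1 $2" >&2
          return 1
        fi
        printf '%s' "$value" | base64 -d > "$3"
      }

      # Render a NetworkManager keyfile from a template: $1 Vault path holding
      # .ssid and .password, $2 connection id, $3 template file, $4 destination.
      # All substituted values go through sed_escape, so an SSID or password
      # containing "/", "&" or "\" can neither break nor corrupt the sed command.
      render_wifi_nmconnection() {
        local ssid password
        ssid="$(simple_get "$1" .ssid)" || return 1
        password="$(simple_get "$1" .password)" || return 1
        if [ -z "$ssid" ] || [ -z "$password" ]; then
          echo "render_wifi_nmconnection: empty ssid or password at $1" >&2
          return 1
        fi
        cp "$3" "$4"
        sed -i \
          -e "s/WIFI_ID/$(sed_escape "$2")/" \
          -e "s/WIFI_SSID/$(sed_escape "$ssid")/" \
          -e "s/WIFI_PASSWORD/$(sed_escape "$password")/" \
          "$4"
      }
    '';

    requiredVaultPaths = [
      "private-public-keys/data/piped-cockroachdb-ca/nodes/raspberry"
      "private-public-keys/data/cryptsetup/raspberry-ext-drive" # used dynamically
      "private-public-keys/data/wireguard/chaos-internal/raspberry"
      "passwords/data/wifi/parentals-home"
      "api-keys/data/hetzner/storagebox" # also used dynamically
    ];

    secrets = {
      # Used for fetching the encryption drive's key at runtime
      # can be revoked in case of hardware theft
      # Can also run vault-login on host before secrets-init to fetch secrets using raspberry's login
      vault_login_password = { manual = true; };

      home-wifi-password = {
        user = "root";
        group = "root";
        permissions = "600";
        path = "/etc/NetworkManager/system-connections/Home-WiFi.nmconnection";
        fetchScript = ''
          # Create the path if it doesn't exist, useful for when using secrets-init on another host
          mkdir -p "$SYSROOT/etc/NetworkManager/system-connections"
          render_wifi_nmconnection "${vaultPaths.wifi}" "Home-WiFi" ${./data/wifi-nmconnection.template} "$secretFile"
        '';
      };

      piped_cockroachdb_ca_certificate = cockroachCert "ca.crt" ".ca_certificate";
      piped_cockroachdb_node_certificate = cockroachCert "node.crt" ".node_certificate";
      piped_cockroachdb_node_key = cockroachCert "node.key" ".node_key";

      # for internal wireguard VPN
      wg_priv = wgKey ".private";
      wg_preshared_hetzner-vm = wgKey ".preshared_keys.hetzner_vm";
      wg_preshared_vault = wgKey ".preshared_keys.vault";
    };
  };
}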