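# Secrets configuration for the host that authenticates to Vault as
# "hetzner-arm-container-piped-fi". Every option below belongs to the
# `services.secrets` module, which is defined outside this file
# (presumably project-local; its defaults are not visible here).
#
# The fetchScript bodies are shell and must stay multi-line:
#   * written as `A=$(..) B=$(..) echo "$A:$B"` on one line, the shell expands
#     "$A"/"$B" before the prefix assignments apply, so the credentials would
#     be written out empty;
#   * a backslash followed by a space (instead of a newline) is an escaped
#     space, not a line continuation.
{...}: {
  services.secrets = {
    enable = true;

    vaultLogin = {
      enable = true;
      # One Vault identity per host keeps the blast radius of a compromised
      # container limited to the paths that identity's policy grants.
      loginUsername = "hetzner-arm-container-piped-fi";
    };

    autoSecrets = {
      enable = true;
    };

    # NOTE(review): these carry a "data/" segment that the simple_get calls
    # below do not; this looks like KV v2 API paths versus logical paths.
    # Confirm against the module, and keep this list identical to what the
    # fetch scripts actually read so the Vault policy stays least-privilege.
    requiredVaultPaths = [
      "api-keys/data/storage/restic/Piped-Finland"
      "private-public-keys/data/piped-cockroachdb-ca/nodes/piped-fi"
      "private-public-keys/data/restic/Piped-Finland"
    ];

    secrets = {
      # Not fetched from Vault; presumably the password used by vaultLogin,
      # which has to be provisioned on the host by hand (TODO confirm).
      vault_password = {
        manual = true;
      };

      # Repository encryption password for restic.
      # NOTE(review): no user/group/permissions/path are set here, so the
      # module defaults apply; verify they are not world-readable.
      restic_password = {
        fetchScript = ''
          simple_get "/private-public-keys/restic/Piped-Finland" .password > "$secretFile"
        '';
      };

      # Environment file holding RESTIC_REPOSITORY with the REST-server
      # username and password embedded in the URL.
      # NOTE(review):
      #  * the credentials are interpolated without percent-encoding, so a
      #    value containing characters such as "@", ":" or "/" yields a
      #    malformed URL;
      #  * anything that prints RESTIC_REPOSITORY (logs, process environment
      #    dumps) discloses the credentials; restic's REST backend also reads
      #    RESTIC_REST_USERNAME / RESTIC_REST_PASSWORD, which would keep them
      #    out of the URL (confirm the consumer of this file supports that);
      #  * if simple_get fails, the variables are empty and the file is still
      #    written unless the module runs this script with errexit (not
      #    visible here);
      #  * no explicit permissions are set; module defaults apply.
      restic_env = {
        fetchScript = ''
          RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Piped-Finland" .username)
          RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Piped-Finland" .password)
          echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Piped-Finland" > "$secretFile"
        '';
      };

      # The three CockroachDB TLS files below are read from the same Vault
      # entry, base64-decoded, and written under /var/lib/cockroachdb-certs
      # as cockroachdb:cockroachdb with mode 600.
      # NOTE(review): in `simple_get ... | base64 -d`, the pipeline's exit
      # status is that of base64, so a failed fetch can leave an empty file
      # unless the module enables pipefail (not visible here).
      cockroachdb_ca_certificate = {
        user = "cockroachdb";
        group = "cockroachdb";
        permissions = "600";
        path = "/var/lib/cockroachdb-certs/ca.crt";
        fetchScript = ''
          simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/piped-fi" .ca_certificate \
            | base64 -d > "$secretFile"
        '';
      };

      cockroachdb_node_certificate = {
        user = "cockroachdb";
        group = "cockroachdb";
        permissions = "600";
        path = "/var/lib/cockroachdb-certs/node.crt";
        fetchScript = ''
          simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/piped-fi" .node_certificate \
            | base64 -d > "$secretFile"
        '';
      };

      # Private key material: the owner-only mode on this file is the one
      # that matters most of the three.
      cockroachdb_node_key = {
        user = "cockroachdb";
        group = "cockroachdb";
        permissions = "600";
        path = "/var/lib/cockroachdb-certs/node.key";
        fetchScript = ''
          simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/piped-fi" .node_key \
            | base64 -d > "$secretFile"
        '';
      };
    };
  };
}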