# NixOS module fragment: enables services.secrets with a Vault login and
# declares the three CockroachDB TLS files (CA certificate, node certificate,
# node private key) that are fetched from Vault and written under
# /var/lib/cockroachdb-certs.
{...}: let
  # Directory holding all three files. The fetch script prefixes it with
  # $SYSROOT; the `path` attributes use it as-is.
  certDir = "/var/lib/cockroachdb-certs";

  # Secret location as handed to simple_get. The requiredVaultPaths entry
  # below spells the same location with an extra "data/" segment.
  # NOTE(review): presumably a KV v2 mount where simple_get adds "data/"
  # itself — confirm both strings address the same secret.
  vaultSecret = "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry";

  # Shell snippet that creates the certificate directory if it is missing,
  # reads one field of the Vault secret and base64-decodes it into $secretFile.
  #
  # NOTE(review): the exit status of the pipeline is that of `base64 -d`
  # unless the shell running fetchScript has pipefail enabled; if it does not,
  # a failed simple_get would leave an empty $secretFile and still report
  # success. Confirm how the services.secrets harness runs this snippet.
  # NOTE(review): `mkdir -p` sets neither owner nor mode, so the directory
  # gets whatever the invoking user and umask give it — verify that this is
  # acceptable for a directory that contains node.key.
  fetchField = field: ''
    if [ ! -d "$SYSROOT${certDir}" ]; then
      mkdir -p "$SYSROOT${certDir}"
    fi
    simple_get "${vaultSecret}" ${field} \
      | base64 -d > "$secretFile"
  '';

  # Shape shared by the three TLS secrets: declared owner and group
  # cockroachdb, mode 600. Keeping it in one place stops the entries from
  # drifting apart (for example a looser mode on the private key).
  # NOTE(review): whether owner and mode are applied before or after the
  # script writes $secretFile is not visible here.
  certSecret = fileName: field: {
    user = "cockroachdb";
    group = "cockroachdb";
    permissions = "600";
    path = "${certDir}/${fileName}";
    fetchScript = fetchField field;
  };
in {
  services.secrets = {
    enable = true;

    # Vault identity used by this host.
    vaultLogin = {
      enable = true;
      loginUsername = "raspberry-container-piped-uk";
    };

    # NOTE(review): presumably ties secret refreshes to the listed systemd
    # units — confirm what the module does with cockroachdb when a file changes.
    autoSecrets = {
      enable = true;
      affectedSystemdServices = ["cockroachdb"];
    };

    # Only this node's entry under the CA mount is listed.
    requiredVaultPaths = [
      "private-public-keys/data/piped-cockroachdb-ca/nodes/raspberry"
    ];

    secrets = {
      # NOTE(review): `manual` presumably means the Vault password is
      # provisioned out of band and never fetched — confirm.
      vault_password.manual = true;

      cockroachdb_ca_certificate = certSecret "ca.crt" ".ca_certificate";
      cockroachdb_node_certificate = certSecret "node.crt" ".node_certificate";
      # Private key of the node certificate: the one file here whose
      # disclosure would let another host present this node's identity.
      cockroachdb_node_key = certSecret "node.key" ".node_key";
    };
  };
}