{
  self,
  pkgs,
  ...
}: let
  externalDriveData = import "${self}/data/drives/raspberryExternalDrive.nix";

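  # Builds the `mount_external_drive` command: it clears any previous
  # mount/mapping, logs in to Vault, fetches the LUKS key, opens the encrypted
  # device and mounts the resulting mapper device read-write with zstd
  # compression. All device names and paths come from externalDriveData.
  mountExternalDrive = let
    jq = "${pkgs.jq}/bin/jq";
    vault = "${pkgs.vault-bin}/bin/vault";
    cryptsetup = "${pkgs.cryptsetup}/bin/cryptsetup";
  in
    pkgs.writeShellScriptBin "mount_external_drive" ''
      # Best-effort cleanup of a previous mount/mapping; the helper ignores
      # its own errors, so this never aborts the script.
      ${unmountExternalDrive}/bin/unmount_external_drive

      # vault-login is not defined in this file and is resolved via PATH, as
      # are base64 and mount below. Only jq, vault and cryptsetup are pinned
      # to store paths.
      vault-login

      # From here on any failure aborts the script. Without this, a failed
      # Vault read or a rejected key would still fall through to the mount
      # call at the end.
      set -euo pipefail

      # The key is streamed from Vault into cryptsetup over pipes and is never
      # written to disk. jq -e exits non-zero when the field is null or absent.
      ${vault} kv get -format json "/private-public-keys/cryptsetup/raspberry-ext-drive" \
        | ${jq} -er ".data.data.key" \
        | base64 -d \
        | ${cryptsetup} open "${externalDriveData.encryptedPath}" "${externalDriveData.mapperName}" --key-file=/dev/stdin
      mount "${externalDriveData.mapperPath}" -o rw,compress=zstd "${externalDriveData.mountpoint}"
    '';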

  # Builds the `unmount_external_drive` command: a best-effort teardown that
  # unmounts the mountpoint (-f force, -l lazy, -R recursive) and then closes
  # the dm-crypt mapping. Both steps swallow their errors, so the script always
  # exits 0. NOTE(review): because the unmount is lazy, the mapping may still be
  # in use when `cryptsetup close` runs; that failure is ignored too, which can
  # leave the decrypted device open. Check the mapper device when that matters.
  unmountExternalDrive = pkgs.writeShellScriptBin "unmount_external_drive" ''
    umount -flR ${externalDriveData.mountpoint} || true
    ${pkgs.cryptsetup}/bin/cryptsetup close ${externalDriveData.mapperName} || true
  '';
in {
  # Put cryptsetup and the two helper commands on the system PATH.
  environment.systemPackages = [
    pkgs.cryptsetup
    mountExternalDrive
    unmountExternalDrive
  ];

  # tmpfiles "d" entry: create the mountpoint directory if it is missing,
  # owned by root:root; "-" leaves the mode at the tmpfiles default.
  systemd.tmpfiles.rules = [
    "d ${externalDriveData.mountpoint} - root root"
  ];

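  # Disabled: udev-triggered automatic mount/unmount when the partition appears
  # or disappears. The systemd units named below are not defined in this file.
  #services.udev.extraRules = ''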
  #  ACTION=="add", ENV{PARTLABEL}=="${externalDriveData.encryptedLabel}", ENV{SYSTEMD_WANTS}="mount-external-drive.service"
  #  ACTION=="remove", ENV{PARTLABEL}=="${externalDriveData.encryptedLabel}", ENV{SYSTEMD_WANTS}="unmount-external-drive.service"
  #'';
}