{lib, ...}: let
  inherit (lib.lists) forEach;
  inherit (lib.modules) mkMerge;
  inherit (builtins) isString;
in rec {
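  # Build the bind-mount entry for a single secret.
  #
  # Arguments:
  #   secrets    - attrset of secret definitions indexed by name; only the
  #                `path` attribute of the selected entry is read (used as the
  #                host-side path).
  #   secretItem - either a secret name (string), or an attrset with `name`,
  #                `path` (the mount point) and an optional `writable` boolean.
  #
  # Returns a one-attribute set:
  #   { "<containerPath>" = { hostPath = ...; isReadOnly = ...; }; }
  # NOTE(review): the shape looks like a NixOS container `bindMounts` entry;
  # confirm against the caller.
  genBindMountForSecret = secrets: secretItem: let
    givenByName = isString secretItem;

    secret =
      if givenByName
      then secrets.${secretItem}
      else secrets.${secretItem.name};

    hostPath = secret.path;

    # A bare name mounts the secret at the same path it has on the host.
    containerPath =
      if givenByName
      then hostPath
      else secretItem.path;

    # Only the attrset form can carry `writable`; a bare name has no
    # attributes to inspect. Read-only stays the default, so write access to
    # the host's secret file is granted only when explicitly requested.
    writable =
      if givenByName
      then false
      else secretItem.writable or false;
  in {
    "${containerPath}" = {
      inherit hostPath;
      isReadOnly = !writable;
    };
  };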

  # Build the bind-mount entries for every item in `secrets_list` and combine
  # them with `mkMerge`.
  #
  # Arguments:
  #   secrets      - attrset of secret definitions, passed through unchanged to
  #                  genBindMountForSecret.
  #   secrets_list - list of secret items (names or attrsets), one mount each.
  #
  # Returns the `mkMerge` of the per-secret attrsets, so the result is meant to
  # be consumed by the module system rather than used as a plain attrset.
  genBindHostsForSecrets = secrets: secrets_list: let
    toMount = genBindMountForSecret secrets;
  in
    mkMerge (map toMount secrets_list);
}