{pkgs, ...}: {
  services.secrets = {
    enable = true;

    packages = with pkgs; [
      rclone
    ];

    vaultLogin = {
      enable = true;
      loginUsername = "hetzner-arm-container-jellyfin";
    };

    autoSecrets = {
      enable = true;
    };

    requiredVaultPaths = [
      "api-keys/data/storage/webdav/Media"
      "api-keys/data/storage/restic/Jellyfin"

      "private-public-keys/data/restic/Jellyfin"
    ];

    secrets = {
      vault_password = {
        manual = true;
      };

      rclone_config = {
        user = "jellyfin";
        group = "jellyfin";
        fetchScript = ''
          cp ${./data/rclone_config.template} "$secretFile"
          MEDIA_PASSWORD="$(simple_get "/api-keys/storage/webdav/Media" .media)"
          MEDIA_PASSWORD="$(rclone obscure "$MEDIA_PASSWORD")"
          sed -i "s/MEDIA_PASSWORD/$MEDIA_PASSWORD/" "$secretFile"
        '';
      };

      restic_password = {
        fetchScript = ''
          simple_get "/private-public-keys/restic/Jellyfin" .password > "$secretFile"
        '';
      };
      restic_env = {
        fetchScript = ''
          RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Jellyfin" .restic)
          echo "RESTIC_REPOSITORY=rest:https://restic:$RESTIC_PASSWORD@storage-restic.owo.monster/Jellyfin" > "$secretFile"
        '';
      };
    };
  };
}