{...}: {
  services.secrets = {
    enable = true;

    vaultURL = "http://127.0.0.1:8200";

    vaultLogin = {
      enable = true;
      loginUsername = "vault";
    };

    autoSecrets = {
      # won't work when sealed
      enable = false;
    };

    requiredVaultPaths = [
      "private-public-keys/data/ssh/root@vault"
      "private-public-keys/data/ssh/root@vault-decrypt"

      "private-public-keys/data/restic/Vault"

      "api-keys/data/storage/restic/Vault"

      "infra/data/internalCAPassword"
    ];

    secrets = {
      vault_password = {
        manual = true;
      };

      ssh_host_ed25519_key = {
        path = "/etc/ssh/ssh_host_ed25519_key";
        permissions = "600";
        fetchScript = ''
          [ ! -d "$SYSROOT/etc/ssh" ] && mkdir -p "$SYSROOT/etc/ssh/"
          simple_get "/private-public-keys/ssh/root@vault" .private | base64 -d > "$secretFile"
        '';
      };
      ssh_host_ed25519_key_pub = {
        path = "/etc/ssh/ssh_host_ed25519_key.pub";
        permissions = "600";
        fetchScript = ''
          [ ! -d "$SYSROOT/etc/ssh" ] && mkdir -p "$SYSROOT/etc/ssh/"
          simple_get "/private-public-keys/ssh/root@vault" .private | base64 -d > "$secretFile"
        '';
      };

      # this doesn't need to be a secret and can be generated at install time
      # but it makes it easier to install.
      # it's stored in /nix store anyway
      initrd_ssh_host_ed25519_key = {
        path = "/initrd_ssh_host_ed25519_key";
        permissions = "600";
        fetchScript = ''
          simple_get "/private-public-keys/ssh/root@vault-decrypt" .private | base64 -d > "$secretFile"
        '';
      };

      restic_password = {
        fetchScript = ''
          simple_get "/private-public-keys/restic/Vault" .password > "$secretFile"
        '';
      };
      restic_env = {
        fetchScript = ''
          RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Vault" .restic)
          echo "RESTIC_REPOSITORY=rest:https://restic:$RESTIC_PASSWORD@storage-restic.owo.monster/Vault" > "$secretFile"
        '';
      };

      internal_ca_password = {
        fetchScript = ''
          simple_get "/infra/internalCAPassword" .password > "$secretFile"
        '';
      };
    };
  };
}