{
  inputs',
  pkgs,
  config,
  ...
}: {
  services.hashicorp.vault-agent = {
    settings.template = let
      buildbotRestart =
        pkgs.writeShellScript "buildbot-reload.sh"
        ''
          sudo systemd-run -P --machine klipper /run/current-system/sw/bin/bash -l -c \
            'systemctl try-reload-or-restart container@buildbot' || true
        '';
    in
      map (v: v // {command = buildbotRestart;}) [
        {
          source = pkgs.writeText "buildbot.github_oauth_secret.vtmpl" ''
            {{ with secret "kv/data/cluster/buildbot/buildbot" }}{{ .Data.data.oauth_secret }}{{ end }}
          '';
          destination = "/run/secrets/buildbot/github_oauth_secret";
        }
        {
          source = pkgs.writeText "buildbot.github_token.vtmpl" ''
            {{ with secret "kv/data/cluster/buildbot/buildbot" }}{{ .Data.data.token }}{{ end }}
          '';
          destination = "/run/secrets/buildbot/github_token";
        }
        {
          source = pkgs.writeText "buildbot.github_webhook_secret.vtmpl" ''
            {{ with secret "kv/data/cluster/buildbot/buildbot" }}{{ .Data.data.webhook_secret }}{{ end }}
          '';
          destination = "/run/secrets/buildbot/github_webhook_secret";
        }
        {
          source = pkgs.writeText "buildbot.gitea_token.vtmpl" ''
            {{ with secret "kv/data/cluster/buildbot/gitea" }}{{ .Data.data.token }}{{ end }}
          '';
          destination = "/run/secrets/buildbot/gitea_token";
        }
        {
          source = pkgs.writeText "buildbot.gitea.oauth_secret.vtmpl" ''
            {{ with secret "kv/data/cluster/buildbot/gitea" }}{{ .Data.data.oauth_secret }}{{ end }}
          '';
          destination = "/run/secrets/buildbot/gitea_oauth_secret";
        }
        {
          source = pkgs.writeText "buildbot.github.app_private_key.vtmpl" ''
            {{ with secret "kv/data/cluster/buildbot/buildbot" }}{{ .Data.data.app_private_key }}{{ end }}
          '';
          destination = "/run/secrets/buildbot/github_app_private_key.pem";
        }
      ];
  };

  containers.buildbot = {
    ephemeral = true;
    autoStart = true;
    privateNetwork = false;

    bindMounts = {
      "/var/lib/buildbot" = {
        hostPath = "/mnt/kyle/infrastructure/buildbot/data";
        isReadOnly = false;
      };
      "/var/lib/postgresql" = {
        hostPath = "/mnt/kyle/infrastructure/buildbot/database";
        isReadOnly = false;
      };
      "/secret" = {
        hostPath = "/run/secrets/buildbot";
        isReadOnly = true;
      };
    };

    specialArgs = {
      inherit inputs';
    };

    config = {
      boot.isContainer = true;

      nix.settings = config.nix.settings;
      nix.package = config.nix.package;

      imports = [
        ../buildbot-container/buildbot.nix
      ];

      networking.hostName = "buildbot";
    };
  };
}