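# Configuration fragment for a host running the private-storage-issuer
# service, with the monitoring VPN client enabled.
#
# Curried arguments, in order:
#   cfg                  attribute set; read here for ristrettoSigningKeyPath,
#                        stripeSecretKeyPath, monitoringvpnEndpoint,
#                        letsEncryptAdminEmail, issuerDomains and
#                        allowedChargeOrigins.
#   sshUsers             passed through to services.private-storage.sshUsers.
#   monitoringvpnKeyDir  directory holding "<ip>.key", "preshared.key" and
#                        "server.pub" for the monitoring VPN.
#   monitoringvpnIPv4    this host's VPN address; also selects its key file.
#   stateVersion         value assigned to system.stateVersion.
cfg: sshUsers: monitoringvpnKeyDir: monitoringvpnIPv4: stateVersion: {
  # Secret name -> file the secret is read from.
  # NOTE(review): presumably the deployment tool uploads these files to the
  # host out of band, so the key material never enters the Nix store. Confirm.
  #
  # NOTE(review): the two VPN entries assume monitoringvpnKeyDir is a string.
  # Interpolating a Nix *path* value copies the whole directory, private keys
  # included, into the world-readable Nix store. Verify what callers pass.
  deployment.secrets = {
    "ristretto-signing-key".source = cfg.ristrettoSigningKeyPath;
    "stripe-secret-key".source = cfg.stripeSecretKeyPath;
    "monitoringvpn-secret-key".source = "${monitoringvpnKeyDir}/${monitoringvpnIPv4}.key";
    "monitoringvpn-preshared-key".source = "${monitoringvpnKeyDir}/preshared.key";
  };

  services.private-storage.sshUsers = sshUsers;
  services.private-storage.monitoring.vpn.client = {
    enable = true;
    ip = monitoringvpnIPv4;
    endpoint = cfg.monitoringvpnEndpoint;
    # Public key only, so this one is not a secret and is not listed in
    # deployment.secrets above.
    endpointPublicKeyFile = "${monitoringvpnKeyDir}/server.pub";
  };

  services.private-storage-issuer = {
    letsEncryptAdminEmail = cfg.letsEncryptAdminEmail;
    domains = cfg.issuerDomains;
    # NOTE(review): looks like the list of web origins permitted to call the
    # charge endpoint. Keep it as narrow as possible; confirm in the module.
    allowedChargeOrigins = cfg.allowedChargeOrigins;
  };

  # Honour the caller-supplied stateVersion instead of a hard-coded "19.03",
  # which silently ignored the argument. For an existing host the caller must
  # keep passing the release it was first installed with.
  system.stateVersion = stateVersion;
}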