{ ... }:

let
  # Terraform references are written as escaped "\${...}" so that Nix emits
  # the literal interpolation for Terraform to resolve instead of evaluating it.
  backendRef = "\${resource.vault_jwt_auth_backend.authentik.path}";
  clientIdRef = "\${resource.vault_jwt_auth_backend.authentik.oidc_client_id}";

  # Callback URIs accepted for every role: the Vault CLI's local listener plus
  # the two Vault UI origins.
  callbackUris = [
    "http://localhost:8250/oidc/callback"
    "https://vault-server-j2gbzkpiaq-ew.a.run.app/ui/vault/auth/oidc/authentik/callback"
    "https://vault.int.lukegb.com/ui/vault/auth/oidc/authentik/callback"
  ];

  # Builds one OIDC role. `name` becomes both the Vault role_name and the
  # second token policy attached alongside "base"; everything else is shared.
  # NOTE(review): no bound_claims are configured on either role, so the role
  # is chosen by the client at login time. Whether a non-admin Authentik user
  # can log in with role "admin" therefore depends on what Authentik itself
  # enforces for this application -- confirm, or bind a group claim here.
  mkRole = name: {
    backend = backendRef;
    role_type = "oidc";
    bound_audiences = [ clientIdRef ];
    user_claim = "sub";
    allowed_redirect_uris = callbackUris;
    role_name = name;
    token_policies = [ "base" name ];
  };
in
{
  resource = {
    # The Authentik OIDC auth mount itself.
    vault_jwt_auth_backend.authentik = {
      default_role = "user";
      namespace_in_state = true;

      oidc_discovery_url = "https://auth.lukegb.com/application/o/vault/";
      oidc_client_id = "33e3bdaf2dcc48cba5614e69cca22df701728d4d";
      # The client secret is read from Vault at apply time rather than
      # committed here; the resolved value will still end up in Terraform state.
      oidc_client_secret = "\${data.vault_generic_secret.misc.data[\"authentikAuthToken\"]}";
    };

    # One role per policy tier; see mkRole above for the shared fields.
    vault_jwt_auth_backend_role = {
      authentik_user = mkRole "user";
      authentik_admin = mkRole "admin";
    };
  };

  # Project-local option (`my.authBackend`); how resourceType/type/tune are
  # consumed is defined elsewhere, not in this file.
  my.authBackend.authentik = {
    resourceType = "vault_jwt_auth_backend";
    type = "oidc";
    tune = {
      default_lease_ttl = "24h";
      max_lease_ttl = "24h";
    };
  };
}