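# SPDX-FileCopyrightText: 2020 Luke Granger-Brown
#
# SPDX-License-Identifier: Apache-2.0

# NixOS module running HashiCorp Vault Agent as a sandboxed system service.
# The agent authenticates to Vault with AppRole (role ID + secret ID file) and
# exposes a token-caching listener on loopback for other local services.
{ pkgs, config, depot, lib, ... }:

let
  inherit (lib) mkEnableOption mkOption types;

  cfg = config.my.vault;

  # Priority 900 sits between lib.mkDefault (1000) and a plain assignment (100):
  # a host's plain `my.vault.x = ...` overrides the values set here, while a
  # host's own lib.mkDefault does not. Named explicitly so it is not confused
  # with lib.mkDefault.
  mkModuleDefault = lib.mkOverride 900;

  # The rendered agent config lands in the Nix store, which is world-readable,
  # so `settings` must only carry non-secret material; secrets are referenced
  # by on-disk path (see secretIDPath).
  format = pkgs.formats.json { };
  configFile = format.generate "vault-agent.json" cfg.settings;

  # With DynamicUser, systemd backs StateDirectory=vault-agent by this path and
  # symlinks /var/lib/vault-agent to it; the optional bind mount targets it.
  privateStateDir = "/var/lib/private/vault-agent";
in
{
  options.my.vault = {
    enable = mkEnableOption "vault agent";

    roleID = mkOption {
      type = types.str;
      default = config.networking.hostName;
      description = ''
        AppRole role ID the agent authenticates with. It is written into the
        Nix store (world-readable) and therefore must not be treated as a
        secret; the secret ID file is the protected half of the credential.
      '';
    };

    secretIDPath = mkOption {
      type = types.str;
      default = "/var/lib/vault-agent/secret-id";
      description = ''
        Path of the AppRole secret ID file. The default lives in the service's
        StateDirectory (mode 0700). The agent does not delete it after
        reading, so it must be provisioned out of band and kept readable only
        by the service user.
      '';
    };

    settings = mkOption {
      type = format.type;
      default = { };
      description = ''
        Vault Agent configuration, rendered to JSON in the Nix store. Must not
        contain secrets; reference them by file path instead.
      '';
    };

    bindMountStateTo = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = ''
        If non-null, bind-mount this directory over the agent's private state
        directory (/var/lib/private/vault-agent) before the service starts,
        so the secret ID and cache live on that storage instead.
      '';
    };
  };

  config = {
    # On by default; a host disables it with a plain `my.vault.enable = false`.
    my.vault.enable = mkModuleDefault true;

    my.vault.settings = mkModuleDefault {
      pid_file = "/run/vault-agent/pid";
      vault.address = "https://vault.int.lukegb.com";

      auto_auth.method = [
        {
          type = "approle";
          config = {
            # Store path: readable by every local user, which is acceptable
            # only because the role ID is the non-secret half of AppRole.
            role_id_file_path = pkgs.writeText "${cfg.roleID}-role-id" cfg.roleID;
            secret_id_file_path = cfg.secretIDPath;
            # Keep the secret ID so the agent can re-authenticate after a
            # restart without being re-provisioned.
            remove_secret_id_file_after_reading = false;
          };
        }
      ];

      # Requests to the loopback listener that carry no token are forwarded
      # with the agent's own auto-auth token. The listener has no client
      # authentication and TLS is disabled, so any process that can reach
      # 127.0.0.1:8200 acts with this AppRole's privileges -- keep the role's
      # policy minimal accordingly.
      cache.use_auto_auth_token = true;
      listener.tcp = {
        address = "127.0.0.1:8200";
        tls_disable = true;
      };
    };

    systemd = lib.optionalAttrs cfg.enable {
      services.vault-agent = {
        description = "Hashicorp Vault Agent";
        wants = [ "network.target" ];
        after = [ "network.target" ];
        wantedBy = [ "multi-user.target" ];
        # NOTE(review): presumably needed for glibc helper binaries (e.g. name
        # resolution tooling) the agent shells out to -- confirm.
        path = [ pkgs.glibc.bin ];

        serviceConfig = {
          # /run/vault-agent holds the pid file; private to the service user.
          RuntimeDirectory = "vault-agent";
          RuntimeDirectoryMode = "0700";
          # /var/lib/vault-agent holds the secret ID; private to the service user.
          StateDirectory = "vault-agent";
          StateDirectoryMode = "0700";
          DynamicUser = true;
          User = "vault-agent";
          # Read-only filesystem apart from the directories systemd provisions.
          ProtectSystem = "strict";
          ProtectHome = "yes";
          ExecStart = "${pkgs.vault}/bin/vault agent -config=${configFile}";
        };
      };

      # Optional bind mount of external storage over the private state dir,
      # ordered strictly before the agent so the secret ID is visible on start.
      mounts = lib.optional (cfg.bindMountStateTo != null) {
        unitConfig.RequiresMountsFor = "${cfg.bindMountStateTo} ${privateStateDir}";
        options = "bind";
        what = cfg.bindMountStateTo;
        where = privateStateDir;
        requiredBy = [ "vault-agent.service" ];
        before = [ "vault-agent.service" ];
        wantedBy = [ "vault-agent.service" ];
      };
    };
  };
}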