{ lib, config, ... }:

# Terranix root for the Vault deployment. Pulls in the policy, auth-backend,
# SSH-CA, server and deployer modules, then lists the per-app policies and the
# app assignment for every server. `lib` and `config` are module arguments and
# are not used directly here.
{
  imports = [
    # Policy definitions (raw HCL and per-app).
    ./policies-raw.nix
    ./policies-app.nix

    # Authentication backends.
    ./authbackend-approle.nix
    ./authbackend-oidc.nix
    ./authbackend-authentik.nix

    # SSH certificate authority, both sides.
    ./ssh-ca-client.nix
    ./ssh-ca-server.nix

    ./servers.nix

    ./acme-ca.nix

    # Deployers that read secrets out of Vault.
    ./lukegbcom-deployer.nix
    ./binary-cache-deployer.nix
  ];

  terraform = {
    # Remote state in GCS. NOTE(review): Terraform persists values read through
    # data sources (e.g. the vault_generic_secret below) in state as plain text,
    # so the state bucket holds secret material -- confirm its access is restricted.
    backend.gcs = {
      bucket = "lukegb-terraform-state";
      prefix = "depot/vault";
    };

    required_providers.vault = {
      source = "hashicorp/vault";
      version = "3.3.1";
    };
  };

  provider.vault.address = "https://vault.int.lukegb.com";

  # GCP secrets engine mounted at "gcp".
  resource.vault_gcp_secret_backend.gcp.path = "gcp";

  # Read at plan/apply time; the fetched value lands in Terraform state.
  data.vault_generic_secret.misc.path = "kv/misc-input";

  my = {
    # Apps declared with an empty attrset take the defaults of the app-policy
    # module (presumably ./policies-app.nix); the two with a `policy` carry
    # extra Vault HCL.
    apps = {
      deluge = {};
      fup = {};
      matrix-synapse = {};
      pomerium = {};
      quotesdb = {};
      turn = {};
      twitterchiver = {};

      # NOTE(review): "create" on acme/certs/* allows issuing certificates for any
      # name under that mount; narrow the path if only specific names are needed.
      sslrenew-raritan.policy = ''
        # sslrenew-raritan is permitted to issue certificates.
        path "acme/certs/*" {
          capabilities = ["create"]
        }
      '';

      # Read-only access to the nix-daemon KV secret (data and metadata).
      deployer.policy = ''
        # Allow reading nix-daemon secrets
        path "kv/data/apps/nix-daemon" {
          capabilities = ["read"]
        }
        path "kv/metadata/apps/nix-daemon" {
          capabilities = ["read"]
        }
      '';

      authentik = {};
      gitlab-runner = {};
      plex-pass = {};
      ads-b = {};
      nixbuild = {};
      tumblrandom = {};
      netbox = {};
    };

    # Which apps each server may authenticate as; every name must match an
    # entry in `apps` above.
    servers = {
      etheroute-lon01.apps = [ "pomerium" ];
      howl.apps = [ "nixbuild" ];
      porcorosso.apps = [ "quotesdb" "nixbuild" ];
      nausicaa.apps = [ "quotesdb" "nixbuild" ];
      totoro.apps = [ "sslrenew-raritan" "deluge" "quotesdb" "authentik" "ads-b" "nixbuild" "tumblrandom" ];
      clouvider-fra01.apps = [ "deluge" ];
      clouvider-lon01.apps = [ "quotesdb" "gitlab-runner" "nixbuild" ];
      cofractal-ams01.apps = [ "deluge" "gitlab-runner" "nixbuild" ];
      bvm-twitterchiver.apps = [ "twitterchiver" ];
      bvm-matrix.apps = [ "turn" "matrix-synapse" ];
      bvm-prosody.apps = [ "turn" ];
      bvm-heptapod.apps = [ "gitlab-runner" ];
      bvm-nixosmgmt.apps = [ "plex-pass" ];
      blade-tuvok.apps = [ "fup" ];
      bvm-netbox.apps = [ "netbox" ];
    };
  };
}