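{ ... }:

let
  # Vault policy handed to the GitLab runners so they can fetch a GCP access
  # token for the binary cache.  A "read" on the roleset's `/token` endpoint is
  # what makes Vault mint a fresh GCP OAuth token, so this capability is
  # effectively "obtain bucket-writing credentials" and should only be attached
  # to app roles that really deploy to the cache.
  #
  # `''${` inside a Nix indented string yields a literal `${`, so the two
  # references below are left for Terraform to interpolate (they point at the
  # roleset resource declared further down), not resolved by Nix.
  #
  # The policy is defined once and shared so the two runner hosts cannot drift
  # apart (the original file carried two identical copies).
  binaryCacheDeployerPolicy = ''
    path "''${vault_gcp_secret_roleset.binary_cache_deployer.backend}/roleset/''${vault_gcp_secret_roleset.binary_cache_deployer.roleset}/token" {
      capabilities = ["read"]
    }
  '';
in
{
  # Vault GCP secrets-engine roleset that issues short-lived OAuth access
  # tokens (secret_type = "access_token") for uploading to the Nix binary
  # cache bucket.
  resource.vault_gcp_secret_roleset.binary_cache_deployer = {
    # `\${` keeps the `${…}` literal in the generated Terraform config so
    # Terraform resolves the mount path of the GCP backend.
    backend = "\${vault_gcp_secret_backend.gcp.path}";
    roleset = "binary-cache-deployer";
    project = "lukegb-nix";
    secret_type = "access_token";
    # OAuth scope on the issued token; this caps what the token can do
    # regardless of the IAM role bound below.
    token_scopes = [
      "https://www.googleapis.com/auth/devstorage.read_write"
    ];
    binding = [{
      resource = "buckets/lukegb-nix-cache";
      # NOTE(review): objectAdmin also permits deleting objects in the cache.
      # If the deployer only ever needs to list and upload, a narrower object
      # role would shrink the blast radius of a leaked token — TODO confirm
      # which object permissions the cache upload actually requires.
      roles = ["roles/storage.objectAdmin"];
    }];
  };

  # Both runner hosts get the identical deployer policy.
  my.servers.cofractal-ams01.appPolicies.gitlab-runner = binaryCacheDeployerPolicy;
  my.servers.clouvider-lon01.appPolicies.gitlab-runner = binaryCacheDeployerPolicy;
}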