# Vault configuration for the depot: Terraform (terranix-style) settings plus
# the app / server wiring that the imported modules turn into Vault policies
# and roles. `lib` and `config` are accepted for module-system compatibility
# but not used in this file.
{ lib, config, ... }:

{
  # Per-concern modules. The `my.*` options used further down are assumed to be
  # declared by these (policies-app.nix / servers.nix look like the candidates).
  imports = [
    ./policies-raw.nix
    ./policies-app.nix

    ./authbackend-approle.nix
    ./authbackend-oidc.nix

    ./ssh-ca-client.nix
    ./ssh-ca-server.nix

    ./servers.nix

    ./acme-ca.nix
  ];

  terraform = {
    # Remote state in GCS.
    # NOTE(review): the vault_generic_secret data source below copies the secret
    # it reads into Terraform state, and Terraform does not encrypt state
    # itself. Read access to this bucket/prefix is therefore equivalent to read
    # access to kv/misc-input; keep the bucket IAM correspondingly tight.
    backend.gcs = {
      bucket = "lukegb-terraform-state";
      prefix = "depot/vault";
    };

    # Exact pin so the provider cannot drift between applies.
    required_providers.vault = {
      source = "hashicorp/vault";
      version = "3.3.1";
    };
  };

  # TLS-only address; no skip_tls_verify and no credentials are set here, so
  # the provider has to pick up its token from the environment of whoever runs
  # terraform.
  provider.vault.address = "https://vault.int.lukegb.com";

  # Secret material read at plan/apply time (see the state caveat above).
  data.vault_generic_secret.misc.path = "kv/misc-input";

  my = {
    apps = {
      # Default app settings, no extra policy.
      pomerium = {};

      # Certificate renewal for the Raritan device.
      # NOTE(review): "create" only matches writes to paths that do not exist
      # yet; if the acme backend treats re-issuance at an existing path as an
      # update, "update" must be granted as well — confirm against acme-ca.nix.
      # The `*` wildcard covers every path under acme/certs/, so any scoping of
      # which names may be issued has to come from the backend, not this policy.
      sslrenew-raritan.policy = ''
        # sslrenew-raritan is permitted to issue certificates.
        path "acme/certs/*" {
          capabilities = ["create"]
        }
      '';

      # Deployer only needs the nix-daemon secret. Paths are the KV v2 shape:
      # data/ yields the current secret version, metadata/ only version info.
      deployer.policy = ''
        # Allow reading nix-daemon secrets
        path "kv/data/apps/nix-daemon" {
          capabilities = ["read"]
        }
        path "kv/metadata/apps/nix-daemon" {
          capabilities = ["read"]
        }
      '';
    };

    # Which app identities each server may assume. Keep this list minimal: a
    # server gets every policy of every app listed for it.
    servers = {
      etheroute-lon01.apps = [ "pomerium" ];
      totoro.apps = [ "sslrenew-raritan" ];
    };
  };
}