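# Nix module describing the Terraform configuration for the Vault instance at
# vault.int.lukegb.com: state backend, provider pin, one KV data source, and
# the app/server bindings declared through the `my.*` options.
# NOTE(review): the `my.apps` / `my.servers` options are not defined here;
# presumably they come from the imported policies-app.nix and servers.nix.
{ lib, config, ... }:
{
  imports = [
    ./policies-raw.nix
    ./policies-app.nix
    ./authbackend-approle.nix
    ./authbackend-oidc.nix
    ./ssh-ca-client.nix
    ./ssh-ca-server.nix
    ./servers.nix
    ./acme-ca.nix
  ];

  terraform = {
    # Remote state lives in GCS. Terraform state can hold secret material
    # (see the data source below), so access to this bucket/prefix should be
    # limited to the identities that actually run this configuration.
    backend.gcs = {
      bucket = "lukegb-terraform-state";
      prefix = "depot/vault";
    };

    # Exact version pin: provider upgrades are an explicit change to this file.
    required_providers.vault = {
      source = "hashicorp/vault";
      version = "3.3.1";
    };
  };

  # Only the address is configured; no token appears in this file, so the
  # credential has to be supplied from outside it.
  # NOTE(review): presumably via VAULT_TOKEN or a token helper; confirm.
  provider.vault = {
    address = "https://vault.int.lukegb.com";
  };

  # Reads the KV entry at kv/misc-input. Values fetched by a Terraform data
  # source are recorded in state and plan output in cleartext, so anything
  # stored under this path ends up in the GCS state bucket as well.
  data.vault_generic_secret.misc = {
    path = "kv/misc-input";
  };

  # pomerium is declared with no attributes set here.
  # NOTE(review): what an empty app definition grants depends on the defaults
  # in the module that declares `my.apps`; verify there.
  my.apps.pomerium = {};
  my.servers.etheroute-lon01.apps = [ "pomerium" ];

  my.apps.sslrenew-raritan = {
    # The policy text is HCL. Its `#` comment runs to the end of the line, so
    # it must stay on a line of its own; if it shares a line with the path
    # stanza, the whole policy becomes a comment and grants nothing.
    #
    # NOTE(review): "acme/certs/*" allows `create` on every path below
    # acme/certs/. If this app only renews certificates for a fixed set of
    # names, consider listing those paths instead of the wildcard; check how
    # acme-ca.nix maps paths to certificate names before narrowing.
    policy = ''
      # sslrenew-raritan is permitted to issue certificates.
      path "acme/certs/*" {
        capabilities = ["create"]
      }
    '';
  };
  my.servers.totoro.apps = [ "sslrenew-raritan" ];
}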