# Root module of the Vault Terraform configuration: pulls in the policy,
# auth-backend, SSH CA, server and ACME CA modules, then sets the state
# backend, the Vault provider and the top-level data source.
{ lib, config, ... }:

{
  # Import order is kept as-is; the files are grouped by concern.
  imports = [
    # Policies
    ./policies-raw.nix
    ./policies-app.nix

    # Auth backends
    ./authbackend-approle.nix
    ./authbackend-oidc.nix

    # SSH certificate authorities
    ./ssh-ca-client.nix
    ./ssh-ca-server.nix

    # Server definitions
    ./servers.nix

    # ACME certificate authority
    ./acme-ca.nix
  ];

  # Remote state is kept in a GCS bucket under the "depot/vault" prefix.
  # NOTE(review): Terraform state for the Vault provider can contain secret
  # material (data sources such as vault_generic_secret persist what they
  # read), so access to this bucket should be at least as restricted as
  # access to the Vault paths managed here. Confirm the bucket's IAM.
  terraform.backend.gcs.bucket = "lukegb-terraform-state";
  terraform.backend.gcs.prefix = "depot/vault";

  # The provider is pinned to one exact release, so upgrades are explicit edits.
  terraform.required_providers.vault.source = "hashicorp/vault";
  terraform.required_providers.vault.version = "3.3.1";

  # Only the address is configured; no credentials are set in this file.
  # Presumably the token comes from the environment (e.g. VAULT_TOKEN);
  # verify how the runner authenticates.
  provider.vault.address = "https://vault.int.lukegb.com";

  # Reads the KV entry at kv/misc-input so other resources can reference it.
  # NOTE(review): whatever is stored at this path ends up in the state above.
  data.vault_generic_secret.misc.path = "kv/misc-input";

  # Declares the "pomerium" app and attaches it to the etheroute-lon01 server.
  # The my.* options are not defined in this file (presumably in the imported
  # modules), so what access this grants is decided there.
  my = {
    apps.pomerium = {};
    servers.etheroute-lon01.apps = [ "pomerium" ];
  };
}