{ ... }:

{
  resource.vault_mount.ssh-client = {
    type = "ssh";
    path = "ssh-client";
  };

  resource.vault_ssh_secret_backend_ca.ssh-client = {
    backend = "\${vault_mount.ssh-client.path}";
  };

  resource.vault_ssh_secret_backend_role.ssh-client_user = {
    name = "user";
    backend = "\${vault_mount.ssh-client.path}";
    key_type = "ca";
    allow_user_certificates = true;
    allowed_users_template = true;
    allowed_users = "{{identity.entity.name}}";
    allowed_extensions = "permit-agent-forwarding,permit-port-forwarding,permit-pty,permit-user-rc,permit-X11-forwarding";
    ttl = 24 * 60 * 60;
    max_ttl = 24 * 60 * 60;
    default_extensions = {
      permit-agent-forwarding = "";
      permit-port-forwarding = "";
      permit-pty = "";
      permit-user-rc = "";
      permit-X11-forwarding = "";
    };
  };
}