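# Declares `my.authBackend.<name>` and renders every entry as one terraform
# Vault auth-method resource (default `vault_auth_backend`) under `resource`,
# each carrying a single `tune` block built from the `tune` sub-options.
{ config, lib, ... }:

let
  inherit (lib) types mkOption mapAttrsToList mkMerge;

  # `opt t d desc` is shorthand for an option of type `t`, default `d`, with a
  # description so the options show up in generated module documentation.
  opt = t: d: description: mkOption { type = t; default = d; inherit description; };
in {
  options = {
    my.authBackend = mkOption {
      default = {};
      description = ''
        Vault auth methods to manage, keyed by attribute name. The key is the
        default for both `type` and `path`, so `my.authBackend.approle = {}`
        declares an `approle` method mounted at `approle`.
      '';
      type = types.attrsOf (types.submodule ({ name, ... }: {
        options = {
          type = opt types.str name
            "Auth method type; defaults to the attribute name.";
          path = opt types.str name
            "Mount path of the auth method; defaults to the attribute name.";
          resourceType = opt types.str "vault_auth_backend"
            "Terraform resource type the entry is rendered as.";

          # Mirrors the fields of the resource's `tune` block. `null` / `[]`
          # means "do not set"; presumably terranix drops null attributes from
          # the rendered JSON so Vault's own defaults apply — confirm.
          tune = {
            default_lease_ttl = opt (with types; nullOr str) null
              "Default lease TTL for tokens issued by this method (unset if null).";
            max_lease_ttl = opt (with types; nullOr str) null
              "Maximum lease TTL for tokens issued by this method (unset if null).";
            audit_non_hmac_response_keys = opt (with types; listOf str) []
              "Response data keys that are not HMAC'd in the audit log.";
            audit_non_hmac_request_keys = opt (with types; listOf str) []
              "Request data keys that are not HMAC'd in the audit log.";
            # NOTE(review): "unauth" exposes this mount on Vault's
            # unauthenticated UI mounts listing; Vault itself treats an unset
            # value as "hidden". Keep "unauth" only where pre-login discovery
            # of the method (e.g. an SSO login button) is intended.
            listing_visibility = opt (types.enum [ "unauth" "hidden" ]) "unauth"
              "Whether the mount is shown on the unauthenticated UI listing.";
            passthrough_request_headers = opt (with types; listOf str) []
              "Request headers passed through to the auth method.";
            allowed_response_headers = opt (with types; listOf str) []
              "Response headers the auth method is allowed to set.";
            token_type = opt (types.enum [ "default-service" "default-batch" "service" "batch" ]) "default-service"
              "Token type issued by this mount.";
          };
        };
      }));
    };
  };

  config = {
    # One definition per backend; mkMerge lets several backends (even with
    # different `resourceType`s) coexist under the single `resource` option.
    resource = mkMerge (mapAttrsToList (name: cfg: {
      ${cfg.resourceType}.${name} = {
        inherit (cfg) type path;
        # A single `tune` block, expressed as a one-element list (block syntax).
        tune = [cfg.tune];
      };
    }) config.my.authBackend);
  };
}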