depot/ops/vault/cfg/policies-app.nix
Luke Granger-Brown 7592e76a31 tokend: init
tokend is responsible for issuing service-scoped tokens based on the token held
and generated by the Vault Agent.

It can also generate "server-user" scoped tokens, which exist for convenience's
sake: they are not a strong attestation of the user on the machine, and have
limited privileges compared to a Vault token issued using e.g. `vault login
-method=oidc`.
2022-03-20 17:47:52 +00:00


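{ lib, config, ... }:
# Declares `my.apps.<name>` and turns every entry into one `vault_policy`
# resource named "app/<name>". Each policy always starts with a read-only
# grant on the app's own KV secret (data and metadata); further rules can be
# appended through `my.apps.<name>.policy`.
let
  inherit (lib) mkOption types mkMerge mapAttrsToList mkBefore;
in {
  options.my.apps = mkOption {
    type = types.attrsOf (types.submodule ({ name, ... }: {
      options = {
        resourceName = mkOption {
          type = types.str;
          # Attribute key of the generated `vault_policy` resource.
          default = "app_${name}";
          internal = true;
          description = "Resource name used for the generated vault_policy.";
        };
        policy = mkOption {
          type = types.lines;
          description = ''
            Vault policy (HCL) for this app. The read-only grant on the app's
            own KV path is always prepended; put additional rules here.
          '';
        };
      };
      config = {
        # mkBefore keeps this baseline grant ahead of any user-supplied rules.
        # `name` is interpolated verbatim into the policy path. It comes from
        # trusted configuration, but Vault treats `*` and `+` in a policy path
        # as wildcards, so an app name containing them would widen the grant.
        policy = mkBefore ''
          path "kv/data/apps/${name}" {
            capabilities = ["read"]
          }
          path "kv/metadata/apps/${name}" {
            capabilities = ["read"]
          }
        '';
      };
    }));
    # Without a default, evaluating `config.resource` below fails whenever no
    # app is declared ("option used but not defined").
    default = { };
    description = "Apps that receive a Vault policy granting read access to their own KV secret.";
  };

  # One vault_policy resource per declared app; mkMerge folds the per-app
  # attribute sets into a single `resource` definition.
  config.resource = mkMerge (mapAttrsToList (appName: appCfg: {
    vault_policy.${appCfg.resourceName} = {
      name = "app/${appName}";
      policy = appCfg.policy;
    };
  }) config.my.apps);
}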