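# terranix module wiring the Vault / Consul / Nomad control plane for the
# "do-1" cluster (and the "toothpick" host).
#
# Module arguments are the usual terranix ones: `config` is the evaluated
# Terraform config, `tflib.tf` wraps a Terraform reference so the generated
# JSON contains "${...}" and Terraform can track the dependency, `lib` is
# nixpkgs lib.
#
# Security notes, in one place:
#  * Only Vault is reached over TLS; the Consul, Nomad and InfluxDB providers
#    and the Consul state backend speak plain HTTP to 10.64.2.1 / the
#    in.redalder.org hosts. Every token issued below crosses that segment in
#    clear text — acceptable only if that network is trusted end to end.
#  * Terraform state (terraform/dotfiles in Consul KV) will contain every
#    secret this module creates: both gossip encryption keys, the Consul
#    global-management secret ID and the anonymous token secret ID. Read access
#    to that KV prefix is equivalent to cluster admin.
{ config, tflib, lib, ... }:
let
  # Vault KV paths the toothpick host expects its Consul / Nomad secrets under.
  # Not referenced anywhere in this module (let-bindings do not reach the
  # imported modules); kept as documentation of the layout.
  paths.toothpick.consul = {
    encryption_key = "do-1/toothpick/consul/encryption_key";
    agent_token = "do-1/toothpick/consul/agent_token";
    anonymous_token = "do-1/toothpick/consul/anonymous_token";
    replication_token = "do-1/toothpick/consul/replication_token";
  };
  paths.toothpick.nomad = {
    encryption_key = "do-1/toothpick/nomad/encryption_key";
    vault_token = "do-1/toothpick/nomad/vault_token";
    consul_token = "do-1/toothpick/nomad/consul_token";
    replication_token = "do-1/toothpick/nomad/replication_token";
  };

  inherit (tflib) tf;
  inherit (lib) singleton;
in
{
  # Provider endpoints. Vault is TLS; the rest are plain HTTP (see header).
  provider.vault.address = "https://vault.in.redalder.org:8200";
  provider.consul.address = "http://10.64.2.1:8500";
  provider.nomad.address = "http://10.64.2.1:4646";
  provider.influxdb-v2.url = "http://influx.in.redalder.org";

  imports = [
    ./modules/push_approles.nix
    ./modules/consul_agent.nix
    ./modules/nomad_server.nix
    ./pki.nix
    ./blowhole.nix
    ./toothpick.nix
  ];

  # Remote state in Consul KV. No `access_token` is set here; with Consul ACLs
  # enabled (this module manages ACL tokens) the backend presumably relies on
  # CONSUL_HTTP_TOKEN in the environment — confirm, otherwise state writes will
  # fail under the anonymous policy below, which is read-only on services/nodes.
  terraform.backend.consul = {
    address = "10.64.2.1:8500";
    scheme = "http";
    path = "terraform/dotfiles";
  };

  terraform.required_providers.influxdb-v2.source = "MagicRB/influxdb-v2";

  # AppRole auth method. `listing_visibility = "unauth"` advertises this mount
  # to unauthenticated callers of sys/internal/ui/mounts (needed for the UI
  # login drop-down); it does not grant access by itself. The remaining tune
  # fields are pinned to null so Terraform does not fight the server defaults.
  resource.vault_auth_backend.approle = {
    type = "approle";
    tune = singleton {
      max_lease_ttl = "90000s";
      listing_visibility = "unauth";
      allowed_response_headers = null;
      audit_non_hmac_request_keys = null;
      audit_non_hmac_response_keys = null;
      default_lease_ttl = null;
      passthrough_request_headers = null;
      token_type = null;
    };
  };

  # KV v2 secrets engine at kv/.
  resource.vault_mount.kv = {
    path = "kv";
    type = "kv";
    options.version = "2";
    description = "KV Version 2 secret engine mount";
  };

  resource.vault_kv_secret_backend_v2.config = {
    # Reference the mount through Terraform rather than
    # `config.resource.vault_mount.kv.path`: the Nix reference inlines the
    # literal "kv" and leaves Terraform free to configure the backend before
    # the mount exists on a fresh apply. `${vault_mount.kv.path}` creates the
    # dependency edge.
    mount = tf "vault_mount.kv.path";
    max_versions = 5;
  };

  # Consul token Vault uses to mint per-consumer Consul tokens. It carries the
  # built-in global-management policy, i.e. full Consul admin; its secret ID is
  # read back below and therefore lands in Terraform state in clear text.
  resource.consul_acl_token.vault_management_token = {
    description = "Vault management token";
    policies = [ "global-management" ];
    local = false;
  };

  # NOTE(review): the consul provider's secret_id data source accepts a
  # `pgp_key` and returns `encrypted_secret_id` instead — worth using if the
  # state store cannot be trusted with the plaintext.
  data.consul_acl_token_secret_id.vault_management_token = {
    accessor_id = tf "consul_acl_token.vault_management_token.id";
  };

  # Vault's Consul secrets engine, bootstrapped with the management token above.
  # `address` has no scheme, so the engine uses its default (http).
  resource.vault_consul_secret_backend.consul = {
    path = "consul";
    description = "Manages the Consul backend";
    address = "10.64.2.1:8500";
    token = tf "data.consul_acl_token_secret_id.vault_management_token.secret_id";
  };

  # Token role for the Nomad servers (standard Nomad <-> Vault integration):
  # orphan, periodic (72h period, renewable), with no explicit max TTL so the
  # token lives as long as Nomad keeps renewing it. Nomad is explicitly barred
  # from handing the "nomad-server" policy to jobs.
  resource.vault_token_auth_backend_role.nomad_cluster = {
    role_name = "nomad-cluster";
    disallowed_policies = [ "nomad-server" ];
    orphan = true;
    token_period = "259200";
    renewable = true;
    token_explicit_max_ttl = "0";
  };

  # Gossip encryption keys, 32 random bytes each. They are generated by
  # Terraform and so persist in state (see header).
  resource.random_id.nomad_encryption_key.byte_length = 32;
  resource.random_id.homelab-1_consul_encryption_key.byte_length = 32;
  resource.random_id.do-1_consul_encryption_key.byte_length = 32;

  # Policy for unauthenticated Consul clients: read on every service and node
  # (what DNS / catalog discovery needs), nothing else.
  resource.consul_acl_policy.anonymous = {
    name = "consul-anonymous";
    rules = ''
      service_prefix "" { policy = "read" }
      node_prefix "" { policy = "read" }
    '';
  };

  resource.consul_acl_token.anonymous = {
    description = "Consul anonymous token";
    # Terraform reference (not `config.resource.consul_acl_policy.anonymous.name`)
    # so the token is created after the policy exists; the Nix reference would
    # inline "consul-anonymous" with no dependency edge and can fail on first
    # apply with a "policy not found" error.
    policies = [ (tf "consul_acl_policy.anonymous.name") ];
    local = false;
  };

  data.consul_acl_token_secret_id.anonymous = {
    accessor_id = tf "consul_acl_token.anonymous.id";
  };
}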