{
  config,
  inputs',
  lib,
  config',
  pkgs,
  ...
}: let
  inherit
    (lib)
    singleton
    ;
in {
  imports = [inputs'.uterranix.nixosModules.default];

  uterranix.configurations.main = {
    config,
    uterranix-lib,
    ...
  }: let
    inherit
      (uterranix-lib)
      tf
      ;
  in {
    # terraform.required_providers =
    #   config'.flake.uterranix.config.${pkgs.stdenv.system}.terraform.required_providers;

    imports = config'.uterranix.modules;

    resource."vault_consul_secret_backend_role"."envoy-grafana" = {
      name = "envoy-grafana";

      backend = "consul";

      service_identities = [
        "grafana"
        "influx"
        "telegraf"
      ];

      node_identities = singleton "blowhole:homelab-1";
    };

    resource."consul_acl_policy"."envoy-blowhole" = {
      name = "envoy-blowhole";
      datacenters = singleton "homelab-1";

      rules = ''
        mesh = "write"
      '';
    };

    resource."vault_consul_secret_backend_role"."envoy-blowhole" = {
      name = "envoy-blowhole";
      backend = "consul";

      consul_policies = singleton (tf "consul_acl_policy.envoy-blowhole.name");

      service_identities = singleton "telegraf-blowhole";

      node_identities = [
        "blowhole:homelab-1"
      ];
    };

    resource."vault_consul_secret_backend_role"."envoy-klipper" = {
      name = "envoy-klipper";

      backend = "consul";

      service_identities = singleton "mainsail";

      node_identities = singleton "blowhole:homelab-1";
    };
  };
}