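# NixOS module: run Vault Agent with AppRole auto-auth and render one secret
# (an ed25519 private key for the camera host) from KV into /run/secrets.
# `config` and `tf` are accepted by the module signature but not referenced here.
{ pkgs, lib, config, tf, ... }:
{
  # RuntimeDirectory=secrets makes systemd create /run/secrets for this unit;
  # the token sink and the template destination below rely on that directory.
  systemd.services.hashicorp-vault-agent = {
    serviceConfig = {
      RuntimeDirectory = "secrets";
    };
  };

  services.hashicorp.vault-agent = {
    enable = true;
    package = pkgs.vault;
    command = "agent";
    # Tools put on the agent's PATH for the template `command` scripts.
    extraPackages = with pkgs; [ sudo getent ];

    settings = {
      vault = {
        address = "https://vault.in.redalder.org:8200";
        retry = { num_retries = 5; };
      };

      auto_auth = {
        method = lib.singleton {
          "approle" = {
            mount_path = "auth/approle";
            config = {
              role_id_file_path = "/var/secrets/approle.roleid";
              secret_id_file_path = "/var/secrets/approle.secretid";
              # The secret_id is left on disk across restarts.  That only holds
              # up if the AppRole secret_id is reusable and /var/secrets is
              # root-only; neither is visible from this file — verify.
              remove_secret_id_file_after_reading = false;
            };
          };
        };
        sink = [
          {
            type = "file";
            # NOTE(review): no explicit `mode` is given for the token sink, so the
            # agent's default file mode applies — confirm the token file is not
            # group- or world-readable on this host.
            config = { path = "/run/secrets/vault-token"; };
          }
        ];
      };

      template = [
        {
          source = pkgs.writeText "id_ed_camera" ''
            {{ with secret "kv/data/homelab-1/blowhole/id_ed_camera" }}{{ .Data.data.private }}{{ end }}
          '';
          destination = "/run/secrets/id_ed_camera";
          # Create the rendered key with 0600 from the start.  Without `perms`
          # the agent writes the file with its default (non-restrictive) mode and
          # only the post-render command below tightens it, leaving a window in
          # which the private key could be read by other local users.
          perms = "0600";
          # Kept as a belt-and-braces step; `perms` above already restricts the
          # mode, this additionally fixes ownership after each render.
          command = pkgs.writeShellScript "id_ed_camera-command" ''
            export PATH=${pkgs.util-linux}/bin:$PATH
            chown root:root /run/secrets/id_ed_camera
            chmod 600 /run/secrets/id_ed_camera
          '';
        }
      ];
    };
  };
}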