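# Terranix module: for every entry of `prefab.pushApproles` create a Vault
# AppRole named after the host, issue a secret-id for it, and push the
# role-id / secret-id pair to the machine over SSH with a `remote-exec`
# provisioner.
{ config, pkgs, lib, tflib, ... }:
let
  cfg = config.prefab.pushApproles;
  inherit (lib) mkOption mdDoc types mapAttrsToList mkMerge flip optionalAttrs;
  inherit (tflib) tf;

  # Only the option type of the JSON format is used, so `metadata` accepts any
  # JSON-serialisable value.
  metadataType = pkgs.formats.json { };

  submoduleOptions = {
    policies = mkOption {
      description = mdDoc ''
        Vault policies added to the approle generated.
      '';
      type = with types; listOf str;
      default = [ ];
    };

    host = mkOption {
      description = mdDoc ''
        The address of the machine, either IP address, domain name or any other
        identificator accepted by `ssh`.
      '';
      type = types.str;
    };

    user = mkOption {
      description = mdDoc ''
        The user to connect as. The user must be able to write to
        `/var/secrets` on the machine: the role-id and secret-id are written
        there by the `remote-exec` provisioner, and the directory is expected
        to exist already.
      '';
      type = types.str;
    };

    hostKey = mkOption {
      description = mdDoc ''
        Public key of the remote host (or of its signing CA), passed to the
        Terraform SSH connection as `host_key` so the host is verified before
        the secret-id is sent to it. When unset, Terraform does not verify the
        host key of the machine.
      '';
      type = with types; nullOr str;
      default = null;
    };

    metadata = mdDocMetadata;

    approlePath = mkOption {
      description = mdDoc ''
        Mount path of the Vault AppRole auth backend the role is created in
        (the `backend` argument of the `vault_approle_auth_backend_role*`
        resources).
      '';
      type = types.str;
    };
  };

  # Kept separate only to keep `submoduleOptions` readable.
  mdDocMetadata = mkOption {
    description = mdDoc ''
      Arbitrary JSON metadata attached to the issued secret-id
      (`vault_approle_auth_backend_role_secret_id.metadata`).
    '';
    type = metadataType.type;
    default = { };
  };

  # Terraform resource addresses shared by the resource and data blocks.
  roleAddr = hostname: "vault_approle_auth_backend_role.system-${hostname}";
  secretIdAddr = hostname: "vault_approle_auth_backend_role_secret_id.system-${hostname}";
  roleIdAddr = hostname: "data.vault_approle_auth_backend_role_id.system-${hostname}";
in
{
  options.prefab.pushApproles = mkOption {
    description = mdDoc ''
      Machines, keyed by hostname, that receive a Vault AppRole named after
      the hostname together with a freshly issued secret-id. The role-id is
      written to `/var/secrets/approle.roleid` and the secret-id to
      `/var/secrets/approle.secretid` on the machine.
    '';
    type = with types; attrsOf (submodule { options = submoduleOptions; });
    default = { };
  };

  config.resource = mkMerge (flip mapAttrsToList cfg (hostname: value: {
    # The AppRole itself; `role_name` is the hostname.
    "vault_approle_auth_backend_role"."system-${hostname}" = {
      backend = value.approlePath;
      role_name = hostname;
      token_policies = value.policies;
    };

    # A secret-id for the role, carrying the user-supplied metadata.
    "vault_approle_auth_backend_role_secret_id"."system-${hostname}" = {
      backend = value.approlePath;
      role_name = tf "${roleAddr hostname}.role_name";
      metadata = builtins.toJSON value.metadata;
    };

    # Pushes both ids to the machine. The triggers make the provisioner run
    # again whenever a new secret-id or role-id is issued.
    "null_resource"."approles-${hostname}" = {
      triggers = {
        secret_id = tf "${secretIdAddr hostname}.secret_id";
        role_id = tf "${roleIdAddr hostname}.role_id";
      };

      connection =
        { inherit (value) host user; }
        # `host_key` is only set when configured, so existing configurations
        # keep their previous (unverified) behaviour.
        // optionalAttrs (value.hostKey != null) { host_key = value.hostKey; };

      provisioner = {
        "remote-exec" = {
          # `\${...}` is a literal `${` for Terraform, `${hostname}` is Nix.
          # Each file is written under `umask 077` in a subshell so it is only
          # readable by the connecting user, whatever the remote default umask
          # is. `nonsensitive` strips Terraform's sensitive marking from the
          # secret-id so it can be interpolated here; treat apply logs as
          # potentially containing the value.
          inline = [
            "(umask 077; echo \${nonsensitive(${secretIdAddr hostname}.secret_id)} > /var/secrets/approle.secretid)"
            "(umask 077; echo \${${roleIdAddr hostname}.role_id} > /var/secrets/approle.roleid)"
          ];
        };
      };
    };
  }));

  # Looks up the role-id of each created role; the id is read back from Vault
  # rather than derived locally.
  config.data = mkMerge (flip mapAttrsToList cfg (hostname: value: {
    "vault_approle_auth_backend_role_id"."system-${hostname}" = {
      backend = value.approlePath;
      role_name = tf "${roleAddr hostname}.role_name";
    };
  }));
}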