dotfiles/nixos/systems/blowhole/uterranix.nix
Magic_RB 8b5c787b8a
Move klipper into NixOS container
Signed-off-by: Magic_RB <magic_rb@redalder.org>
2023-04-03 17:45:14 +02:00


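# NixOS module that feeds Terraform resources to the uterranix module:
# one Consul ACL policy and three Vault Consul-secrets-backend roles used to
# mint Consul tokens for Envoy sidecars (judging by the `envoy-*` names).
#
# Arguments:
#   inputs  - flake inputs; supplies the uterranix NixOS module.
#   config' - flake-level config; supplies the shared provider set and the
#             shared uterranix modules.
#   pkgs    - used only to select the current system's uterranix config.
{ config, inputs, lib, config', pkgs, ... }:
{
  imports = [ inputs.uterranix.nixosModules.default ];

  uterranix.config = { config, tflib, ... }:
    let
      # `tf` wraps a Terraform reference so it is emitted as an interpolation
      # rather than a literal string (presumably; defined in tflib).
      inherit (tflib) tf;
    in
    {
      # Reuse the required_providers declared in the flake-level uterranix
      # config for this system. A leftover `builtins.break` debugger hook
      # around this lookup was removed: it is a no-op outside `--debugger`
      # mode but drops any debug-mode evaluation into a REPL at this point.
      terraform.required_providers =
        config'.flake.uterranix.config.${pkgs.stdenv.system}.terraform.required_providers;

      imports = config'.uterranix.modules;

      # Vault role on the "consul" secrets backend. Tokens issued from it
      # carry all three service identities below plus the node identity.
      # NOTE(review): one role covering grafana, influx and telegraf means a
      # single leaked token can act as any of the three services; consider a
      # role per service if they do not need to share a credential.
      resource."vault_consul_secret_backend_role"."envoy-grafana" = {
        name = "envoy-grafana";
        backend = "consul";
        service_identities = [
          "grafana"
          "influx"
          "telegraf"
        ];
        # Node identity in "<node>:<datacenter>" form.
        node_identities = [
          "blowhole:homelab-1"
        ];
      };

      # Consul ACL policy, valid only in the homelab-1 datacenter.
      # NOTE(review): `mesh = "write"` grants write access to Consul's
      # mesh-wide resources, which is broader than a per-service sidecar
      # usually needs; confirm `read` is not sufficient for this consumer.
      resource."consul_acl_policy"."envoy-blowhole" = {
        name = "envoy-blowhole";
        datacenters = [ "homelab-1" ];
        rules = ''
          mesh = "write"
        '';
      };

      # Vault role whose tokens carry the mesh-write policy above in addition
      # to the telegraf-blowhole service identity and the node identity.
      resource."vault_consul_secret_backend_role"."envoy-blowhole" = {
        name = "envoy-blowhole";
        backend = "consul";
        consul_policies = [
          # Terraform reference, so the role depends on the policy resource.
          (tf "consul_acl_policy.envoy-blowhole.name")
        ];
        service_identities = [
          "telegraf-blowhole"
        ];
        node_identities = [
          "blowhole:homelab-1"
        ];
      };

      # Vault role for the klipper container's sidecar; tokens carry only the
      # mainsail service identity and the node identity.
      resource."vault_consul_secret_backend_role"."envoy-klipper" = {
        name = "envoy-klipper";
        backend = "consul";
        service_identities = [
          "mainsail"
        ];
        node_identities = [
          "blowhole:homelab-1"
        ];
      };
    };
}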