{ khscodesLib, ... }:
{ lib, config, ... }:
let
  cfg = config.khscodes.openbao;
in
{
  options.khscodes.openbao = {
    vault_ssh_secret_backend_ca = lib.mkOption {
      type = lib.types.attrsOf (
        khscodesLib.mkSubmodule {
          options = {
            backend = lib.mkOption {
              type = lib.types.str;
              description = "Path of the backend mount";
            };
            generate_signing_key = lib.mkOption {
              type = lib.types.bool;
              description = "Generate a signing key on the server";
            };
            key_type = lib.mkOption {
              type = lib.types.str;
              description = "The type of the signing key to use/generate";
            };
          };
          description = "vault_ssh_secret_backend_ca";
        }
      );
    };
  };
  config = lib.mkIf cfg.enable {
    provider.vault = {
      address = "https://auth.kaareskovgaard.net";
    };
    terraform.required_providers.vault = {
      source = "hashicorp/vault";
      version = "5.0.0";
    };
    resource.vault_ssh_secret_backend_ca = lib.mapAttrs' (
      name: value: {
        name = khscodesLib.sanitize-terraform-name name;
        value = value;
      }
    );
  };
}