machines/nix/systems/aarch64-linux/security.kaareskovgaard.net/post/openbao/loki-mtls.nix

# This should go into the setup of the vault server itself, as the vault server also needs stuff that depends on this.
{
  khscodes.infrastructure.vault-loki-sender = {
    terranixBackendName = "\${ vault_mount.loki-mtls.path }";
  };
  khscodes.infrastructure.provisioning.post.modules = [
    (
      { config, ... }:
      {
        khscodes.vault.enable = true;
        khscodes.vault.mount.loki-mtls = {
          type = "pki";
          path = "loki-mtls";
          max_lease_ttl_seconds = 10 * 365 * 24 * 60 * 60;
          default_lease_ttl_seconds = 60 * 60;
        };
        khscodes.vault.pki_secret_backend_root_cert.loki-mtls = {
          backend = config.khscodes.vault.output.mount.loki-mtls.path;
          type = "internal";
          common_name = "loki.kaareskovgaard.net";
          issuer_name = "loki-mtls-root-ca";
        };
      }
    )
  ];
}