# Enable AppRole auth backend
resource "vault_auth_backend" "approle" {
  type = "approle"
  path = "approle"
}

# Define host access policies
locals {
  host_policies = {
    # Example: monitoring01 host
    # "monitoring01" = {
    #   paths = [
    #     "secret/data/hosts/monitoring01/*",
    #     "secret/data/services/prometheus/*",
    #     "secret/data/services/grafana/*",
    #     "secret/data/shared/smtp/*"
    #   ]
    # }

    # Example: ha1 host
    # "ha1" = {
    #   paths = [
    #     "secret/data/hosts/ha1/*",
    #     "secret/data/shared/mqtt/*"
    #   ]
    # }

    "ha1" = {
      paths = [
        "secret/data/hosts/ha1/*",
        "secret/data/shared/backup/*",
      ]
    }

    "monitoring01" = {
      paths = [
        "secret/data/hosts/monitoring01/*",
        "secret/data/shared/backup/*",
        "secret/data/shared/nats/*",
      ]
    }

    # Wave 1: hosts with no service secrets (only need vault.enable for future use)
    "nats1" = {
      paths = [
        "secret/data/hosts/nats1/*",
      ]
    }

    "jelly01" = {
      paths = [
        "secret/data/hosts/jelly01/*",
      ]
    }

    "pgdb1" = {
      paths = [
        "secret/data/hosts/pgdb1/*",
      ]
    }

    # Wave 3: DNS servers
    "ns1" = {
      paths = [
        "secret/data/hosts/ns1/*",
        "secret/data/shared/dns/*",
      ]
    }

    "ns2" = {
      paths = [
        "secret/data/hosts/ns2/*",
        "secret/data/shared/dns/*",
      ]
    }

    # Wave 4: http-proxy
    "http-proxy" = {
      paths = [
        "secret/data/hosts/http-proxy/*",
      ]
    }

    # Wave 5: nix-cache01
    "nix-cache01" = {
      paths = [
        "secret/data/hosts/nix-cache01/*",
      ]
    }
  }
}

# Generate policies for each host
resource "vault_policy" "host_policies" {
  for_each = local.host_policies

  name = "${each.key}-policy"

  policy = <<EOT
%{~for path in each.value.paths~}
path "${path}" {
  capabilities = ["read", "list"]
}
%{~endfor~}
EOT
}

# Generate AppRoles for each host
resource "vault_approle_auth_backend_role" "hosts" {
  for_each = local.host_policies

  backend        = vault_auth_backend.approle.path
  role_name      = each.key
  token_policies = ["${each.key}-policy"]

  # Token configuration
  token_ttl     = 3600  # 1 hour
  token_max_ttl = 86400 # 24 hours

  # Security settings
  bind_secret_id = true
  secret_id_ttl  = 0 # Never expire (we'll rotate manually)
}