# Terraform/OpenTofu configuration expressed as a Nix module: declares the
# Garage provider, two buckets with their global aliases, and one access key
# bound to the demo bucket.
{ lib, ... }:

let
  inherit (lib) tf;

  # References to the ids of the two managed buckets, built with the
  # project's tf.ref helper so each alias/key binding points at the same id.
  stateBucketId = tf.ref "resource.garage_bucket.monorepo-terraform-state.id";
  demoBucketId = tf.ref "resource.garage_bucket.impress-raito-demo.id";
in
{
  # FIXME: add a NixOS module to abstract bucket creation, etc.
  config = {
    # "~> 1.0.3" accepts patch releases in the 1.0.x line only.
    # NOTE(review): the provider comes from a third-party registry namespace;
    # confirm the dependency lock file is committed so checksums are pinned.
    terraform.required_providers.garage = {
      source = "registry.opentofu.org/RaitoBezarius/garage";
      version = "~> 1.0.3";
    };

    # Admin API endpoint, reached over HTTPS.
    # NOTE(review): the token is read from a managed secret resource, so it
    # presumably ends up in the state file; verify the state backend is
    # access-restricted.
    provider.garage = {
      scheme = "https";
      host = "s3-admin.dgnum.eu";
      token = tf.ref "resource.secret_resource.admin-s3-token.value";
    };

    # Guard the admin token resource against accidental destruction.
    resource.secret_resource.admin-s3-token.lifecycle.prevent_destroy = true;

    # Buckets are declared with provider defaults only.
    # NOTE(review): the bucket named for Terraform state carries no
    # prevent_destroy guard, unlike the admin token; confirm that is intended.
    resource.garage_bucket.monorepo-terraform-state = { };
    resource.garage_bucket.impress-raito-demo = { };

    # One global alias per bucket, named after the bucket resource.
    resource.garage_bucket_global_alias.monorepo-terraform-state = {
      alias = "monorepo-terraform-state";
      bucket_id = stateBucketId;
    };
    resource.garage_bucket_global_alias.impress-raito-demo = {
      alias = "impress-raito-demo";
      bucket_id = demoBucketId;
    };

    # Access key that is explicitly denied bucket creation.
    # NOTE(review): the generated secret key is presumably stored in state as
    # well; the same state-access caveat as for the admin token applies.
    resource.garage_key.raito-dinum-test = {
      name = "raito-dinum-test";
      permissions.create_bucket = false;
    };

    # Bind the key to the demo bucket only.
    # NOTE(review): owner is granted on top of read/write; confirm this test
    # key needs owner rights, otherwise read/write alone is the narrower grant.
    resource.garage_bucket_key.raito-dinum-test = {
      bucket_id = demoBucketId;
      access_key_id = tf.ref "resource.garage_key.raito-dinum-test.access_key_id";
      read = true;
      write = true;
      owner = true;
    };
  };
}