{ lib, ... }:
let
  inherit (lib) tf;
in
{
  # FIXME: add a NixOS module to abstract bucket creation, etc.
  config = {
    terraform.required_providers.garage = {
      version = "~> 1.0.3";
      source = "registry.opentofu.org/RaitoBezarius/garage";
    };

    resource = {
      secret_resource.admin-s3-token.lifecycle.prevent_destroy = true;
      garage_bucket.monorepo-terraform-state = { };
      garage_bucket_global_alias = {
        monorepo-terraform-state = {
          bucket_id = tf.ref "resource.garage_bucket.monorepo-terraform-state.id";
          alias = "monorepo-terraform-state";
        };
      };
      garage_key = { };
      garage_bucket_key = { };
    };

    provider.garage = {
      host = "s3-admin.dgnum.eu";
      scheme = "https";
      token = tf.ref "resource.secret_resource.admin-s3-token.value";
    };
  };
}