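# NixOS module: HashiCorp Vault on a PostgreSQL storage backend, plus a
# best-effort systemd unit that unseals Vault once it is up.
{ pkgs, lib, ... }:

let
  # Single source of truth for the listener address. The original unseal
  # script targeted 127.0.0.1:8200 while Vault is bound to this address, so
  # the loopback request would not reach the listener unless something else
  # happened to serve it there; both sides now use the same value.
  vaultAddress = "10.0.1.51:8200";

  # NOTE(review): this is read at evaluation time, so the password is copied
  # into the generated vault configuration in the world-readable Nix store.
  # Moving the connection block into a runtime file referenced through
  # services.vault.extraSettingsPaths would avoid that, but it needs the file
  # provisioned on the host, so it is left as-is here.
  # lib.fileContents strips the trailing newline that builtins.readFile would
  # otherwise splice into the middle of the connection URL.
  dbPassword = lib.fileContents /opt/cloud-init-misc-data/vault_db_password;

  # Only the first line of this file is sent as the unseal key share. The
  # name suggests it holds the root token; if it really does, the unseal
  # request is wrong (and a root token should not live on disk) — confirm.
  unsealKeyFile = "/mnt/data/vault-root-token";
in
{
  services.vault = {
    enable = true;
    package = pkgs.vault-bin;
    address = vaultAddress;
    storageBackend = "postgresql";
    # sslmode=disable is tolerable only because PostgreSQL is on localhost.
    storageConfig = ''
      connection_url = "postgres://vault:${dbPassword}@localhost:5432/vault?sslmode=disable"
    '';
    extraConfig = ''
      ui = true
    '';
  };

  # Vault must not start before its storage backend is available.
  systemd.services.vault.after = [ "postgresql.service" ];

  systemd.services.vault-unseal = {
    serviceConfig.Type = "simple";
    wantedBy = [ "multi-user.target" ];
    after = [ "vault.service" ];
    # Put curl on PATH instead of hard-coding /run/current-system/sw/bin.
    path = [ pkgs.curl ];
    script = ''
      file=${unsealKeyFile}
      # No key file means the operator unseals by hand; exit cleanly.
      test -f "$file" || { printf 'Stopping automatic unseal, no token present at %s\n' "$file"; exit 0; }

      # Read the share once and hand it to curl on stdin so it never shows
      # up in the process argument list, which any local user can read.
      key=$(head -n 1 "$file")

      # The original loop ran 11 times (-le 10 with the counter bumped
      # first); make the attempt budget explicit instead.
      attempt=0
      max_attempts=10
      while [ "$attempt" -lt "$max_attempts" ]; do
        attempt=$((attempt + 1))
        printf '=> Trying to unseal Vault.. (attempt %s/%s)\n' "$attempt" "$max_attempts"
        printf '{"key": "%s"}' "$key" \
          | curl -sS -X PUT --data @- "http://${vaultAddress}/v1/sys/unseal" && break
        sleep 10
      done
    '';
  };

  networking.firewall.allowedTCPPorts = [ 8200 ];
}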