diff --git a/modules/programs/step-client.nix b/modules/programs/step-client.nix
index 135af3b..b073830 100644
--- a/modules/programs/step-client.nix
+++ b/modules/programs/step-client.nix
@@ -1,21 +1,70 @@
 { inputs, ... }:
+let
+  caURL = "https://janus.john-stream.com/";
+  stepFingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
+in
 {
-  flake.modules.nixos.step-client = { pkgs, config, ... }: {
+  #
+  # NixOS Module
+  #
+  flake.modules.nixos.step-client = { config, pkgs, lib, ... }:
+  let
+    cfg = config.step-client;
+    stepBin = lib.getExe pkgs.step-cli;
+    rootCertPath = "/etc/step/certs/root_ca.crt";
+    provisionerPasswordPath = config.sops.secrets."step/provisioner_password".path;
+    sshKeyPath = "/etc/ssh/ssh_host_ed25519_key";
+    sshCertPath = "/etc/ssh/ssh_host_ed25519_key-cert.pub";
+  in
+  {
+    # NixOS Options
+    options.step-client = {
+    };
+
     imports = with inputs.self.modules.nixos; [ ssh ];
-    ssh.certificates = true;
-    home-manager.sharedModules = with inputs.self.modules; [
-      homeManager.step-client
-    ];
-    sops.secrets."janus/fingerprint" = { };
+    # NixOS Config
+    config = {
+      ssh.certificates = true;
+      home-manager.sharedModules = with inputs.self.modules; [
+        homeManager.step-client
+      ];
+      sops.secrets."janus/fingerprint" = { };
+      environment.systemPackages = with pkgs; [
+        (writeShellScriptBin "step-bootstrap" ''
+          set -euo pipefail
+          step ca bootstrap --ca-url ${caURL} --fingerprint ${stepFingerprint}
+        '')
+      ];
+      networking.nameservers = [ "192.168.1.150" ];
+      networking.dhcpcd.extraConfig = "nohook resolv.conf";
+    };
   };
-  flake.modules.homeManager.step-client = { pkgs, ... }: {
-    home.packages = with pkgs; [
-      step-cli
-      (writeShellScriptBin "check-ssh" ''
-        set -euo pipefail
-        bash <(curl -sL https://gitea.john-stream.com/john/janus/raw/branch/main/scripts/ssh-server-check.sh)
-      '')
-    ];
+  #
+  # Home Manager Module
+  #
+  flake.modules.homeManager.step-client = { config, pkgs, lib, ... }:
+  let
+    cfg = config.step-client;
+  in
+  {
+    options.step-client = {
+      enable = lib.mkEnableOption "opionated step client config";
+      caUrl = lib.mkOption {
+        type = lib.types.str;
+        default = "${caURL}";
+      };
+      fingerprint = lib.mkOption {
+        type = lib.types.str;
+        default = "${stepFingerprint}";
+      };
+    };
+    config = {
+      home.file.".step/config/defaults.json".text = builtins.toJSON {
+        "ca-url" = cfg.caUrl;
+        fingerprint = cfg.fingerprint;
+        root = "${config.home.homeDirectory}/.step/certs/root_ca.crt";
+      };
+    };
   };
 }
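Review bot: The `step-bootstrap` wrapper calls a bare `step`, but after this change nothing installs `pkgs.step-cli` — the old home-manager `home.packages` entry is removed and the new home-manager module only writes `defaults.json` — while the `stepBin = lib.getExe pkgs.step-cli` binding sits unused; the script line should read `${stepBin} ca bootstrap --ca-url ${caURL} --fingerprint ${stepFingerprint}`. The home-manager `enable` option is declared but never consulted, so the config block applies unconditionally wherever the module is imported; gate it with `config = lib.mkIf cfg.enable {`. The other `let` bindings in the NixOS module (`cfg`, `rootCertPath`, `provisionerPasswordPath`, `sshKeyPath`, `sshCertPath`) are unused and `options.step-client = { }` is empty, so `cfg` is meaningless there — either wire them up or drop them until the provisioning logic that needs them lands. Pinning the CA fingerprint in the module is the right call for `step ca bootstrap`, but it presumably makes the `sops.secrets."janus/fingerprint"` declaration redundant — confirm nothing else reads it. Note also that `step ca bootstrap` writes its own `defaults.json` under `~/.step`, which would likely collide with the read-only home-manager symlink created here — verify on a fresh host.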