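{ inputs, ... }:
{
  # NixOS module for an mTLS client identity issued by a step-ca.
  #
  # It exposes options describing where the PEM material lives (and, now, what
  # identity to request) and installs two helper commands:
  #   mtls-generate  request a leaf cert/key from the CA and build a cert+key bundle
  #   mtls-check     print subject/issuer/SANs/EKU/expiry of the current bundle
  #
  # Security-relevant changes versus the previous revision:
  #   * `config` is gated on `mtls.enable` (the option used to be ignored).
  #   * certDir is created 0700 and the cert+key bundle is written under
  #     `umask 077`, so the private key is never left world-readable.
  #   * all values handed to step-cli/openssl are shell-quoted.
  #   * subject, provisioner and SANs are options (defaults keep the old values).
  flake.modules.nixos.mtls = { config, lib, pkgs, ... }:
    let
      cfg = config.mtls;
      certDir = cfg.certDir;
      tlsKey = "${certDir}/${cfg.keyFilename}";
      tlsCert = "${certDir}/${cfg.certFilename}";
      mtlsBundle = "${certDir}/${cfg.bundleFilename}";

      # One `--san VALUE` pair per configured SAN, quoted so a value containing
      # shell metacharacters cannot alter the step-cli command line.
      sanArgs = lib.concatMapStringsSep " " (s: "--san ${lib.escapeShellArg s}") cfg.sans;
    in
    {
      options.mtls = {
        enable = lib.mkEnableOption "mTLS client certificate helpers (mtls-generate / mtls-check)";

        certDir = lib.mkOption {
          description = "String path to the directory where the mTLS certs and private key are stored. Created 0700 by mtls-generate.";
          type = lib.types.str;
          default = "/var/lib/tls";
        };

        keyFilename = lib.mkOption {
          description = "String filename for the private key";
          type = lib.types.str;
          default = "key.pem";
        };

        certFilename = lib.mkOption {
          description = "String filename for the public certificate";
          type = lib.types.str;
          default = "cert.pem";
        };

        bundleFilename = lib.mkOption {
          description = "String filename for the mTLS bundle (certificate followed by private key). Treat it as a secret.";
          type = lib.types.str;
          default = "mtls.pem";
        };

        subject = lib.mkOption {
          description = "Subject / common name requested for the leaf certificate.";
          type = lib.types.str;
          default = "john-pc-ubuntu";
        };

        provisioner = lib.mkOption {
          description = "Name of the step-ca provisioner used to sign the certificate.";
          type = lib.types.str;
          default = "admin";
        };

        sans = lib.mkOption {
          description = "Subject Alternative Names (IP, DNS or URI such as a SPIFFE ID) added to the certificate.";
          type = lib.types.listOf lib.types.str;
          default = [ "192.168.1.85" "spiffe://john-stream.com/ubuntu" ];
        };
      };

      # Nothing is installed unless the module is explicitly enabled.
      config = lib.mkIf cfg.enable {
        environment.systemPackages = [
          (pkgs.writeShellScriptBin "mtls-generate" ''
            set -euo pipefail

            # The directory holds the private key: owner-only access, created if missing
            # (step-cli does not create parent directories for the output paths).
            ${pkgs.coreutils}/bin/install -d -m 0700 ${lib.escapeShellArg certDir}

            ${lib.getExe pkgs.step-cli} ca certificate \
              ${lib.escapeShellArg cfg.subject} ${lib.escapeShellArg tlsCert} ${lib.escapeShellArg tlsKey} \
              --provisioner ${lib.escapeShellArg cfg.provisioner} \
              ${sanArgs}

            # The bundle embeds the private key. A bare `cat > file` would inherit the
            # caller's umask (typically 022 -> 0644, world-readable); run it under
            # umask 077 in a subshell so the bundle is created 0600 without changing
            # the umask for the rest of the script.
            ( umask 077; ${pkgs.coreutils}/bin/cat ${lib.escapeShellArg tlsCert} ${lib.escapeShellArg tlsKey} > ${lib.escapeShellArg mtlsBundle} )
          '')

          (pkgs.writeShellScriptBin "mtls-check" ''
            set -euo pipefail
            bundle=${lib.escapeShellArg mtlsBundle}

            # The bundle contains the private key; flag it if anyone but the owner can read it.
            mode="$(${pkgs.coreutils}/bin/stat -c %a "$bundle")"
            if [ "$mode" != "600" ] && [ "$mode" != "400" ]; then
              echo "warning: $bundle has mode $mode; expected 600 (it contains the private key)" >&2
            fi

            # openssl x509 reads the first PEM block of the bundle, i.e. the certificate.
            ${lib.getExe pkgs.openssl} x509 \
              -noout -subject -issuer \
              -ext subjectAltName,extendedKeyUsage \
              -enddate -in "$bundle"
          '')
        ];
      };
    };
}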