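{ self, inputs, ... }:
{
  #
  # Home Manager Module
  #
  # Exposes `step-ssh-user`, an opinionated Home Manager module that wraps
  # `step ssh certificate --sign` in a `sign-ssh-cert` helper script.  The
  # provisioner password comes from a sops-nix managed secret that is kept
  # owner-read-only.
  flake.modules.homeManager.step-ssh-user =
    { config, pkgs, lib, ... }:
    let
      cfg = config.step-ssh-user;

      # The first principal is also passed as the certificate's key ID.
      # `lib.head` throws on an empty list, so `principals` is asserted
      # non-empty below instead of failing with an opaque evaluation error.
      firstPrincipal = lib.head cfg.principals;

      # One `--principal <p>` per configured principal.  `escapeShellArg`
      # keeps a principal containing spaces, quotes or `$` from being
      # re-split or expanded by the shell when the script runs.
      principalArgs = lib.concatMapStringsSep " "
        (principal: "--principal ${lib.escapeShellArg principal}")
        cfg.principals;
    in
    {
      options.step-ssh-user = {
        enable = lib.mkEnableOption "opinionated step client config for SSH certs";

        provisioner = lib.mkOption {
          type = lib.types.str;
          default = "admin";
          description = "Name of the step-ca provisioner used to sign the SSH certificate.";
        };

        principals = lib.mkOption {
          type = lib.types.listOf lib.types.str;
          description = ''
            Principals to embed in the SSH certificate.  Must contain at least
            one entry; the first entry is also used as the certificate's key ID.
          '';
        };
      };

      config = lib.mkIf cfg.enable {
        assertions = [
          {
            assertion = cfg.principals != [ ];
            message = "step-ssh-user.principals must contain at least one principal.";
          }
        ];

        # Provisioner password file: readable only by the owning user.
        sops.secrets."janus/admin_jwk".mode = "0400";

        # NOTE(review): `config.ssh.IdentityFile` is not a standard Home Manager
        # option; it is assumed to be declared by another module in this flake
        # and to hold the path of the private key whose `.pub` gets signed.
        home.packages = [
          (pkgs.writeShellScriptBin "sign-ssh-cert" ''
            ${lib.getExe pkgs.step-cli} ssh certificate \
              --sign \
              ${principalArgs} \
              --provisioner ${lib.escapeShellArg cfg.provisioner} \
              --provisioner-password-file ${lib.escapeShellArg config.sops.secrets."janus/admin_jwk".path} \
              ${lib.escapeShellArg firstPrincipal} ${lib.escapeShellArg "${config.ssh.IdentityFile}.pub"}
          '')
        ];
      };
    };
}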