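{ inputs, ... }:
{
  # flake-parts module exposing a NixOS module that signs this host's SSH host
  # key with a Step CA and keeps the resulting host certificate renewed.
  flake.modules.nixos.step-ssh-host = { config, pkgs, lib, ... }:
    let
      cfg = config.step-ssh-host;

      # Provisioner password delivered by sops; root-only (see sops.secrets below).
      provisionerPasswordPath = config.sops.secrets."janus/admin_jwk".path;

      # sshd's ed25519 host key; the CA-issued certificate is stored next to it
      # under the name sshd expects for HostCertificate.
      sshKeyPath = "/etc/ssh/ssh_host_ed25519_key";
      sshCertPath = "${sshKeyPath}-cert.pub";

      # How close to expiry a certificate must be before it is re-signed.
      # Must exceed the timer's OnUnitActiveSec + RandomizedDelaySec, otherwise a
      # certificate can expire between two timer runs.
      renewWindow = "12h";

      # Sign (or re-sign) the host key with the CA. Defined once so the
      # interactive `ssh-host-cert-renew` command and the renewal service
      # request exactly the same principals.
      renewScript = pkgs.writeShellScriptBin "ssh-host-cert-renew" ''
        ${lib.getExe pkgs.step-cli} ssh certificate \
          --host --sign \
          --provisioner "${cfg.provisioner}" \
          --provisioner-password-file "${provisionerPasswordPath}" \
          --principal "${cfg.hostname}" \
          --principal "${cfg.hostname}.${cfg.domain}" \
          "${cfg.hostname}" "${sshKeyPath}.pub"
      '';

      # Print the current host certificate (principals, validity, CA key id).
      checkScript = pkgs.writeShellScriptBin "ssh-host-cert-check"
        "${lib.getExe' pkgs.openssh "ssh-keygen"} -Lf ${sshCertPath}";
    in
    {
      # NixOS Options
      options.step-ssh-host = {
        hostname = lib.mkOption {
          description = "Networking host name to register with the CA";
          type = lib.types.str;
        };
        domain = lib.mkOption {
          description = "DNS domain appended to `hostname` for the certificate's FQDN principal";
          type = lib.types.str;
          default = "john-stream.com";
        };
        provisioner = lib.mkOption {
          description = "Provisioner inside Step CA to use for the SSH certificates";
          type = lib.types.str;
          default = "admin";
        };
      };

      imports = with inputs.self.modules.nixos; [ ssh ];

      # NixOS Config
      config = {
        ssh.certificates.enable = true;

        # The provisioner password is only ever read by root (the renewal
        # service and an administrator running ssh-host-cert-renew by hand).
        sops.secrets."janus/admin_jwk" = {
          owner = "root";
          group = "root";
          mode = "0400";
        };

        # Pin the resolver and keep dhcpcd from overwriting resolv.conf.
        # NOTE(review): presumably the internal resolver that knows the CA's
        # name — confirm this is intended for every host importing the module.
        networking.nameservers = [ "192.168.1.150" ];
        networking.dhcpcd.extraConfig = "nohook resolv.conf";

        environment.systemPackages = [
          renewScript
          checkScript
        ];

        systemd.services.step-ssh-host-renew = {
          description = "Renew Step SSH host certificate if needed";
          # Started only by the timer below, never at boot directly.
          wantedBy = [ ];
          after = [ "network-online.target" ];
          wants = [ "network-online.target" ];
          path = with pkgs; [ coreutils systemd step-cli openssh ];
          serviceConfig = {
            Type = "oneshot";
            User = "root";
            Group = "root";
          };
          # `step ssh needs-renewal` exit codes as handled here: 0 = renew now,
          # 1 = still valid long enough, 2 = certificate file missing; anything
          # else is propagated as a failure so the unit shows up as failed.
          script = ''
            set -euo pipefail
            if ${lib.getExe pkgs.step-cli} ssh needs-renewal "${sshCertPath}" --expires-in "${renewWindow}"; then
              echo "Renewing SSH host certificate"
              ${renewScript}/bin/ssh-host-cert-renew
              # sshd reads host keys and certificates when it starts; reload so
              # the freshly signed certificate is the one actually presented.
              # NOTE(review): falls back to a restart if the unit has no reload
              # action — confirm that is acceptable on these hosts.
              systemctl try-reload-or-restart sshd.service
            else
              rc=$?
              if [ "$rc" -eq 1 ]; then
                echo "SSH host cert does not need renewal"
                exit 0
              fi
              if [ "$rc" -eq 2 ]; then
                # Initial issuance is done by hand with ssh-host-cert-renew;
                # the timer does not enroll a host on its own.
                echo "SSH host cert missing: ${sshCertPath}" >&2
                exit 1
              fi
              echo "step ssh needs-renewal failed with rc=$rc" >&2
              exit "$rc"
            fi
          '';
        };

        systemd.timers.step-ssh-host-renew = {
          description = "Periodic Step SSH host certificate renewal";
          wantedBy = [ "timers.target" ];
          timerConfig = {
            OnBootSec = "5m";
            # Keep OnUnitActiveSec + RandomizedDelaySec below renewWindow.
            OnUnitActiveSec = "4h";
            RandomizedDelaySec = "15m";
            Persistent = true;
            Unit = "step-ssh-host-renew.service";
          };
        };
      };
    };
}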