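{ inputs, ... }:
let
  username = "john";
  hostname = "janus";
  # Base URL of the step-ca instance every client configured below talks to.
  ca-url = "https://janus.john-stream.com/";
  # SHA-256 fingerprint of ./root_ca.crt. step-cli compares the CA's root
  # against this value, so the fingerprint plus the bundled root_ca.crt form
  # the trust anchor for every client; regenerate both together if the CA
  # root is ever rotated.
  fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
in
{
  # NixOS module: installs the step client defaults and the pinned root CA
  # system-wide under /etc, then links them into ~/.step for `username` and
  # for root so `step` finds them without per-user setup.
  flake.modules.nixos.janus-ca = { config, lib, ... }:
    let
      johnHome = lib.attrByPath [ "users" "users" username "home" ] "/home/${username}" config;
      johnGroup = lib.attrByPath [ "users" "users" username "group" ] username config;

      # Single source of truth for the on-host locations of the root CA and the
      # client defaults. The original module wrote the certificate to
      # /etc/step-ca/certs/ but symlinked ~/.step/certs/root_ca.crt to
      # /etc/step/certs/, which is never created, leaving a dangling link.
      rootCaPath = "/etc/step-ca/certs/root_ca.crt";
      defaultsPath = "/etc/step/config/defaults.json";

      # tmpfiles rules for one account: a private (0700) ~/.step tree plus
      # `L+` symlinks, which replace whatever is at the target path and are
      # re-applied by systemd-tmpfiles, so a locally edited defaults.json
      # (e.g. pointing at a different CA or fingerprint) does not survive.
      mkStepRules = home: user: group: [
        "d ${home}/.step 0700 ${user} ${group} -"
        "d ${home}/.step/config 0700 ${user} ${group} -"
        "d ${home}/.step/certs 0700 ${user} ${group} -"
        "L+ ${home}/.step/config/defaults.json - - - - ${defaultsPath}"
        "L+ ${home}/.step/certs/root_ca.crt - - - - ${rootCaPath}"
      ];
    in
    {
      # Client defaults: CA URL, pinned fingerprint and the root the client
      # verifies the CA's TLS certificate against. `root` must point at a file
      # that actually exists on the host, hence rootCaPath.
      environment.etc."step/config/defaults.json".text = builtins.toJSON {
        inherit ca-url fingerprint;
        root = rootCaPath;
      };
      environment.etc."step-ca/certs/root_ca.crt".source = ./root_ca.crt;
      systemd.tmpfiles.rules =
        mkStepRules johnHome username johnGroup
        ++ mkStepRules "/root" "root" "root";
    };

  # Home Manager module: the same defaults and pinned root, but written into
  # the user's own ~/.step (no /etc involvement), for hosts where the NixOS
  # module above is not used.
  flake.modules.homeManager.janus-ca = { config, ... }:
    let
      rootCaPath = "${config.home.homeDirectory}/.step/certs/root_ca.crt";
    in
    {
      home.file.".step/config/defaults.json".text = builtins.toJSON {
        inherit ca-url fingerprint;
        root = rootCaPath;
      };
      home.file.".step/certs/root_ca.crt".source = ./root_ca.crt;
    };

  # The CA host itself: an LXC guest running step-ca with SSH host certs,
  # mTLS client identity and the user's home-manager profile.
  flake.nixosConfigurations."${hostname}" = inputs.nixpkgs.lib.nixosSystem {
    modules = with inputs.self.modules; [
      nixos.lxc
      nixos.mysops
      nixos.step-ssh-host
      nixos.janus-ca
      inputs.home-manager.nixosModules.home-manager
      nixos."${username}"
      nixos.docker
      nixos.login-text
      nixos.mtls
      {
        networking.hostName = hostname;
        step-ssh-host = { hostname = hostname; };
        mtls = {
          enable = true;
          subject = hostname;
          # SANs the host's mTLS certificate is valid for: DNS name and the
          # fixed LAN address.
          san = [ "${hostname}.john-stream.com" "192.168.1.244" ];
        };
        home-manager.users."${username}" = {
          imports = with inputs.self.modules.homeManager; [ mysops step-ssh-user ];
          shell.program = "zsh";
          docker.enable = true;
        };
      }
    ];
  };

  flake-file.inputs = {
    wrappers = {
      url = "github:lassulus/wrappers";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  # `janus-cert`: step-cli pre-pointed at this CA for issuing certificates.
  # NOTE(review): only --ca-url is pinned here; the root and fingerprint are
  # expected to come from the caller's ~/.step/config/defaults.json installed
  # by the modules above. On a host without them, step-cli's trust anchor is
  # whatever it falls back to — confirm before relying on this wrapper there.
  perSystem = { pkgs, lib, ... }: {
    packages.janus-ca = inputs.wrappers.lib.wrapPackage {
      inherit pkgs;
      package = pkgs.step-cli;
      binName = "janus-cert";
      args = [ "ca" "certificate" "--ca-url=${ca-url}" ];
    };
  };
}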