{ self, inputs, ... }:
let
  bootstrapWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
    options = {
      caURL = lib.mkOption {
        type = lib.types.str;
      };
      fingerprint = lib.mkOption {
        type = lib.types.str;
      };
      install = lib.mkEnableOption "Install the cert to the system trust store";
    };

    config = {
      binName = "bootstrap";
      package = config.pkgs.step-cli; # (1)!
      args = [
        "ca" "bootstrap"
        "--ca-url" config.caURL
        "--fingerprint" config.fingerprint
      ];
    };
  });
in
{
  perSystem = { system, self', pkgs, lib, ... }: {
    packages.step-client = inputs.wrappers.lib.wrapPackage {
      inherit pkgs;
      package = (pkgs.symlinkJoin {
        name = "step";
        meta.mainProgram = "step";
        paths = with pkgs; [
          self'.packages.step-bootstrap
          (signHostWrapper.apply {
            inherit pkgs;
            provisioner = "admin";
            overwrite = true;
            # extraPrincipals = [ "home-pc" ];
          }).wrapper
          (signUserWrapper.apply {
            inherit pkgs;
            provisioner = "admin";
            overwrite = true;
            validUsers = [ "john" "root" "appdaemon" ];
          }).wrapper
        ];
      });
    };

    packages.step-bootstrap = (bootstrapWrapper.apply {
      inherit pkgs;
      caURL = "https://janus.john-stream.com";
      fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
      install = true;
    }).wrapper;
  };
}