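# Host "janus": step-ca client configuration (the ~/.step layout for NixOS
# users and for home-manager) plus the nixosConfiguration that wires the
# shared modules together for this host.
{ inputs, ... }:
let
  username = "john";
  hostname = "janus";
  ca-url = "https://janus.john-stream.com/";
  # builtins.readFile keeps the trailing newline of ./fingerprint; strip it so
  # the JSON "fingerprint" value is the bare digest rather than "<digest>\n".
  fingerprint = inputs.nixpkgs.lib.removeSuffix "\n" (builtins.readFile ./fingerprint);
  # step client defaults shared by the NixOS and home-manager modules. Only
  # `root` (the path of the trust anchor) differs per target, so callers pass it.
  mkDefaults = root: builtins.toJSON { inherit ca-url fingerprint root; };
in
{
  flake.modules.nixos.janus-ca = { config, lib, ... }:
    let
      cfg = config.janus-ca;
      # Read the user's home/group from users.users when declared; the fallbacks
      # keep the module evaluable when that option is not (yet) set.
      johnHome = lib.attrByPath [ "users" "users" username "home" ] "/home/${username}" config;
      johnGroup = lib.attrByPath [ "users" "users" username "group" ] username config;
      rootCert = "${cfg.certDir}/root_ca.crt";
      # System-wide defaults.json; every ~/.step/config/defaults.json links here.
      defaultsFile = "/etc/step-ca/defaults.json";
      cfgInEtc = lib.hasPrefix "/etc/" cfg.certDir;
      # environment.etc attribute names are relative to /etc.
      certRootEtcPath = lib.removePrefix "/etc/" rootCert;
      # Per-user ~/.step layout: private (0700) directories, with the config and
      # the root cert symlinked to the system-wide copies so a rebuild updates
      # every user at once instead of leaving stale per-user files behind.
      mkStepRules = home: user: group: [
        "d ${home}/.step 0700 ${user} ${group} -"
        "d ${home}/.step/config 0700 ${user} ${group} -"
        "d ${home}/.step/certs 0700 ${user} ${group} -"
        "L+ ${home}/.step/config/defaults.json - - - - ${defaultsFile}"
        "L+ ${home}/.step/certs/root_ca.crt - - - - ${rootCert}"
      ];
      # certDir outside /etc: environment.etc cannot place the root cert there,
      # so create the directory and link the cert from the store. Mode/owner are
      # left unspecified so an existing directory keeps its permissions.
      certDirRules = lib.optionals (!cfgInEtc) [
        "d ${cfg.certDir} - - - -"
        "L+ ${rootCert} - - - - ${./root_ca.crt}"
      ];
    in
    {
      options.janus-ca = {
        certDir = lib.mkOption {
          description = "Absolute path of the directory where the mTLS certs are stored.";
          type = lib.types.str;
          default = "/etc/step-ca/certs";
        };
      };
      config = {
        # A relative certDir would yield tmpfiles rules and symlink targets
        # relative to an undefined working directory; reject it early.
        assertions = [
          {
            assertion = lib.hasPrefix "/" cfg.certDir;
            message = "janus-ca.certDir must be an absolute path, got: ${cfg.certDir}";
          }
        ];
        # defaults.json is always written to /etc because the per-user symlinks
        # point there unconditionally; only the root cert follows certDir.
        environment.etc = {
          "step-ca/defaults.json".text = mkDefaults rootCert;
        } // lib.optionalAttrs cfgInEtc {
          "${certRootEtcPath}".source = ./root_ca.crt;
        };
        systemd.tmpfiles.rules =
          certDirRules
          ++ mkStepRules johnHome username johnGroup
          ++ mkStepRules "/root" "root" "root";
      };
    };

  # home-manager side: same client defaults, with the root cert kept inside the
  # user's own ~/.step/certs (no dependency on the NixOS module).
  flake.modules.homeManager.janus-ca = { config, ... }: {
    home.file.".step/config/defaults.json".text =
      mkDefaults "${config.home.homeDirectory}/.step/certs/root_ca.crt";
    home.file.".step/certs/root_ca.crt".source = ./root_ca.crt;
  };

  flake.nixosConfigurations."${hostname}" = inputs.nixpkgs.lib.nixosSystem {
    modules = with inputs.self.modules; [
      nixos.lxc
      nixos.mysops
      nixos.step-ssh-host
      nixos.janus-ca
      inputs.home-manager.nixosModules.home-manager
      nixos."${username}"
      nixos.docker
      nixos.login-text
      nixos.mtls
      {
        networking.hostName = hostname;
        step-ssh-host = { hostname = hostname; };
        mtls = {
          enable = true;
          subject = hostname;
          san = [ "${hostname}.john-stream.com" "192.168.1.244" ];
        };
        home-manager.users."${username}" = {
          imports = with inputs.self.modules.homeManager; [ mysops step-ssh-user ];
          shell.program = "zsh";
          docker.enable = true;
        };
      }
    ];
  };
}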