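# flake-parts module wiring up the smallstep `step` client:
#   * a home-manager module that writes ~/.step/config/defaults.json and
#     installs the `step-bootstrap` wrapper,
#   * a per-system `step-bootstrap` package,
#   * the reusable `stepBootstrap` wrapper definition itself.
{ self, inputs, ... }:
let
  # Single source of truth for the CA trust pin. The URL and fingerprint were
  # previously written out twice (defaults.json and the wrapper); if one copy
  # is updated after a root rotation and the other is not, clients end up
  # pinning different roots.
  stepCaUrl = "https://janus.john-stream.com";

  # Fingerprint of the root CA certificate. `step ca bootstrap` uses it to
  # authenticate the first download of the root, so it must match
  # ../hosts/janus/root_ca.crt (check with `step certificate fingerprint`).
  stepCaFingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
in
{
  flake.modules.homeManager.step-client = { config, pkgs, lib, ... }: {
    # Everything rendered here (URL, fingerprint, root certificate) is public
    # material, so placing it in the world-readable Nix store exposes nothing.
    # NOTE(review): home-manager links this file read-only from the store,
    # while `step ca bootstrap` normally writes the same path itself; confirm
    # the wrapper below does not collide with it.
    home.file.".step/config/defaults.json".text = builtins.toJSON {
      # Trailing slash kept so the generated JSON is unchanged.
      ca-url = "${stepCaUrl}/";
      fingerprint = stepCaFingerprint;
      # builtins.toJSON copies a path value into the store and emits the
      # resulting store path as the JSON string.
      root = ../hosts/janus/root_ca.crt;
    };

    home.packages = [
      inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.step-bootstrap
    ];

    # Disabled alternative: deliver defaults.json through sops-nix instead.
    # sops.secrets."step-ca-defaults" = {
    #   sopsFile = ../hosts/janus/defaults.json;
    #   format = "json";
    #   key = ""; # This causes it to decode the whole file
    #   path = "${config.home.homeDirectory}/defaults.json";
    #   mode = "0400";
    # };
  };

  perSystem = { system, pkgs, lib, ... }: {
    packages.step-bootstrap = (inputs.self.wrappers.stepBootstrap.apply {
      inherit pkgs;
      caURL = stepCaUrl;
      fingerprint = stepCaFingerprint;
      # Passes --install: the root is added to the system trust store, so
      # every TLS client on the machine will accept certificates issued by
      # this CA. This usually needs elevated privileges.
      # NOTE(review): on NixOS the trust bundle is built declaratively
      # (security.pki.certificateFiles); confirm --install has the intended
      # effect there.
      install = true;
    }).wrapper;
  };

  # Wraps `step ca bootstrap` with a fixed CA URL and root fingerprint so the
  # pin comes from this repository rather than from whatever is typed at the
  # command line.
  flake.wrappers.stepBootstrap = inputs.wrappers.lib.wrapModule ({ config, lib, wlib, ... }: {
    options = {
      caURL = lib.mkOption {
        type = lib.types.str;
        description = "URL of the step-ca instance, passed to --ca-url.";
      };
      fingerprint = lib.mkOption {
        type = lib.types.str;
        description = "Fingerprint of the root CA certificate, passed to --fingerprint.";
      };
      install = lib.mkEnableOption "Install the cert to the system trust store";
    };

    config = {
      binName = "step-bootstrap";
      package = config.pkgs.step-cli;
      # --install is appended only when the option is enabled.
      args = [
        "ca" "bootstrap"
        "--ca-url" config.caURL
        "--fingerprint" config.fingerprint
      ] ++ lib.optional config.install "--install";
    };
  });
}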