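{ inputs, ... }:
let
  # Step CA endpoint and the SHA-256 fingerprint of its root certificate.
  # The fingerprint is what pins trust for every client: `step ca bootstrap`
  # rejects a downloaded root that does not match it.  If the CA is ever
  # rotated, both values must be updated together.
  caURL = "https://janus.john-stream.com/";
  stepFingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
in
{
  #
  # NixOS Module
  #
  flake.modules.nixos.step-client = { pkgs, lib, ... }:
    let
      # Absolute path to the step binary, so the bootstrap wrapper does not
      # depend on whatever `step` happens to be on the caller's PATH.
      stepBin = lib.getExe pkgs.step-cli;
    in
    {
      # NixOS Options
      # No host-level options yet; per-user options live in the Home Manager
      # module below.
      options.step-client = { };

      imports = with inputs.self.modules.nixos; [ ssh ];

      # NixOS Config
      config = {
        ssh.certificates = true;

        # Make the Home Manager module available to every user and switch it on,
        # so each user gets ~/.step/config/defaults.json.
        home-manager.sharedModules = with inputs.self.modules; [
          homeManager.step-client
          { step-client.enable = true; }
        ];

        # Declared so sops-nix decrypts it, but nothing in this module reads it:
        # the fingerprint is embedded as the literal above (it is public data,
        # not a secret).  NOTE(review): either drop this or wire it up — confirm
        # intent.
        sops.secrets."janus/fingerprint" = { };

        environment.systemPackages = [
          # One-shot helper: fetch the CA root into the caller's $STEPPATH,
          # verified against the pinned fingerprint.
          (pkgs.writeShellScriptBin "step-bootstrap" ''
            set -euo pipefail
            ${stepBin} ca bootstrap --ca-url ${caURL} --fingerprint ${stepFingerprint}
          '')
        ];

        # Side effect beyond step itself: importing this module pins the host's
        # resolver to a fixed address and stops dhcpcd from rewriting
        # /etc/resolv.conf.
        networking.nameservers = [ "192.168.1.150" ];
        networking.dhcpcd.extraConfig = "nohook resolv.conf";
      };
    };

  #
  # Home Manager Module
  #
  flake.modules.homeManager.step-client = { config, lib, ... }:
    let
      cfg = config.step-client;
    in
    {
      options.step-client = {
        enable = lib.mkEnableOption "opinionated step client config";

        caUrl = lib.mkOption {
          type = lib.types.str;
          default = caURL;
          description = "URL of the step CA this user's step-cli talks to.";
        };

        fingerprint = lib.mkOption {
          type = lib.types.str;
          default = stepFingerprint;
          description = "SHA-256 fingerprint of the CA root certificate, used to verify the root when step fetches it from the CA.";
        };
      };

      # Only write the config when enabled; the `enable` option used to be
      # declared but never consulted, so it had no effect.
      config = lib.mkIf cfg.enable {
        home.file.".step/config/defaults.json".text = builtins.toJSON {
          "ca-url" = cfg.caUrl;
          fingerprint = cfg.fingerprint;
          root = "${config.home.homeDirectory}/.step/certs/root_ca.crt";
        };
      };
    };
}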