{ pkgs, unstable, ... }:
{
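  # CA key material, decrypted by sops-nix at activation and placed under the
  # step-ca state directory, owned by the service account.  `mode` is pinned to
  # owner-read-only explicitly so the files' permissions never depend on the
  # sops-nix default (which is 0400 today).
  #
  # NOTE(review): `owner = "step-ca"` requires that user to exist when sops-nix
  # chowns these files at activation; if the step-ca unit runs under
  # DynamicUser, declare the user statically or decryption will fail — confirm.

  # Passphrase read from the YAML secrets file.  Despite the name, this file is
  # what services.step-ca.intermediatePasswordFile points at, i.e. it unlocks
  # the *intermediate* key.  If the same passphrase also protects the root key,
  # a compromise of this online host exposes both — confirm they differ.
  sops.secrets."ca_root_pw" = {
    sopsFile = ../../secrets/ca/secrets.yaml;
    owner = "step-ca";
    mode = "0400";
    path = "/var/lib/step-ca/secrets/ca_root_pw";
  };

  # Encrypted intermediate private key (whole-file secret, hence format =
  # "binary").  Referenced by services.step-ca.settings.key.
  sops.secrets."intermediate_ca_key" = {
    sopsFile = ../../secrets/ca/keys/intermediate_ca_key;
    format = "binary";
    owner = "step-ca";
    mode = "0400";
    path = "/var/lib/step-ca/secrets/intermediate_ca_key";
  };

  # NOTE(review): the root CA private key is deployed to the online issuing
  # host, yet nothing in this file references it — step-ca is configured with
  # the intermediate key and only the root *certificate*.  The usual practice is
  # to keep the root key offline (needed only to re-issue the intermediate);
  # confirm it is genuinely required on this host before keeping this entry.
  sops.secrets."root_ca_key" = {
    sopsFile = ../../secrets/ca/keys/root_ca_key;
    format = "binary";
    owner = "step-ca";
    mode = "0400";
    path = "/var/lib/step-ca/secrets/root_ca_key";
  };

  # SSH host CA signing key (services.step-ca.settings.ssh.hostKey).
  sops.secrets."ssh_host_ca_key" = {
    sopsFile = ../../secrets/ca/keys/ssh_host_ca_key;
    format = "binary";
    owner = "step-ca";
    mode = "0400";
    path = "/var/lib/step-ca/secrets/ssh_host_ca_key";
  };

  # SSH user CA signing key (services.step-ca.settings.ssh.userKey).
  sops.secrets."ssh_user_ca_key" = {
    sopsFile = ../../secrets/ca/keys/ssh_user_ca_key;
    format = "binary";
    owner = "step-ca";
    mode = "0400";
    path = "/var/lib/step-ca/secrets/ssh_user_ca_key";
  };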

  # Online issuing CA.  step-ca serves X.509 certificates (JWK and ACME
  # provisioners) and SSH host/user certificates, signing with the intermediate
  # key deployed by sops above; the root is referenced only as a certificate.
  #
  # NOTE(review): this `settings` attrset is rendered to a JSON file by the
  # NixOS module, and such generated files are normally world-readable.  Nothing
  # in it is secret except the PBES2-wrapped provisioner key (`encryptedKey`),
  # whose confidentiality therefore rests entirely on that passphrase's strength.
  services.step-ca =
    let
      stateDir = "/var/lib/step-ca";
      secretsDir = "${stateDir}/secrets";

      # One SSH template entry; every entry in this deployment uses "#" as the
      # comment marker, so only the varying fields are parameters.
      sshTemplate = type: name: path: template: {
        inherit name type path template;
        comment = "#";
      };
    in
    {
      enable = true;
      package = pkgs.step-ca;

      # Passphrase that unlocks the intermediate key below (the sops secret is
      # named "ca_root_pw", but this is the intermediate's password file).
      intermediatePasswordFile = "${secretsDir}/ca_root_pw";

      # TLS listener on every interface, standard HTTPS port.  The plaintext
      # `insecureAddress` listener is left empty, i.e. disabled.
      address = "0.0.0.0";
      port = 443;

      settings = {
        # Files step-ca signs with / presents.  Only the intermediate key is
        # given to the daemon; `root` is the certificate used to build chains.
        root = "${stateDir}/certs/root_ca.crt";
        crt = "${stateDir}/certs/intermediate_ca.crt";
        key = "${secretsDir}/intermediate_ca_key";

        # Names placed in the CA's own server certificate.  The second entry is
        # an IP literal and is expected to become an IP SAN — verify on the
        # issued certificate.
        dnsNames = [
          "ca.home.2rjus.net"
          "10.69.13.12"
        ];

        insecureAddress = "";
        federatedRoots = null;
        logger.format = "text";

        # Embedded Badger store; no external database.
        db = {
          type = "badgerv2";
          dataSource = "${stateDir}/db";
          badgerFileLoadingMode = "";
        };

        # SSH CA signing keys (host and user certificates are signed by
        # different keys so trust can be scoped separately).
        ssh.hostKey = "${secretsDir}/ssh_host_ca_key";
        ssh.userKey = "${secretsDir}/ssh_user_ca_key";

        authority.provisioners = [
          # Operator provisioner: the private half is stored as a JWE whose
          # header (base64-decoded) reads alg=PBES2-HS256+A128KW, enc=A256GCM,
          # p2c=600000.  Holders of the passphrase can mint both TLS and SSH
          # certificates (enableSSHCA), TLS up to 3600h (150 days).
          {
            name = "ca@home.2rjus.net";
            type = "JWK";
            claims = {
              enableSSHCA = true;
              defaultTLSCertDuration = "48h";
              maxTLSCertDuration = "3600h";
            };
            # Public half of the provisioner key.
            key = {
              kty = "EC";
              crv = "P-256";
              alg = "ES256";
              use = "sig";
              kid = "CIjtIe7FNhsNQe1qKGD9Rpj-lrf2ExyTYCXAOd3YDjE";
              x = "XRMX-BeobZ-R5-xb-E9YlaRjJUfd7JQxpscaF1NMgFo";
              y = "bF9xLp5-jywRD-MugMaOGbpbniPituWSLMlXRJnUUl0";
            };
            encryptedKey = "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiY1lWOFJPb3lteXFLMWpzcS1WM1ZXQSJ9.WS8tPK-Q4gtnSsw7MhpTzYT_oi-SQx-CsRLh7KwdZnpACtd4YbcOYg.zeyDkmKRx8BIp-eB.OQ8c-KDW07gqJFtEMqHacRBkttrbJRRz0sYR47vQWDCoWhodaXsxM_Bj2pGvUrR26ij1t7irDeypnJoh6WXvUg3n_JaIUL4HgTwKSBrXZKTscXmY7YVmRMionhAb6oS9Jgus9K4QcFDHacC9_WgtGI7dnu3m0G7c-9Ur9dcDfROfyrnAByJp1rSZMzvriQr4t9bNYjDa8E8yu9zq6aAQqF0Xg_AxwiqYqesT-sdcfrxKS61appApRgPlAhW-uuzyY0wlWtsiyLaGlWM7WMfKdHsq-VqcVrI7Gi2i77vi7OqPEberqSt8D04tIri9S_sArKqWEDnBJsL07CC41IY.CqtYfbSa_wlmIsKgNj5u7g";
          }

          # ACME for unattended TLS issuance.
          # NOTE(review): 1800h (~75 days) default and 3600h (~150 days) maximum
          # are far above step-ca's stock ACME lifetime, and no CRL/OCSP
          # distribution is configured in this file, so a leaked ACME-issued key
          # stays usable until expiry.  ACME clients renew automatically; consider
          # whether lifetimes of days rather than months would serve as well.
          {
            name = "acme";
            type = "ACME";
            claims = {
              defaultTLSCertDuration = "1800h";
              maxTLSCertDuration = "3600h";
            };
          }

          # Lets a host holding a valid SSH host certificate renew/rekey it
          # without a fresh token.
          {
            name = "sshpop";
            type = "SSHPOP";
            claims.enableSSHCA = true;
          }
        ];

        # Files `step ssh config` lays down on enrolled hosts and user machines.
        templates.ssh = {
          host = [
            ((sshTemplate "snippet" "sshd_config.tpl" "/etc/ssh/sshd_config" ./templates/ssh/sshd_config.tpl)
              // { requires = [ "Certificate" "Key" ]; })
            (sshTemplate "snippet" "ca.tpl" "/etc/ssh/ca.pub" ./templates/ssh/ca.tpl)
          ];
          user = [
            (sshTemplate "snippet" "config.tpl" "~/.ssh/config" ./templates/ssh/config.tpl)
            # `\${` keeps Nix from interpolating: the literal `${STEPPATH}` is
            # emitted for the step CLI to expand at runtime.
            (sshTemplate "prepend-line" "step_includes.tpl" "\${STEPPATH}/ssh/includes" ./templates/ssh/step_includes.tpl)
            (sshTemplate "file" "step_config.tpl" "ssh/config" ./templates/ssh/step_config.tpl)
            (sshTemplate "file" "known_hosts.tpl" "ssh/known_hosts" ./templates/ssh/known_hosts.tpl)
          ];
        };

        # TLS 1.2 is the floor, renegotiation is off.  The suite list only
        # governs TLS 1.2 (1.3 suites are fixed) and lists ECDSA suites only, so
        # it assumes the intermediate/server key is EC — an RSA key would leave
        # TLS 1.2 clients with no usable suite; confirm against the key type.
        tls = {
          minVersion = 1.2;
          maxVersion = 1.3;
          renegotiation = false;
          cipherSuites = [
            "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
          ];
        };
      };
    };
}