{ pkgs, unstable, ... }:
{
  sops.secrets."ca_root_pw" = {
    sopsFile = ../../secrets/ca/secrets.yaml;
    path = "/var/lib/step-ca/secrets/ca_root_pw";
  };
  sops.secrets."intermediate_ca_key" = {
    sopsFile = ../../secrets/ca/keys/intermediate_ca_key;
    format = "binary";
    path = "/var/lib/step-ca/secrets/intermediate_ca_key";
  };
  sops.secrets."root_ca_key" = {
    sopsFile = ../../secrets/ca/keys/root_ca_key;
    format = "binary";
    path = "/var/lib/step-ca/secrets/root_ca_key";
  };
  sops.secrets."ssh_host_ca_key" = {
    sopsFile = ../../secrets/ca/keys/ssh_host_ca_key;
    format = "binary";
    path = "/var/lib/step-ca/secrets/ssh_host_ca_key";
  };
  sops.secrets."ssh_user_ca_key" = {
    sopsFile = ../../secrets/ca/keys/ssh_user_ca_key;
    format = "binary";
    path = "/var/lib/step-ca/secrets/ssh_user_ca_key";
  };

  #services.step-ca = {
  #  enable = true;
  #  package = unstable.step-ca;
  #  settings = builtins.fromJSON ./ca.json;
  #};
}