# Private step-ca instance for the intranet (ACME + JWK provisioners) and the
# certificate that nginx on this host obtains from it via security.acme.
{ constants, config, pkgs, ... }:
let
  cfg = config.services.step-ca;

  # Runtime state of the CA: certificates and the badger database.
  stateDir = "/var/lib/step-ca";

  # Both sops-managed secrets are readable only by the step-ca service user.
  secretPerms = {
    owner = "step-ca";
    group = "step-ca";
    mode = "0400";
  };

  # Issuance paths offered by the CA.  The "acme" provisioner is what
  # security.acme below talks to (its directory URL embeds the provisioner
  # name); the JWK provisioner is for manual step-cli use.
  provisioners = [
    {
      type = "ACME";
      name = "acme";
    }
    {
      type = "JWK";
      name = "sid@sid.ovh";
      # Public half of the provisioner key (P-256 / ES256).
      key = {
        use = "sig";
        kty = "EC";
        kid = "w3fV4U-frlyTnBMg4yNYrLsn8_mY98H8HthoscpoVrg";
        crv = "P-256";
        alg = "ES256";
        x = "KZCDecn4sb87T3UO6JsIzJVtr4Aa0UcYzYDNBUM6F7M";
        y = "CbGHn9tXQbV0Ur2VuXITLnWgfxCRmKEoUdMUmrP9Qkw";
      };
      # Private half, stored as a JWE.  Its protected header declares
      # PBES2-HS256+A128KW password wrapping (600000 iterations), so once this
      # file is in the world-readable Nix store the provisioner password is
      # the only thing protecting it.  This is the provisioner signing key,
      # not the intermediate CA key; that one comes from sops (settings.key).
      encryptedKey = "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiZS1MUDhDYlE4dzVuMF9nUGhXOWtGdyJ9.rgsqo58rJFWaociSqiPg3E1alAeqoHWubJi4n2uoUFYp3YTWaYZzqA.6P6oimHsKGdCWruo.fNaDr50IXCtCe7W7VIXuS3rlfin_R0nogNpIJ9C6szYg8k10UylircUs14Zl1EHQ9lFeJovb1y1uljzBajMGkOAGlMvashrphVkXiSxHWKDhzbrItJx3qChLtSLJJtXiXPbJQKCAeBjztqPuTw6dI4Z6IR9---kiTvzF6I9KE8afGFlMSubGjr9FnqgiOb2JiZuTfcBGDx78puxdWzUrEEVlliHdv2agbKhY0b13x-obaTIWwlqLFbasv7kPneJ8Ggp7IHHr5uDcUrqVKkTfBrD0lelXm6SwJTHGMkty6inlwSflT9mxvkNq7OGV9triPQc8AGVv0c7t7dHoX_E.tSjJqttCS6zLI_-7zPdXNQ";
    }
  ];
in
{
  services.step-ca = {
    enable = true;

    # Bind on every interface and open the firewall port: ACME clients across
    # the intranet must reach the CA.  No provisioner-level restriction is
    # configured here, so anything that can reach port 8443 may start an ACME
    # order (it still has to pass the challenge for the requested name).
    address = "0.0.0.0";
    port = 8443;
    openFirewall = true;

    # Password protecting the intermediate key; delivered by sops, never in
    # the store.
    intermediatePasswordFile = config.sops.secrets."step-ca/password".path;

    # Initial material was generated with:
    #   nix-shell -p step-cli --run "step ca init"
    settings = {
      # FIXME: nix-store paths do not work
      # root = ../../../certs/root_ca.crt;
      # crt = ../../../certs/intermediate_ca.crt;
      # FIXME: not reproducible
      root = "${stateDir}/certs/root_ca.crt";
      crt = "${stateDir}/certs/intermediate_ca.crt";
      # Intermediate private key, sops-managed (0400, owner step-ca).
      key = config.sops.secrets."step-ca/intermediate-key".path;

      # Names the CA's own serving certificate is issued for: the FQDN plus
      # the host IP, so clients using either get a matching cert.
      dnsNames = [
        constants.ca-fqdn
        constants.hosts.sid.ip
      ];

      logger.format = "text";

      db = {
        type = "badgerv2";
        dataSource = "${stateDir}/db";
      };

      authority = { inherit provisioners; };

      tls = {
        # ECDSA-only, AEAD-only suites.  This requires the CA's serving
        # certificate to use an EC key; an RSA serving key would leave no
        # usable suite — TODO confirm the intermediate/serving key type.
        cipherSuites = [
          "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
          "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
        ];
        renegotiation = false;
      };
    };
  };

  environment.systemPackages = [ pkgs.step-cli ];

  # HTTP-01 challenge directory: written by the acme user, served by nginx.
  systemd.tmpfiles.rules = [
    "d /var/lib/acme/acme-challenge 0755 acme nginx"
  ];

  security.acme = {
    certs."sid-internal" = {
      # domain = constants.intranet;
      domain = constants.services.vaultwarden.fqdn;
      extraDomainNames = [
        constants.services.netdata.fqdn
        # constants.services.vaultwarden.fqdn
        constants.services.webdav.fqdn
      ];
      # Directory URL of the "acme" provisioner on this host's own CA.  The
      # ACME client must trust root_ca.crt for this to work; nothing in this
      # module adds it to the system trust store — presumably done elsewhere,
      # verify.
      server = "https://${constants.ca-fqdn}:${toString cfg.port}/acme/acme/directory";
      group = "nginx";
    };
  };

  sops.secrets = {
    "step-ca/password" = secretPerms;
    "step-ca/intermediate-key" = secretPerms;
  };
}