{
  config,
  lib,
  pkgs,
  ...
}: let
  cfg = config.services.xinCA;
in
  with lib; {
    options = {
      services.xinCA = {
        enable = mkEnableOption "Configure host as a xin certificate authority.";

        user = mkOption {
          type = types.str;
          default = "step-ca";
          description = ''
            User who will own the CA key material.
          '';
        };
      };
    };

    imports = [../modules/ts-rev-prox.nix];
    config = mkIf cfg.enable {
      sops.secrets = {
        ca_password = {
          mode = "400";
          owner = cfg.user;
          sopsFile = config.xin-secrets.cert_authority;
        };
        "defaults.json" = {
          mode = "400";
          owner = cfg.user;
          path = "/var/lib/step-ca/config/defaults.json";
          sopsFile = config.xin-secrets.cert_authority;
        };
        "intermediate_ca.crt" = {
          mode = "444";
          owner = cfg.user;
          path = "/var/lib/step-ca/certs/intermediate_ca.crt";
          sopsFile = config.xin-secrets.cert_authority;
        };
        "intermediate_ca_key" = {
          mode = "400";
          owner = cfg.user;
          path = "/var/lib/step-ca/secrets/intermediate_ca_key";
          sopsFile = config.xin-secrets.cert_authority;
        };
        "root_ca.crt" = {
          mode = "444";
          owner = cfg.user;
          path = "/var/lib/step-ca/certs/root_ca.crt";
          sopsFile = config.xin-secrets.cert_authority;
        };
        "root_ca_key" = {
          mode = "400";
          owner = cfg.user;
          path = "/var/lib/step-ca/secrets/root_ca_key";
          sopsFile = config.xin-secrets.cert_authority;
        };
        "jwk_encryptedKey" = {
          mode = "400";
          owner = cfg.user;
          path = "/var/lib/step-ca/secrets/jwk_encryptedKey";
          sopsFile = config.xin-secrets.cert_authority;
        };
      };

      networking.hosts = {"127.0.0.1" = ["ca.bolddaemon.com"];};

      environment.sessionVariables = {STEPPATH = "/var/lib/step-ca";};
      environment.systemPackages = with pkgs; [
        step-cli
        step-kms-plugin
        opensc
        libressl
      ];

      services.step-ca = {
        enable = true;
        intermediatePasswordFile = "${config.sops.secrets.ca_password.path}";
        address = "127.0.0.1";
        port = 443;
        settings = {
          root = config.sops.secrets."root_ca.crt".path;
          crt = config.sops.secrets."intermediate_ca.crt".path;
          key = config.sops.secrets.intermediate_ca_key.path;
          dnsNames = ["ca.bolddaemon.com"];
          logger = {format = "text";};
          db = {
            type = "badgerv2";
            dataSource = "/var/lib/step-ca/db";
            badgerFileLoadingMode = "";
          };
          authority = {
            provisioners = [
              {
                type = "SSHPOP";
                name = "sshpop";
                claims = {enableSSHCA = true;};
              }
            ];
          };

          tls = {
            cipherSuites = [
              "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
              "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
            ];
            minVersion = 1.2;
            maxVersion = 1.3;
            renegotiation = false;
          };
        };
      };
    };
  }