{ config, pkgs, lib, ... }: with lib; let
  cfg = config.services.ssh-cert-dist;
  directoryModule = { name, ... }: {
    options = {
      name = mkOption {
        type = types.str;
        default = last (splitString "/" name);
      };
      fetch = mkOption {
        type = types.bool;
        default = true;
      };
      upload = mkOption {
        type = types.bool;
        default = false;
      };
    };
  };
in
{
  options.services.ssh-cert-dist = {
    enable = mkEnableOption "ssh-cert-dist";
    endpoint = mkOption {
      type = types.str;
      description = "API endpoint url";
    };
    directories = mkOption {
      type = with types; attrsOf (submodule directoryModule);
      default = { };
    };
  };
  config.systemd.user.services = mkIf cfg.enable (mapAttrs'
    (path: options: {
      inherit (options) name; value = {
      Unit.Description = "ssh-cert-dist service for ${path}";
      Service = {
        Environment = "RUST_LOG=debug";
        ExecStart = toString (pkgs.writeShellApplication {
          name = "ssh-cert-dist-${options.name}";
          runtimeInputs = [ pkgs.ssh-cert-dist ];
          text = ''
            ${optionalString options.fetch ''
             ssh-cert-dist client fetch --cert-dir '${path}' --api-endpoint '${cfg.endpoint}' 
            ''}
            ${optionalString options.upload ''
             ssh-cert-dist client upload --api-endpoint '${cfg.endpoint}' ${path}/*
            ''}

          '';
        });
      };
    };
    })
    cfg.directories);
}