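{ config, pkgs, lib, ... }:

# NixOS module for ssh-cert-dist-server: runs the server as an unprivileged
# system user, pointed at a certificate directory (`dataDir`) and a CA file
# (`ca`), listening on `host:port`.
#
# The SSH_CD_* environment contract belongs to the server binary, not to this
# module; what each variable means is inferred from its name here — confirm
# against the server's own documentation before relying on the descriptions.
let
  cfg = config.services.ssh-cert-dist;
  inherit (lib) mkEnableOption mkOption mkIf types literalExpression boolToString;

  # Only a privileged port (< 1024) needs CAP_NET_BIND_SERVICE; on the default
  # port the service runs with an empty capability set.
  needsBindCap = cfg.port < 1024;
  bindCaps = if needsBindCap then [ "CAP_NET_BIND_SERVICE" ] else "";
in
{
  options.services.ssh-cert-dist = {
    enable = mkEnableOption "ssh-cert-dist";

    host = mkOption {
      type = types.str;
      default = "127.0.0.1";
      description = ''
        Address to bind. Defaults to loopback. This module configures no
        transport security or client authentication for the socket; if you
        bind a non-loopback address, front the service with something that
        provides them.
      '';
    };

    port = mkOption {
      type = types.port;
      default = 6877;
      description = "TCP port to bind.";
    };

    package = mkOption {
      type = types.package;
      default = pkgs.ssh-cert-dist-server;
      defaultText = literalExpression "pkgs.ssh-cert-dist-server";
      description = "Package providing the ssh-cert-dist-server binary.";
    };

    ca = mkOption {
      type = types.path;
      description = ''
        CA file handed to the server as SSH_CD_CA (judging by the neighbouring
        SSH_CD_VALIDATE_* settings, used to validate the distributed
        certificates). If this file contains private key material, pass it as
        a string path ("/var/lib/ssh-cert-dist/ca"), not a Nix path literal
        (./ca): a path literal is copied into the world-readable Nix store.
        The file must be readable by `user` and must not live under /home or
        /root, which the service sandbox hides.
      '';
    };

    dataDir = mkOption {
      type = types.path;
      default = "/var/lib/ssh-cert-dist";
      description = ''
        Directory served as SSH_CD_CERT_DIR. Created with mode 0750, owned by
        `user`:`group`; anything that drops certificates into it must run as
        that user or in that group.
      '';
    };

    user = mkOption {
      type = types.str;
      default = "cert-dist";
      description = ''
        User the server runs as. The account is created only when this is
        left at its default; otherwise it must already exist.
      '';
    };

    group = mkOption {
      type = types.str;
      default = "cert-dist";
      description = ''
        Group the server runs as. Created only when left at its default.
      '';
    };

    validateExpiry = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Value of SSH_CD_VALIDATE_EXPIRY. Presumably makes the server refuse
        expired certificates; keep it enabled unless you have confirmed
        otherwise with the server's documentation.
      '';
    };

    validateSerial = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Value of SSH_CD_VALIDATE_SERIAL. Off by default to match the
        previously hard-coded setting; enabling it is the more conservative
        choice — confirm what the server checks before turning it on.
      '';
    };

    logLevel = mkOption {
      type = types.str;
      default = "info";
      example = "debug";
      description = ''
        RUST_LOG filter for the server. The default is "info"; "debug" can be
        very verbose for a long-running service and may log request details
        you do not want in the journal, so enable it only while diagnosing.
      '';
    };
  };

  config = mkIf cfg.enable {
    # Create the account only for the default names, so an operator who
    # points `user`/`group` at an existing account does not get a clash.
    users.users = mkIf (cfg.user == "cert-dist") {
      cert-dist = {
        isSystemUser = true;
        group = cfg.group;
      };
    };
    users.groups = mkIf (cfg.group == "cert-dist") {
      cert-dist = { };
    };

    # Declarative directory creation replaces the root-privileged ExecStartPre
    # shell: no shell quoting of an operator-supplied path, and an explicit
    # mode instead of whatever root's umask produced.
    systemd.tmpfiles.rules = [
      "d '${cfg.dataDir}' 0750 ${cfg.user} ${cfg.group} -"
    ];

    systemd.services.ssh-cert-dist = {
      description = "SSH certificate distribution server";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      environment = {
        SSH_CD_SOCKET_ADDRESS = "${cfg.host}:${toString cfg.port}";
        SSH_CD_CERT_DIR = cfg.dataDir;
        SSH_CD_VALIDATE_EXPIRY = boolToString cfg.validateExpiry;
        SSH_CD_VALIDATE_SERIAL = boolToString cfg.validateSerial;
        SSH_CD_CA = cfg.ca;
        RUST_LOG = cfg.logLevel;
      };

      serviceConfig = {
        User = cfg.user;
        Group = cfg.group;
        ExecStart = "${cfg.package}/bin/ssh-cert-dist-server";
        Restart = "on-failure";

        # Sandbox: the server needs its certificate directory, the CA file and
        # a TCP socket — nothing else. If it turns out to need more (another
        # writable path, another address family), loosen the matching line
        # rather than dropping the block.
        ReadWritePaths = [ cfg.dataDir ];
        CapabilityBoundingSet = bindCaps;
        AmbientCapabilities = bindCaps;
        NoNewPrivileges = true;
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectSystem = "strict";
        ProtectHome = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        ProtectClock = true;
        ProtectHostname = true;
        ProtectProc = "invisible";
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [ "@system-service" "~@privileged" ];
      };
    };
  };
}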