{
  pkgs,
  config,
  ...
}: let
  inherit (config.services.secrets) secrets;
in {
  environment.systemPackages = with pkgs; [
    step-cli
    step-ca
  ];

  services.step-ca = {
    enable = true;
    address = "0.0.0.0";
    port = 8443;
    intermediatePasswordFile = secrets.internal_ca_password.path;
    settings = builtins.fromJSON (builtins.readFile ../data/ca.json);
  };
}