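# Read-only option tree `local.pki.ca`: one entry per CA, each carrying its
# leaf certificates under `leaves`. Another module supplies `cert` (and, for
# CAs, `crl` and `issuer`); this module derives fingerprints, the subject
# commonName, dotted `path` labels and PEM bundles from those files.
#
# All derived values are produced by Nix-store derivations at build time:
#  * only PUBLIC material (certificates, CRLs) may be referenced from `cert`
#    and `crl` -- whatever is passed here is copied into the world-readable
#    store;
#  * the CRL is baked into `certWithCrl`/`fullchain`, so a reissued CRL only
#    reaches consumers after the file is replaced and the system is rebuilt.
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.local.pki.ca;

  # Taken from buildPackages so the helper derivations run on the build host
  # when cross-compiling.
  openssl = getExe pkgs.buildPackages.openssl;

  # Run `script` (which must write its result to $out) in a local, no-CC
  # derivation named after the certificate's dotted `path`, and return the
  # resulting file as a Nix string.
  certInfo = { certPath, field, script }:
    readFile (pkgs.runCommandNoCCLocal "cert-${certPath}-${field}" { } script);

  # Option type for an attribute set of certificates.
  # `leafOf == null`: the entries are CAs (they get `crl`, `certWithCrl` and
  # their own `leaves`); otherwise `leafOf` is the attribute name of the
  # issuing CA in `cfg` and the entries are leaf certificates.
  certsType = leafOf:
    with lib.types;
    attrsOf (submodule ({ config, name, ... }:
      let
        isLeaf = leafOf != null;
        hasIssuer = config.issuer != null;
        # Only forced when `hasIssuer`; for a root CA `config.issuer` is null.
        issuerCfg = cfg.${config.issuer};
        # `fullchain` starts from the bare cert for leaves and from the
        # cert+CRL bundle for CAs.
        ownChainPart = if isLeaf then config.cert else config.certWithCrl;
      in {
        options = {
          cert = mkOption {
            type = path;
            readOnly = true;
            description = "PEM-encoded certificate (public material only; it is copied into the Nix store).";
          };
          fingerprint = {
            sha1-lower = mkOption {
              type = str;
              readOnly = true;
              description = ''
                SHA-1 fingerprint as 40 lowercase hex digits without separators.
                SHA-1 is not collision resistant: use this only where a consumer
                mandates the SHA-1 form, never as a trust anchor or pin.
              '';
            };
            sha256-bytes-upper = mkOption {
              type = str;
              readOnly = true;
              description = "SHA-256 fingerprint as colon-separated uppercase hex bytes (openssl's own format).";
            };
          };
          fullchain = mkOption {
            type = path;
            readOnly = true;
            description = "This certificate followed by each issuer's cert+CRL bundle up to the root.";
          };
          issuer = mkOption {
            type = nullOr str;
            readOnly = true;
            description = "Attribute name of the issuing CA in `local.pki.ca`, or null for a root CA.";
          };
          path = mkOption {
            type = str;
            readOnly = true;
            description = "Dotted label `<issuer path>.<name>`; used to name the helper derivations.";
          };
        } // optionalAttrs isLeaf {
          commonName = mkOption {
            type = str;
            readOnly = true;
            description = "Value of the first commonName RDN of the certificate subject.";
          };
        } // optionalAttrs (!isLeaf) {
          crl = mkOption {
            type = path;
            readOnly = true;
            description = "PEM-encoded CRL issued by this CA (fixed in the store until rebuilt).";
          };
          certWithCrl = mkOption {
            type = path;
            readOnly = true;
            description = "Concatenation of `cert` and `crl`.";
          };
          leaves = mkOption {
            type = certsType name;
            readOnly = true;
            description = "Certificates issued by this CA.";
          };
        };

        config = {
          # Root CAs have no issuer; everything else is prefixed with the
          # issuer's own dotted path.
          path = optionalString hasIssuer (issuerCfg.path + ".") + name;

          fingerprint = {
            sha1-lower = certInfo {
              certPath = config.path;
              field = "fprint-sha1-lower";
              script = ''
                ${openssl} x509 -in ${config.cert} -noout -sha1 -fingerprint \
                  | sed 's/^.*=//' \
                  | tr -d $':\n' \
                  | tr 'A-Z' 'a-z' \
                  >$out
              '';
            };
            sha256-bytes-upper = certInfo {
              certPath = config.path;
              field = "fprint-sha256-bytes-upper";
              script = ''
                ${openssl} x509 -in ${config.cert} -noout -sha256 -fingerprint \
                  | sed 's/^.*=//' \
                  | tr -d $'\n' \
                  >$out
              '';
            };
          };

          fullchain = pkgs.writeText "${name}-fullchain-crl.pem" (concatStrings
            (map readFile
              (singleton ownChainPart ++ optional hasIssuer issuerCfg.fullchain)));
        } // optionalAttrs isLeaf {
          issuer = leafOf;
          # Take only the first commonName RDN and strip exactly the attribute
          # prefix. The previous `grep commonName | sed 's/^.*=//'` also matched
          # other RDNs whose value contains "commonName", glued several CNs
          # together, and cut at the LAST '=' so a CN containing '=' lost
          # everything before it (`-nameopt multiline` does not escape '=').
          # awk exits non-zero when no CN is present so the build fails loudly
          # instead of yielding an empty name.
          commonName = certInfo {
            certPath = config.path;
            field = "common-name";
            script = ''
              ${openssl} x509 -in ${config.cert} -noout -subject -nameopt multiline \
                | awk '
                    /^[[:space:]]*commonName[[:space:]]*=/ && !found {
                      sub(/^[^=]*=[[:space:]]*/, "")
                      printf "%s", $0
                      found = 1
                    }
                    END { exit !found }
                  ' \
                >$out
            '';
          };
        } // optionalAttrs (!isLeaf) {
          certWithCrl = pkgs.writeText "${name}-cert-crl.pem"
            (concatStrings (map readFile [ config.cert config.crl ]));
        };
      }));
in {
  options.local.pki.ca = mkOption {
    type = certsType null;
    readOnly = true;
    description = "Certificate authorities keyed by name; `cert`, `crl`, `issuer` and `leaves` are supplied by another module.";
  };
}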