{ config, lib, pkgs, ... }:
let
  inherit (lib) attrValues concatLines filterAttrs getExe mapAttrsToList mkEnableOption mkIf readFile;

  cfg = config.local.jobs.pkiExpiry;
  pki = config.local.pki;

  # Store derivation holding symlinks to the PKI's public material, laid out as
  #   ca/<ca.path>, crl/<ca.path> and cert/<path>.
  # Everything interpolated here ends up in the world-readable Nix store, so
  # only the `cert` / `crl` attributes are referenced; no key attribute is used.
  # NOTE(review): `ln -s` targets `$out/<dir>/<path>` while only the three
  # top-level dirs are created, so a `path` containing '/' would fail the
  # build — confirm the shape of `pki.ca.*.path` and the `pki.byPath` keys.
  pkiPublic =
    let
      caEntries = attrValues pki.ca;
      # Entries of byPath without a `leaves` attribute — presumably the leaf
      # certificates rather than CAs; verify against the local.pki options.
      leafEntries = filterAttrs (_: obj: !(obj ? leaves)) pki.byPath;
      lines =
        [ "mkdir -p $out/{ca,cert,crl}" ]
        ++ map (ca: "ln -s ${ca.cert} $out/ca/${ca.path}") caEntries
        ++ map (ca: "ln -s ${ca.crl} $out/crl/${ca.path}") caEntries
        ++ mapAttrsToList (name: leaf: "ln -s ${leaf.cert} $out/cert/${name}") leafEntries;
    in
    pkgs.runCommandNoCCLocal "pki-public" { } (concatLines lines);

  # The checker itself. writeShellApplication shellchecks the script and runs
  # it with errexit/nounset/pipefail; diffutils and openssl are prepended to
  # its PATH.
  checker = pkgs.writeShellApplication {
    name = "pki-expiry";
    text = readFile ./pki-expiry.sh;
    runtimeInputs = [ pkgs.diffutils pkgs.openssl ];
  };
in
{
  options.local.jobs.pkiExpiry.enable = mkEnableOption "PKI expiration reminder";

  config = mkIf cfg.enable {
    systemd.services.pki-expiry = {
      # Ordered after postfix, presumably so the reminder mail can be handed
      # off; /run/wrappers puts the NixOS setuid wrappers (e.g. sendmail) on PATH.
      after = [ "postfix.service" ];
      path = [ "/run/wrappers" ];
      # Read-only tree of public material the script inspects.
      environment.PKI_PUBLIC = "${pkiPublic}";
      serviceConfig = {
        Type = "oneshot";
        # State kept between runs; StateDirectory creates /var/lib/pki-expiry.
        StateDirectory = "pki-expiry";
        WorkingDirectory = "/var/lib/pki-expiry";
        ExecStart = getExe checker;
        # NOTE(review): no User/DynamicUser and no sandboxing directives, so the
        # unit runs as root with full filesystem access; how far it can be
        # confined depends on what pki-expiry.sh needs (reading the store,
        # writing its state dir, invoking the mail wrapper).
      };
    };

    systemd.timers.pki-expiry = {
      wantedBy = [ "timers.target" ];
      # Monotonic schedule: 10 min after boot, then 3 days after each run
      # becomes inactive.
      timerConfig = {
        OnStartupSec = "10m";
        OnUnitInactiveSec = "3d";
      };
    };
  };
}