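{ config, lib, pkgs, ... }:
let
  # Explicit imports instead of `with lib;` so it is clear which names are
  # library functions and nothing from lib can shadow a local binding.
  inherit (lib) mkOption types concatStrings optional;
  inherit (builtins) readFile;

  cfg = config.local.pki.ca;

  # One entry per CA: its public certificate, its CRL and (optionally) the
  # name of the CA that issued it. `fullchain` is derived from these three.
  caModule = { config, name, ... }: {
    options = {
      cert = mkOption {
        type = types.path;
        readOnly = true;
        description = "PEM-encoded public certificate of this CA.";
      };
      crl = mkOption {
        type = types.path;
        readOnly = true;
        description = "PEM-encoded certificate revocation list issued by this CA.";
      };
      fullchain = mkOption {
        type = types.path;
        readOnly = true;
        description = ''
          Store path of a PEM bundle containing, in order, this CA's
          certificate, its CRL and the issuer's own bundle (recursively, up to
          the CA whose `issuer` is null). The files are read at evaluation
          time, so the embedded CRLs are only as current as the last rebuild.
        '';
      };
      issuer = mkOption {
        type = types.nullOr types.str;
        readOnly = true;
        description = ''
          Name of the issuing CA in `local.pki.ca`, or null when the chain
          terminates at this CA.
        '';
      };
    };

    # cert + CRL first, then the issuer's bundle so the chain is walked
    # leaf-to-root. `cfg.${issuer}` fails evaluation (missing attribute) if
    # the issuer name is not itself a configured CA.
    config.fullchain = pkgs.writeText "${name}-fullchain-crl.pem" (concatStrings (map readFile (
      [ config.cert config.crl ]
      ++ optional (config.issuer != null) cfg.${config.issuer}.fullchain
    )));
  };
in
{
  options.local.pki.ca = mkOption {
    readOnly = true;
    type = types.attrsOf (types.submodule caModule);
    description = ''
      Local certificate authorities. Each entry names the public certificate
      and CRL files (configured here under ./public) and its issuing CA.
    '';
  };

  # Only public material is referenced here; `fullchain` for each CA is
  # computed by the submodule above.
  config.local.pki.ca = {
    mail = { crl = ./public/mail-crl.pem; cert = ./public/mail-ca.pem; issuer = "root"; };
    root = { crl = ./public/root-crl.pem; cert = ./public/root-ca.pem; issuer = null; };
  };
}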