{ config, lib, pkg, ... }:
with lib;
let
  cfg = config.services.certificate-updater;
in
{
  options.services.certificate-updater = {
    enable = mkEnableOption "certificate-updater";

    role = mkOption {
      description = "Vault role to create certificate for";
      type = types.str;
    };

    commonName = mkOption {
      description = "Common name to create the certificate for";
      type = types.str;
    };

    ipAddress = mkOption {
      description = "IP Address to include in SAN";
      type = types.str;
    };

    outputDirectory = mkOption {
      description = "Directory to write certificates out to";
      type = types.path;
    };

    mount = mkOption {
      description = "Mount point of the CA to create certificate from";
      type = types.str;
    };

    environmentFile = mkOption {
      description = "Path to environment file containing VAULT_TOKEN";
      type = types.path;
    };

    group = mkOption {
      description = "Group to write files as";
      type = types.str;
    };

    host = mkOption {
      default = "http://vault.home";
      description = "URL to access Vault";
      type = types.str;
    };
  };

  config = mkIf cfg.enable {
    systemd.timers.certificate-updater = {
      enable = true;
      wantedBy = [ "timers.target" ];
      after = [ "network-online.target" ];
      timerConfig = {
        OnBootSec = "0s";
        OnCalendar = "*:0/5";
        RandomizedDelaySec = "120";
        Unit = "certificate-updater.service";
      };
    };

    systemd.services.certificate-updater = {
      serviceConfig = {
        Type = "oneshot";
        EnvironmentFile = "${cfg.environmentFile}";
        ExecStart = "${pkg}/bin/certificate-updater -r \"${cfg.role}\" -c \"${cfg.commonName}\" -i \"${cfg.ipAddress}\" -o \"${cfg.outputDirectory}\" -u \"${cfg.host}\" -m \"${cfg.mount}\"";
        Group = cfg.group;
      };
    };
  };
}