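# Lab CA for the hpc modules: builds a self-signed CA with minica, adds its
# certificate to the system trust store, and exposes `mkCert` to the other
# modules so they can mint per-domain leaf certificates signed by that CA.
#
# Security note: every derivation output below lands in the Nix store.  The
# store is world-readable and normalises file modes, so `ca.key.pem` and each
# leaf `key.pem` end up readable by any local user regardless of what minica
# set on them.  That is tolerable for a throwaway lab CA only; anything that
# must keep its keys private should generate them on the host (outside the
# store) and only pass the certificate through here.
{ pkgs, lib, config, ... }:

with lib;

let
  # CA key and certificate.  minica creates a fresh CA when the -ca-key /
  # -ca-cert files do not exist yet; the leaf it also emits for
  # "ca.<domain>" is simply not installed.
  ca = pkgs.stdenv.mkDerivation {
    name = "hpc-ca";
    nativeBuildInputs = [ pkgs.minica ];
    phases = [ "buildPhase" "installPhase" ];
    buildPhase = ''
      minica \
        -ca-key ca.key.pem \
        -ca-cert ca.cert.pem \
        -domains "ca.${config.networking.domain}"
    '';
    installPhase = ''
      mkdir -p $out
      mv ca.key.pem $out/
      mv ca.cert.pem $out/
    '';
  };

  # Certificate-only copy of the CA, so the trust-store entry below references
  # a store path that does not also carry the private key.
  ca-cert = pkgs.runCommandNoCCLocal "hpc-ca.cert" { } ''
    cp "${ca}/ca.cert.pem" $out
  '';

  # mkCert :: string -> derivation
  # Leaf certificate for `domain`, signed by `ca`.  The output holds key.pem,
  # cert.pem and ca.pem (a symlink to the CA certificate).
  mkCert = domain: pkgs.stdenv.mkDerivation {
    # Store path names may only contain [A-Za-z0-9+-._?=]; Nix rejects a ':'
    # in a derivation name ("invalid character ':' in name"), so the domain is
    # joined with '-' instead of the original ':'.
    name = "hpc-ca-${domain}";
    nativeBuildInputs = [ pkgs.minica ];
    phases = [ "buildPhase" "installPhase" ];
    buildPhase = ''
      minica \
        -ca-key "${ca}/ca.key.pem" \
        -ca-cert "${ca}/ca.cert.pem" \
        -domains "${domain}"
    '';
    # minica writes the leaf into a directory named after the first domain.
    # NOTE(review): wildcard names are written under a different directory
    # name by minica — confirm before passing one through mkCert.
    installPhase = ''
      mkdir -p $out
      mv "${domain}/key.pem" $out/
      mv "${domain}/cert.pem" $out/
      ln -s "${ca}/ca.cert.pem" $out/ca.pem
    '';
  };
in
{
  # Trust the CA certificate system-wide (certificate only, see ca-cert).
  security.pki.certificateFiles = [ ca-cert ];

  # Make mkCert available as a module argument to the other hpc modules.
  _module.args = { inherit mkCert; };
}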