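# NixOS module: hands nginx a TLS certificate + private key that are
# delivered through sops-nix, and makes every nginx virtual host use
# them by default (a host can still override sslCertificate*).
{ config, lib, ... }:

let
  cfg = config.custom.services.certStoreClient;

  # Both secrets live in the same encrypted file and have identical
  # ownership/restart settings, so describe that once.
  #
  # owner/group are the nginx service identity so the worker can read the
  # files; sops-nix's file mode is left at its default, which is expected to
  # keep the key readable by the owner only — confirm against the sops-nix
  # version in use.  `group` deliberately uses services.nginx.group (not
  # .user): the two defaults happen to coincide, but a renamed group would
  # otherwise make the chown fail at activation.
  certSecret = {
    sopsFile = ../../../secrets/cert.yaml;
    restartUnits = [ "nginx.service" ];
    owner = config.services.nginx.user;
    group = config.services.nginx.group;
  };
in
{
  options = {
    custom.services.certStoreClient.enable =
      lib.mkEnableOption "serving nginx virtual hosts with the sops-managed certificate";

    # Re-declare virtualHosts with a submodule type so the module system
    # merges our per-host defaults into every host; mkDefault keeps any
    # explicitly configured certificate paths winning.
    services.nginx.virtualHosts = lib.mkOption {
      type = lib.types.attrsOf (
        lib.types.submodule {
          # `config` here is the outer module's config (the submodule is an
          # attrset, not a function), so these resolve to the sops paths below.
          config = lib.mkIf cfg.enable (
            lib.mkDefault {
              sslCertificate = config.sops.secrets.cert-fullchain.path;
              sslCertificateKey = config.sops.secrets.cert-key.path;
            }
          );
        }
      );
    };
  };

  config = lib.mkIf cfg.enable {
    sops.secrets = {
      cert-fullchain = certSecret;
      cert-key = certSecret;
    };
  };
}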