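{ config, lib, ... }:
let
  inherit (lib) tf mkOption mkEnableOption types mkIf;

  parentConf = config.infra.pki;
  cfg = config.infra.pki.ica1;

  # Time units for lease TTLs (Vault expects seconds).
  hour_in_secs = 1 * 60 * 60;
  year_in_secs = 365 * 24 * hour_in_secs;
in
{
  options.infra.pki.ica1 = {
    enable = mkEnableOption "provision an ICA1";

    resourceId = mkOption {
      type = types.str;
      default = "${parentConf.org.id}_v${toString cfg.version}_ica1_v${toString cfg.certVersion}";
      readOnly = true;
      description = ''
        Terraform resource name shared by the ICA1 mount, its certificate
        request and the signed-certificate import. Derived from the org id,
        `version` and `certVersion`, so bumping either addresses a new set of
        resources instead of mutating the existing ones.
      '';
    };

    version = mkOption {
      type = types.int;
      default = 1;
      description = "Version number for the ICA1 chain";
    };

    certVersion = mkOption {
      type = types.int;
      default = 1;
      description = "Version number for the ICA1 chain's certificate";
    };

    signedCert = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = ''
        Path towards the signed certificate by the offline authority.
        This is not a secret and can be safely stored in the Nix store, you
        still need the private key to do anything with this certificate.
      '';
    };
  };

  config = mkIf cfg.enable {
    # PKI secrets engine that hosts this intermediate CA.
    resource.vault_mount."${cfg.resourceId}" = {
      inherit (parentConf) provider;
      path = "${parentConf.org.id}/v${toString cfg.version}/ica1/v${toString cfg.certVersion}";
      type = "pki";
      description = "PKI engine hosting v${toString cfg.version} intermediate CA1 v${toString cfg.certVersion} for ${parentConf.org.displayName}";
      # Leases issued from this mount default to 1 hour and are capped at 3 years.
      default_lease_ttl_seconds = 1 * hour_in_secs;
      max_lease_ttl_seconds = 3 * year_in_secs;
    };

    # CSR for the intermediate. `type = "internal"` keeps the private key
    # inside Vault; only the CSR is taken to the offline authority.
    resource.vault_pki_secret_backend_intermediate_cert_request."${cfg.resourceId}" = {
      inherit (parentConf) provider;
      depends_on = [ "vault_mount.${cfg.resourceId}" ];
      backend = tf.ref "vault_mount.${cfg.resourceId}.path";
      type = "internal";
      # The CN previously carried a trailing space. A DN with a stray space is
      # a different subject and can break issuer/subject matching when
      # building chains, so it is stripped here.
      # NOTE(review): changing common_name on an already-applied request
      # presumably replaces the resource (and its key); roll an existing
      # deployment by bumping certVersion rather than editing the CN in place.
      common_name = "Intermediate CA1 v${toString cfg.certVersion}";
      key_type = "ed25519";
      inherit (parentConf.org) ou organization country locality province;
    };

    # Only possible once the CSR has been signed by the offline authority
    # and the result has been made available through `signedCert`.
    resource.vault_pki_secret_backend_intermediate_set_signed."${cfg.resourceId}_signed_cert" = mkIf (cfg.signedCert != null) {
      inherit (parentConf) provider;
      depends_on = [ "vault_mount.${cfg.resourceId}" ];
      backend = tf.ref "vault_mount.${cfg.resourceId}.path";
      # The certificate is public material; embedding it in the plan is fine.
      certificate = builtins.readFile cfg.signedCert;
    };
  };
}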