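{ config, lib, self, ... }:
let
  cfg = config.nodeiwest;

  # Single source of truth for the CA key file. sshd's TrustedUserCAKeys
  # directive needs the absolute path, environment.etc keys are relative to
  # /etc; deriving one from the other keeps the two from drifting apart.
  trustedUserCAKeysEtcName = "ssh/trusted-user-ca-keys.pem";
  trustedUserCAKeysPath = "/etc/${trustedUserCAKeysEtcName}";

  # Certificate authentication is only wired up when at least one CA key is
  # configured, so both the sshd directive and the key file share this guard.
  sshUserCAEnabled = cfg.ssh.userCAPublicKeys != [ ];
in
{
  imports = [ ./tailscale-init.nix ];

  options.nodeiwest = {
    openbao.address = lib.mkOption {
      type = lib.types.str;
      default = "https://secrets.api.nodeiwest.se";
      description = "Remote OpenBao address that hosts should use as clients.";
      example = "https://secrets.api.nodeiwest.se";
    };

    homeManagerUsers = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ "root" "deploy" ];
      description = "Users that should receive the shared Home Manager company profile.";
      example = [ "root" "deploy" ];
    };

    ssh.userCAPublicKeys = lib.mkOption {
      # singleLineStr rejects embedded newlines, so one malformed entry cannot
      # inject additional lines into the CA key file written below.
      type = lib.types.listOf lib.types.singleLineStr;
      default = [ ];
      description = "OpenBao SSH user CA public keys trusted by sshd for user certificate authentication.";
      example = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBExampleOpenBaoUserCA openbao-user-ca" ];
    };
  };

  config = {
    # 22 for sshd, 80/443 for the Traefik entry points declared below.
    networking.firewall.allowedTCPPorts = [ 22 80 443 ];

    services.openssh = {
      enable = true;
      settings = {
        # Key- or certificate-based authentication only; no passwords.
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
        PubkeyAuthentication = true;
        PermitRootLogin = "prohibit-password";
      } // lib.optionalAttrs sshUserCAEnabled {
        # No AuthorizedPrincipalsFile is set, so sshd only accepts a CA-signed
        # certificate whose principals include the login user name.
        TrustedUserCAKeys = trustedUserCAKeysPath;
      };
    };

    users.groups.deploy = { };
    users.users.deploy = {
      isNormalUser = true;
      group = "deploy";
      createHome = true;
      # No password or authorized keys are declared here; the account is
      # reached via the SSH user CA or keys configured elsewhere.
      extraGroups = [ "wheel" ];
    };

    services.traefik = {
      enable = true;
      staticConfigOptions = {
        # api.insecure is not set here, so the dashboard needs an explicit
        # router (in dynamicConfigOptions) to be reachable at all.
        api.dashboard = true;
        entryPoints.web.address = ":80";
        entryPoints.websecure.address = ":443";
        ping = { };
      };
      # Empty merge point; other modules contribute routers/services here.
      dynamicConfigOptions = lib.mkMerge [ ];
    };

    home-manager = {
      useGlobalPkgs = true;
      useUserPackages = true;
      users = lib.genAttrs cfg.homeManagerUsers (_: {
        imports = [ self.homeManagerModules.default ];
        home.stateVersion = config.system.stateVersion;
      });
    };

    # One CA public key per line, newline-terminated, at the path sshd reads.
    environment.etc = lib.mkIf sshUserCAEnabled {
      ${trustedUserCAKeysEtcName}.text =
        lib.concatStringsSep "\n" cfg.ssh.userCAPublicKeys + "\n";
    };

    environment.variables = {
      BAO_ADDR = cfg.openbao.address;
    };
  };
}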