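{
  lib,
  pkgs,
  config,
  ...
}:
let
  inherit (lib) mkOption types;
  inherit (pkgs) liminix;
in
{
  options = {
    system.service.tls-certificate = {
      certifix-client = mkOption {
        description = "Client service that submits a certificate signing request (CSR) to a Certifix server and receives the signed TLS certificate";
        type = liminix.lib.types.serviceDefn;
      };
    };
  };
  config.system.service.tls-certificate.certifix-client =
    config.system.callService ./certifix-client.nix
      {
        # caCertificate and secret are probably read from files on the
        # build machine, but they are not named with a ...File suffix
        # because they are not files on the device: their contents get
        # embedded into the store, which is readable by anyone who can
        # read the store on the build machine or on the device.
        caCertificate = mkOption {
          description = "CA certificate in PEM format. This must be the same CA as that which signed the certificate of the Certifix server";
          type = types.str;
        };
        secret = mkOption {
          description = "The shared secret to embed in the signing request. This must match the secret configured in the Certifix service, otherwise it will refuse to sign the CSR. Note that the value is embedded in the Nix store, where it is readable by anyone with access to the store on the build machine or the device.";
          type = types.str;
        };
        subject = mkOption {
          description = "Subject of the certificate request, as an X509 DN. The CN ('Common Name') you provide here is also used as the value of the SubjectAlternativeName extension.";
          type = types.str;
          example = "C=GB,ST=London,O=Liminix,OU=IT,CN=myhostname";
        };
        serviceUrl = mkOption {
          description = "Certifix server endpoint URL";
          type = types.str;
          example = "https://certifix.lan:19613/sign";
        };
      };

}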