{ system, self, mach-nix, leapseconds, ... }:
let
  pkgs = self.legacyPackages.${system};
in mach-nix.lib.${system}.buildPythonPackage {
  pname = "ca";
  src = pkgs.lib.sourceByRegex ./. ["^setup\.py$" "^ca(/[^/]+.*)?$"];
  version = "0.0.0";
  ignoreDataOutdated = true;

  requirements = ''
    cryptography >=38.0.0
    fqdn
    atomicwrites
    leapseconddata
    xkcdpass
  '';

  _.cryptography.buildInputs = with pkgs; [ openssl ];

  postInstall = ''
    wrapProgram $out/bin/ca \
      --set-default LEAPSECONDS_FILE ${leapseconds} \
      --prefix PATH : ${pkgs.lib.makeBinPath (with pkgs; [sops])}
  '';
}