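# NixOS module: basic YubiKey support.
#
# When enabled it installs the YubiKey personalization tools together with
# their udev rules, adds a stable /dev/yubikey symlink plus a systemd device
# unit for the key, and lets gpg-agent take over the SSH agent role so keys
# held on the YubiKey can be used for SSH.
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.programs.yubikey;
in
{
  options.programs.yubikey = {
    enable = mkEnableOption "Yubikey";
  };

  config = mkIf cfg.enable {
    environment.systemPackages = [ pkgs.yubikey-personalization ];

    services.udev = {
      # Pull in the udev rules shipped with the personalization tools.
      packages = [ pkgs.yubikey-personalization ];

      # ATTRS{...} matches the device or any of its parents, so with no
      # SUBSYSTEM/KERNEL match this rule applies to every node under the key
      # (USB device node, hidraw nodes, ...) -- TODO confirm that is intended.
      #
      # SYMLINK+= appends to the device's symlink list; a plain SYMLINK=
      # would discard any symlink another rule (e.g. the packaged ones above)
      # has already assigned to the same node.
      extraRules = ''
        # Yubikey: create a symlink when key is plugged in, register this in systemd
        ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0401|0403|0405|0407|0410", TAG+="systemd", SYMLINK+="yubikey"
      '';
    };

    # Smart-card daemon, left disabled here.
    # services.pcscd.enable = true;

    # gpg-agent provides the SSH agent (enableSSHSupport below), so the plain
    # ssh-agent must not be started alongside it.
    programs.ssh.startAgent = false;

    programs.gnupg.agent = {
      # Note that this setting alone doesn't help with the pinentry bug. The
      # pinentry is passed on the agent's command line (`--pinentry-program`),
      # but this is overridden when the first SIGHUP comes along and the
      # config is read. At that point gnupg forces the original pinentry,
      # which no longer exists.
      #
      # A hacky fix is to use home-manager to write the pinentry path to
      # ~/.gnupg/gpg-agent.conf
      # pinentryFlavor = "gnome3";
      enable = true;
      enableSSHSupport = true;
      # Also expose the restricted "extra" socket and the browser socket.
      enableExtraSocket = true;
      enableBrowserSocket = true;
    };
  };
}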