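# NixOS module: programs.yubikey
#
# When enabled, installs yubikey-personalization, adds udev rules that expose a
# plugged-in YubiKey to systemd (alias /dev/yubikey) and grant the wheel group
# read/write access to it, and routes SSH authentication through gpg-agent
# instead of ssh-agent.
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.programs.yubikey;
in
{
  options.programs.yubikey = {
    enable = mkEnableOption "Yubikey";
  };

  config = mkIf cfg.enable {
    environment.systemPackages = with pkgs; [ yubikey-personalization ];

    services.udev = {
      # Ships the udev rules bundled with yubikey-personalization.
      packages = with pkgs; [ yubikey-personalization ];

      # Every rule below matches one USB id only (vendor 1050, product 0405);
      # YubiKey models with a different product id are not covered by them.
      # The last rule sets MODE="664" / GROUP="wheel": every wheel member gets
      # read/write access to the matched device node(s). ATTRS{} also matches
      # attributes of a parent device, so child nodes of the USB device may be
      # covered as well — review this if wheel membership is broad.
      # (The original comment on that rule said "plugdev", but the rule itself
      # has always granted the access to "wheel"; the comment is corrected here.)
      extraRules = ''
        # Yubikey: create a symlink when key is plugged in, register this in systemd
        # ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0405", SYMLINK+="yubikey", TAG+="systemd"
        # Yubikey: create a device alias when key is plugged in, register this in systemd
        ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0405", TAG+="systemd", ENV{SYSTEMD_ALIAS}="/dev/yubikey"
        # Yubikey: unregister key when unplugged (bug in systemd/kernel, see https://github.com/systemd/systemd/issues/7587)
        ACTION=="remove", SUBSYSTEM=="usb", ENV{PRODUCT}=="1050/405/*", TAG+="systemd"
        # Yubikey: grant read/write access to group wheel
        ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0405", \
          MODE="664", GROUP="wheel"
      '';
    };

    # services.pcscd.enable = true;

    # The stock ssh-agent is disabled; SSH authentication is expected to go
    # through gpg-agent's SSH support (enableSSHSupport below) instead.
    programs.ssh.startAgent = false;

    programs.gnupg.agent = {
      pinentryFlavor = "gnome3";
      enable = true;
      enableSSHSupport = true;
      # Additional agent sockets. Each one is another path to the agent's keys,
      # so keep only those an actual client (forwarding, browser extension) needs.
      enableExtraSocket = true;
      enableBrowserSocket = true;
    };
  };
}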