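# YubiKey-backed SSH via GnuPG on NixOS.
#
# Exposes the YubiKey to the user session (pcscd + udev rules) and replaces
# the OpenSSH agent with gpg-agent's SSH support, so SSH private keys stay on
# the token and every signature goes through scdaemon/pinentry.
{ config, lib, pkgs, ... }:

let
  # Tooling for the YubiKey plus the GnuPG stack that serves as the SSH agent.
  # The same list is installed system-wide and handed to udev so the packages'
  # device rules (non-root USB access to the token) are applied.
  yubikey-pkgs = with pkgs; [
    ccid
    libu2f-host # NOTE(review): reportedly deprecated in nixpkgs in favour of libfido2/pam_u2f — confirm it still evaluates on your channel
    libusb
    rng_tools
    yubikey-manager
    yubikey-personalization
    gnupg
    pinentry
  ];
in
{
  # Smart-card daemon so ykman/scdaemon can reach the token over USB.
  # NOTE(review): scdaemon defaults to its own built-in CCID driver and can
  # contend with pcscd for the device; if `gpg --card-status` reports no card,
  # `disable-ccid` in scdaemon.conf is the usual remedy — verify on the host.
  services.pcscd.enable = true;
  services.udev.packages = yubikey-pkgs;

  # Do not start ssh-agent: gpg-agent (below) owns SSH_AUTH_SOCK, and running
  # both would leave two agents racing for the same environment variable.
  programs.ssh.startAgent = false;

  # Per-user gpg-agent acting as the SSH agent.
  systemd.user.services.gpg-agent = {
    path = [ pkgs.gnupg ];
    description = "SSH Agent";
    wantedBy = [ "default.target" ];
    serviceConfig = {
      # systemd takes exactly one command per ExecStartPre= directive. A
      # newline-separated string would be rendered into the unit as a second,
      # malformed line, so each pre-start step is its own list element.
      ExecStartPre = [
        # Create %t/gnupg (the private, per-user runtime dir) so the agent's
        # sockets land there instead of under $HOME/.gnupg.
        "${pkgs.gnupg}/bin/gpgconf --create-socketdir"
        # Drop a stale socket left by a previous session; gpg-agent recreates
        # it on start.
        "${pkgs.coreutils}/bin/rm -f %t/gnupg/S.gpg-agent.ssh"
      ];
      ExecStart = "${pkgs.gnupg}/bin/gpg-agent --enable-ssh-support --daemon";
      # --daemon backgrounds the agent, hence a forking service.
      Type = "forking";
      Restart = "on-failure";
    };
  };

  environment = {
    systemPackages = yubikey-pkgs;

    # Without this, the gpg-agent has no way to ask the user for a password
    # when invoked from ssh: the agent only learns which tty/display to use
    # for pinentry from the last shell that ran this command.
    # See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851440
    extraInit = ''
      gpg-connect-agent updatestartuptty /bye
    '';

    variables = {
      # Must match the socket gpg-agent creates (%t/gnupg/S.gpg-agent.ssh
      # above). The leading ''$ escape emits a literal shell ${...};
      # XDG_RUNTIME_DIR is normally set by pam_systemd at login and the
      # /run/user/<uid> fallback covers sessions where it is absent.
      # NOTE(review): the nested quotes around the fallback depend on how
      # NixOS renders environment.variables into set-environment — confirm
      # `echo $SSH_AUTH_SOCK` expands as intended on a fresh login.
      SSH_AUTH_SOCK = ''''${XDG_RUNTIME_DIR:-"/run/user/\$(id -u)"}/gnupg/S.gpg-agent.ssh'';
    };
  };
}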