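# NixOS module for YubiKey use: smartcard daemon, udev rules, GnuPG agent
# (also serving SSH keys) and the related command-line tools.
# Everything under `config` is applied only when `orbekk.yubikey.enable` is set.
{ config, lib, pkgs, ... }:

let
  cfg = config.orbekk.yubikey;

  # Tools installed system-wide when the module is enabled.
  yubikeyPackages = with pkgs; [
    ccid
    libu2f-host
    libusb
    rng-tools
    yubikey-manager
    yubikey-personalization
    gnupg
    pinentry
  ];
in
{
  options.orbekk.yubikey = {
    # mkEnableOption builds the description as "Whether to enable <name>.",
    # so only the feature name is passed (the original text rendered as
    # "Whether to enable Enable yubikey config.").
    enable = lib.mkEnableOption "yubikey config";
  };

  config = lib.mkIf cfg.enable {
    # PC/SC smartcard daemon.
    services.pcscd.enable = true;

    # Install the udev rules shipped by these packages.
    services.udev.packages = with pkgs; [
      libu2f-host
      yubikey-personalization
    ];

    # gpg-agent also answers SSH agent requests, so keys held by GnuPG can be
    # used for SSH authentication.
    programs.gnupg.agent = {
      enable = true;
      enableSSHSupport = true;
    };

    # Use GPG agent instead.
    # mkDefault keeps this overridable from another module.
    programs.ssh.startAgent = lib.mkDefault false;

    environment.systemPackages = yubikeyPackages;

    # Passwordless sudo for `wheel`, limited to one command line: restarting
    # pcscd. The rule names the full store path and the arguments; keep it
    # this narrow. A broader pattern (bare `systemctl`, or a wildcard) would
    # grant unauthenticated root-level service control.
    # NOTE(review): the path comes from pkgs.systemd; if the system runs an
    # overridden systemd package the rule may no longer match the binary
    # users invoke. Confirm against the deployed configuration.
    security.sudo.extraRules = [
      {
        groups = [ "wheel" ];
        commands = [
          {
            command = "${pkgs.systemd}/bin/systemctl restart pcscd";
            options = [ "NOPASSWD" ];
          }
        ];
      }
    ];
  };
}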