{ config, lib, pkgs, ... }:
let
  cfg = config.hive.yubikey;

  # Table of supported pinentry flavours; the enum on the option below is the
  # single source of truth for which keys are valid here.
  pinentryFlavours = {
    qt = {
      package = pkgs.pinentry-qt;
      program = "pinentry-qt";
    };
    gnome3 = {
      package = pkgs.pinentry-gnome3;
      program = "pinentry-gnome3";
    };
  };

  # gpg-agent's SSH socket, once relative to the session runtime dir and once
  # with the systemd `%U` (uid) specifier for the user manager's default env.
  sessionSshSock = "$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh";
  managerSshSock = "/run/user/%U/gnupg/S.gpg-agent.ssh";
in
{
  # Yubikey-backed GnuPG + SSH-agent setup for this home configuration.
  options.hive.yubikey = {
    enable = lib.mkEnableOption "Yubikey support";

    pinentry = lib.mkOption {
      type = lib.types.enum [ "qt" "gnome3" ];
      default = "qt";
      description = "The pinentry flavour to use";
    };

    withCCID = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "Use stand-alone CCID (instead of a running pcscd service)";
    };
  };

  config = lib.mkIf cfg.enable {
    programs.gpg = {
      enable = true;
      # Keyring and trust database are declared here rather than edited in
      # place; the only key installed is the bundled public key, at trust
      # level "ultimate".
      mutableKeys = false;
      mutableTrust = false;
      publicKeys = [
        {
          source = ../../static/keys/my_pub.asc;
          trust = "ultimate";
        }
      ];
      # When stand-alone CCID is off, tell scdaemon not to drive the reader
      # itself (so a pcscd service handles it instead).
      scdaemonSettings = lib.mkIf (!cfg.withCCID) {
        disable-ccid = true;
      };
    };

    services.gpg-agent = {
      enable = true;
      enableSshSupport = true;
      enableZshIntegration = true;
      # Lookup by flavour; `or {}` keeps the original empty fallback, which is
      # unreachable while the option type is the enum above.
      pinentry = pinentryFlavours.${cfg.pinentry} or {};
      # NOTE(review): assumes programs.git.signing.key is set and is a value
      # gpg-agent accepts as an SSH key reference — confirm against the git module.
      sshKeys = [ config.programs.git.signing.key ];
    };

    # Point SSH clients at gpg-agent's SSH socket instead of a separate ssh-agent.
    home.sessionVariables.SSH_AUTH_SOCK = sessionSshSock;
    systemd.user.settings.Manager.DefaultEnvironment.SSH_AUTH_SOCK = managerSshSock;
  };
}