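# Yubikey-backed GnuPG and SSH for this user: a declarative GPG keyring plus
# gpg-agent running as the SSH agent, with SSH_AUTH_SOCK pointed at its socket
# for both interactive shells and systemd user units.
{ config, lib, pkgs, ... }:

let
  cfg = config.hive.yubikey;

  # Pinentry package per supported flavour, keyed by the `pinentry` option's
  # enum values. Both come from the top-level pinentry-* attributes so the two
  # branches are looked up the same way; adding a flavour means one entry here
  # and one in the enum below.
  pinentryPackages = {
    qt = pkgs.pinentry-qt;
    gnome3 = pkgs.pinentry-gnome3;
  };
in
{
  options.hive.yubikey = with lib; {
    enable = mkEnableOption "Yubikey support";

    pinentry = mkOption {
      type = types.enum [ "qt" "gnome3" ];
      default = "qt";
      description = "The pinentry flavour to use";
    };
  };

  config = lib.mkIf cfg.enable {
    programs.gpg = {
      enable = true;
      # Keyring and trust database are declared here rather than edited on the
      # host: the only declared key is the user's own public key, shipped as a
      # static file in the repo and marked ultimately trusted.
      mutableKeys = false;
      mutableTrust = false;
      publicKeys = [
        {
          source = ../../static/keys/my_pub.asc;
          trust = "ultimate";
        }
      ];
    };

    services.gpg-agent = {
      enable = true;
      # gpg-agent also answers SSH requests; the S.gpg-agent.ssh socket
      # referenced below is the one it exposes for that.
      enableSshSupport = true;
      enableZshIntegration = true;
      pinentry.package = pinentryPackages.${cfg.pinentry};
      # gpg-agent option: let a running Emacs serve as the pinentry instead of
      # the graphical flavour chosen above when the request comes from Emacs.
      extraConfig = ''
        allow-emacs-pinentry
      '';
    };

    # The same socket path written twice: shells expand $XDG_RUNTIME_DIR, while
    # systemd user units cannot, so the unit environment uses the %U (uid)
    # specifier instead. Both are expected to resolve to
    # /run/user/<uid>/gnupg/S.gpg-agent.ssh; if the agent's socket lives
    # elsewhere on a host (`gpgconf --list-dirs agent-ssh-socket` prints the
    # real location), both entries need updating together.
    home.sessionVariables = {
      SSH_AUTH_SOCK = "$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh";
    };
    systemd.user.settings.Manager.DefaultEnvironment =
      # mkDefault so a unit-specific or later-module value wins over this one.
      lib.mapAttrs (_: lib.mkDefault) {
        SSH_AUTH_SOCK = "/run/user/%U/gnupg/S.gpg-agent.ssh";
      };
  };
}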