{
  config,
  lib,
  pkgs,
  ...
}: let
  cfg = config.hive.kwallet;
in {
  options.hive.kwallet = {
    enable = lib.mkEnableOption "Enable kwallet";
    forUsers = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [];
      description = ''
        List of users that should unlock kwallet via pam.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    security.pam.services = builtins.listToAttrs (map (user: {
        name = user;
        value = {
          kwallet.enable = true;
          kwallet.forceRun = true;
          kwallet.package = pkgs.kdePackages.kwallet-pam;
        };
      })
      cfg.forUsers);
  };
}