{self, ...}: {
  # System side: make the token usable, run pcscd, and enable gpg-agent with
  # SSH support at the NixOS level.
  flake.nixosModules.yubikey = {pkgs, ...}: {
    # udev rules shipped with yubikey-personalization.
    services.udev.packages = [pkgs.yubikey-personalization];
    environment.systemPackages = [
      pkgs.gnupg
      pkgs.yubikey-personalization
      pkgs.yubioath-flutter
    ];
    # PC/SC daemon. NOTE(review): the home module below defaults to scdaemon's
    # built-in CCID driver (withCCID = true), so with this enabled two drivers
    # may contend for the same token; confirm which access path is intended.
    services.pcscd.enable = true;
    programs.gnupg.agent = {
      enable = true;
      enableSSHSupport = true;
    };
  };

  # User side (home-manager): declarative GnuPG keyring, gpg-agent acting as
  # the SSH agent, and the pinentry flavour.
  flake.homeModules.yubikey = {
    config,
    lib,
    pkgs,
    ...
  }: let
    cfg = config.hive.yubikey;
    # pinentry option value -> gpg-agent pinentry settings.
    pinentryFor = {
      gnome3 = {
        package = pkgs.pinentry-gnome3;
        program = "pinentry-gnome3";
      };
      qt = {
        package = pkgs.pinentry-qt;
        program = "pinentry-qt";
      };
    };
  in {
    options.hive.yubikey = {
      pinentry = lib.mkOption {
        type = lib.types.enum ["qt" "gnome3"];
        default = "qt";
        description = "The pinentry flavour to use";
      };
      withCCID = lib.mkOption {
        type = lib.types.bool;
        default = true;
        description = "Use stand-alone CCID (instead of a running pcscd service)";
      };
    };

    config = {
      programs.gpg = {
        enable = true;
        # Keyring and trustdb are kept declarative: the only key listed is the
        # one below, with ultimate trust, sourced from the flake itself.
        mutableKeys = false;
        mutableTrust = false;
        publicKeys = [
          {
            source = self + /static/keys/my_pub.asc;
            trust = "ultimate";
          }
        ];
        # Only set when the pcscd path is chosen; otherwise scdaemon keeps its
        # internal CCID driver.
        scdaemonSettings = lib.mkIf (!cfg.withCCID) {disable-ccid = true;};
      };

      services.gpg-agent = {
        enable = true;
        enableSshSupport = true;
        enableZshIntegration = true;
        # The enum type on the option means the `or {}` fallback is unreachable.
        pinentry = pinentryFor.${cfg.pinentry} or {};
        # NOTE(review): this reuses programs.git.signing.key as the SSH key
        # entry; gpg-agent's sshKeys is presumably keyed by keygrip, so confirm
        # that signing.key holds a keygrip (not a fingerprint/key ID) and that
        # it is actually set for every host using this module.
        sshKeys = [config.programs.git.signing.key];
      };

      # Point SSH clients at the agent's SSH socket, for login shells and for
      # user systemd services alike (%U is systemd's UID specifier).
      home.sessionVariables.SSH_AUTH_SOCK = "$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh";
      systemd.user.settings.Manager.DefaultEnvironment.SSH_AUTH_SOCK = "/run/user/%U/gnupg/S.gpg-agent.ssh";
    };
  };
}