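# References:
# * https://github.com/drduh/YubiKey-Guide
# * https://nixos.wiki/wiki/Yubikey
#
# NixOS module for using a YubiKey as a GnuPG smartcard on this host:
# enables the smartcard daemon (pcscd), installs the udev rules, and ships a
# small helper script that makes gpg forget its cached card key stubs so a
# different/new key on the card gets picked up. gpg-agent, SSH-agent and
# PAM-U2F configuration are deliberately left to home-manager (see the
# commented-out sections at the bottom).
{ config, pkgs, lib, ... }:
with lib;
{
  options.components.yubikey.enable = lib.mkOption {
    type = lib.types.bool;
    default = true;
    description = "Enable YubiKey (GnuPG smartcard) support: pcscd, udev rules and the gpg-reset-yubikey-id helper.";
  };

  # todo: move this to the home-manager config
  config = mkIf config.components.yubikey.enable {
    # Smartcard daemon; required for gpg to reach the card (see references above).
    services.pcscd.enable = true;

    services.udev.packages = [
      pkgs.yubikey-personalization
      # additional services, but I just want gpg
      # pkgs.libu2f-host
    ];

    environment.systemPackages = [
      # for `gpg --export $keyid | hokey lint` to check keys
      #pkgs.haskellPackages.hopenpgp-tools

      # for otp keys (but I use pass otp)
      # pkgs.yubioath-desktop

      # Helper for switching between cards: per the referenced guide, gpg keeps
      # per-card key stubs under private-keys-v1.d and keeps asking for the
      # previously seen card until those stubs are removed and the card is
      # re-read.
      #
      # Note: the rm below removes *every* file under private-keys-v1.d, not
      # only card stubs. In a card-only setup that directory holds stubs only;
      # if software-only private keys live in this GnuPG home they are deleted
      # as well, so check before running.
      (pkgs.writers.writeDashBin "gpg-reset-yubikey-id" ''
        echo "reset gpg to make new key available"
        set -x
        set -e
        # killall exits non-zero when no gpg-agent is running, which under
        # `set -e` would abort the script before the card is re-read.
        ${pkgs.psmisc}/bin/killall gpg-agent || true
        # -f: a missing directory (fresh GnuPG home) must not abort under `set -e`.
        rm -rf ~/.gnupg/private-keys-v1.d/
        # Re-read the card so gpg can learn the keys on the inserted card.
        ${pkgs.gnupg}/bin/gpg --card-status
        echo "now the new key should work"
      '')
    ];

    ## managed by home-manager now
    #environment.shellInit = ''
    #  export GPG_TTY="$(tty)"
    #  gpg-connect-agent /bye
    #  export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
    #'';
    #programs = {
    #  ssh.startAgent = false;
    #  gnupg.agent = {
    #    enable = true;
    #    enableSSHSupport = true;
    #  };
    #};

    ## managed by home-manager now
    #security.pam.u2f.enable = true;
    #security.pam.u2f.authFile = toString config.sops.secrets.yubikey_u2fAuthFile.path;
    #sops.secrets.yubikey_u2fAuthFile = { };
  };
}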