# References:
# * https://github.com/drduh/YubiKey-Guide
# * https://nixos.wiki/wiki/Yubikey
{
  config,
  pkgs,
  lib,
  ...
}:
with lib;
{

  # Toggle for the YubiKey component. It gates the whole `config` block of
  # this module.
  # NOTE: the default is `true`, so every host that imports this module gets
  # pcscd, the YubiKey udev rules and the tooling below unless it opts out
  # with `components.yubikey.enable = false;`.
  options.components.yubikey.enable = mkOption {
    default = true;
    type = types.bool;
  };

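  # TODO: move this to home-manager.
  # System-level YubiKey support; applied only when
  # `components.yubikey.enable` is true.
  config = mkIf config.components.yubikey.enable {

    # PC/SC daemon, used for smartcard access to the token.
    services.pcscd.enable = true;
    # Install the udev rules shipped with yubikey-personalization.
    services.udev.packages = [ pkgs.yubikey-personalization ];

    environment.systemPackages = [

      pkgs.yubikey-personalization
      pkgs.yubikey-personalization-gui
      pkgs.yubikey-manager
      pkgs.yubikey-manager-qt

      # for `gpg --export $keyid | hokey lint` to check keys
      #pkgs.haskellPackages.hopenpgp-tools

      # for otp keys (but I use pass otp)
      # pkgs.yubioath-desktop

      # Helper to make gpg accept a different YubiKey carrying the same keys.
      #
      # The previous version ran `rm -r ~/.gnupg/private-keys-v1.d/`, which
      # deletes every secret key held on disk in that directory, not only
      # the smartcard stubs. It also ignored $GNUPGHOME, and it aborted
      # under `set -e` whenever no gpg-agent was running, because killall
      # exits non-zero in that case.
      #
      # This version only asks the agent to re-learn the inserted card
      # (`learn --force`, the approach described in the drduh YubiKey guide
      # referenced at the top of this file), so on-disk secret keys stay
      # untouched.
      (pkgs.writers.writeDashBin "gpg-reset-yubikey-id" ''
        echo "reset gpg to make new key available"
        set -x
        set -e
        ${pkgs.gnupg}/bin/gpgconf --kill gpg-agent || true
        ${pkgs.gnupg}/bin/gpg-connect-agent "scd serialno" "learn --force" /bye
        ${pkgs.gnupg}/bin/gpg --card-status
        echo "now the new key should work"
      '')

    ];

  };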
}