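# NixOS module: use a YubiKey as the GPG smartcard (and, through gpg-agent,
# as the SSH key holder) and as a pam_u2f factor for sudo.
#
# References:
# * https://github.com/drduh/YubiKey-Guide
# * https://nixos.wiki/wiki/Yubikey
{ config, pkgs, ... }:

{
  # pcscd is the smartcard daemon scdaemon talks to; without it gpg never
  # sees the card.
  services.pcscd.enable = true;

  services.udev.packages = [
    pkgs.yubikey-personalization
    # additional services, but I just want gpg
    # pkgs.libu2f-host
  ];

  environment.systemPackages = [
    # for `gpg --export $keyid | hokey lint` to check keys
    #pkgs.haskellPackages.hopenpgp-tools
    # for otp keys (but I use pass otp)
    # pkgs.yubioath-desktop

    # Make a *different* YubiKey carrying the same OpenPGP key usable.
    # gpg-agent records the card serial in the per-key stub files under
    # private-keys-v1.d, so stubs pointing at the old card must be dropped
    # before the new card can be learned.
    #
    # CAUTION: private-keys-v1.d holds all of gpg-agent's private key
    # material, not only card stubs.  Any secret key kept on disk instead of
    # on the card is deleted as well -- back up first if unsure.
    (pkgs.writers.writeDashBin "gpg-reset-yubikey-id" ''
      echo "reset gpg to make new key available"
      set -x
      set -e
      # `gpgconf --kill` exits 0 when no agent is running.  `killall` returns
      # 1 in that case and, under `set -e`, aborted the script before the
      # stubs were removed.
      ${pkgs.gnupg}/bin/gpgconf --kill gpg-agent
      # -f: a missing directory (fresh profile) is not an error.
      rm -rf ~/.gnupg/private-keys-v1.d/
      # Re-read the inserted card so fresh stubs are written right away; if
      # no card is plugged in, tell the user what to do instead of failing.
      ${pkgs.gnupg}/bin/gpg --card-status >/dev/null 2>&1 \
        || echo "no card found: insert the YubiKey and run 'gpg --card-status'"
      echo "now the new key should work"
    '')
  ];

  # use gpg for ssh
  # ---------------
  environment.shellInit = ''
    export GPG_TTY="$(tty)"
    # Point pinentry at this shell's tty (a plain `/bye` only makes sure the
    # agent is running).
    gpg-connect-agent updatestartuptty /bye
    # Ask gpg for the socket location rather than hard-coding the
    # /run/user/$UID layout; this follows whatever gpgconf is configured with.
    export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
  '';

  programs = {
    # gpg-agent replaces ssh-agent; both running would compete for
    # SSH_AUTH_SOCK.
    ssh.startAgent = false;
    gnupg.agent = {
      enable = true;
      enableSSHSupport = true;
    };
  };

  # use for pam (sudo)
  # --------------------------
  # NOTE(review): with `control` left at its default, pam_u2f is wired in as
  # `sufficient`, i.e. a touch on the key alone satisfies sudo/login with no
  # password.  Set `security.pam.u2f.control = "required"` if the key is meant
  # as a second factor rather than a replacement -- confirm against the NixOS
  # release in use; option names moved to `security.pam.u2f.settings.*` in
  # newer releases.
  security.pam.u2f.enable = true;
  # Per-user key handles (output of `pamu2fcfg`) come from sops.  The file
  # contains public handles only, but it is authorization data: whoever can
  # edit it can enrol their own key.  sops' default (root:root, 0400) is fine
  # for sudo; a PAM service running in the user's session would need it
  # readable there.
  security.pam.u2f.authFile = toString config.sops.secrets.yubikey_u2fAuthFile.path;
  sops.secrets.yubikey_u2fAuthFile = { };
}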