{ config, lib, pkgs, ... }:
let
  cfg = config.me.gpg;

  # Helper script shipped from ./files. writeScriptBin copies the text as-is,
  # so the shebang is patched afterwards to point at a store path.
  gpgTestWkd =
    (pkgs.writeScriptBin "gpg_test_wkd" (builtins.readFile ./files/gpg_test_wkd.bash))
      .overrideAttrs (old: {
        buildCommand = "${old.buildCommand}\n patchShebangs $out";
      });

  # udev rules for the YubiKey (USB id 1050:0406): the raw USB device and its
  # hidraw node are made readable/writable by the wheel group; the hidraw rule
  # additionally tags the node `uaccess` so the active seat gets an ACL entry.
  yubikeyUdevRules = pkgs.writeTextFile {
    name = "my-rules";
    destination = "/etc/udev/rules.d/50-yubikey.rules";
    text = ''
      ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0406", MODE="660", GROUP="wheel"
      KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0406", TAG+="uaccess", GROUP="wheel", MODE="0660"
    '';
  };
in
{
  imports = [ ];

  options.me.gpg.enable = lib.mkOption {
    type = lib.types.bool;
    default = false;
    example = true;
    description = "Whether we want to install gpg.";
  };

  config = lib.mkIf cfg.enable {
    # Fetch public keys:
    # gpg --locate-external-keys tom@fizz.buzz
    hardware.gpgSmartcards.enable = true;

    services.udev.packages = [
      pkgs.yubikey-personalization
      pkgs.libfido2
      yubikeyUdevRules
    ];

    # PC/SC daemon so scdaemon can talk to the smartcard reader.
    services.pcscd.enable = true;

    # NOTE: see the persistence comment below — the whole ~/.gnupg directory is
    # bind-mounted from /persist, which shadows this installed file.
    me.install.user.talexander.file = {
      ".gnupg/scdaemon.conf" = {
        source = ./files/scdaemon.conf;
      };
    };

    programs.gnupg.agent = {
      enable = true;
      enableSSHSupport = true;
      pinentryPackage = pkgs.pinentry-qt;
      # Also expose the restricted "extra" agent socket (meant for forwarding
      # the agent to remote hosts).
      enableExtraSocket = true;
      # Settings block populates /etc/gnupg/gpg-agent.conf
      # settings = {
      # };
    };

    # Per-file persistence of ~/.gnupg was disabled because it breaks signing
    # git commits: gpg wants to copy pubring.kbx. Unfortunately persisting the
    # full .gnupg directory instead makes the install of scdaemon.conf do
    # nothing, since this mount of the whole directory goes over it.
    #
    # environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
    #   hideMounts = true;
    #   users.talexander = {
    #     files = [
    #       { file = ".gnupg/trustdb.gpg";  parentDirectory = { mode = "u=rwx,g=,o="; }; }
    #       { file = ".gnupg/pubring.kbx";  parentDirectory = { mode = "u=rwx,g=,o="; }; }
    #       { file = ".gnupg/tofu.db";      parentDirectory = { mode = "u=rwx,g=,o="; }; }
    #     ];
    #     directories = [
    #       { directory = ".gnupg/crls.d";            user = "talexander"; group = "talexander"; mode = "0700"; }
    #       { directory = ".gnupg/private-keys-v1.d"; user = "talexander"; group = "talexander"; mode = "0700"; }
    #     ];
    #   };
    # };
    environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
      hideMounts = true;
      users.talexander = {
        directories = [
          {
            directory = ".gnupg";
            user = "talexander";
            group = "talexander";
            mode = "0700";
          }
        ];
      };
    };

    environment.systemPackages = with pkgs; [
      pcsclite
      pcsctools
      glibcLocales
      ccid
      libusb-compat-0_1
      gpgTestWkd
    ];
  };
}