{
  pkgs,
  lib,
  cfg,
  doctrine,
  ...
}: let
  athena = pkgs.${doctrine.prefix}.athena-bccr.${cfg.release};
  inherit (athena) vendor;
in {
  environment = {
    etc =
      {
        "pkcs11/modules/${vendor}".text = ''
          module: ${athena.pkcs11-module}
        '';
      }
      // lib.optionalAttrs (vendor == "athena") {
        "Athena".source = "${athena.card-driver.lib}/etc/Athena";
      }
      // lib.optionalAttrs (vendor == "idopte") {
        "idoss.conf".source = "${athena.card-driver.lib}/etc/idoss.conf";
        "idoss.lic".source = "${athena.card-driver.lib}/etc/idoss.lic";
      };

    systemPackages = [athena.card-driver];
  };

  security = {
    #FIXME: Extremadamente peligroso si BCCR o MICITT caen, investigar política nacional de root CA
    pki.certificateFiles = ["${athena.bccr-cacerts}/root-ca.pem"];

    polkit = {
      enable = lib.mkDefault true;

      extraConfig = ''
        polkit.addRule(function(action, subject) {
            if ((action.id == "org.debian.pcsc-lite.access_pcsc" || action.id == "org.debian.pcsc-lite.access_card") &&
                subject.isInGroup("users")) {
                    return polkit.Result.YES;
            }
        });
      '';
    };
  };

  services = {
    pcscd.enable = true;

    udev.extraRules = ''
      # Athena Smartcard Solutions, Inc. ASEDrive V3CR
      ATTRS{idVendor}=="0dc3", ATTRS{idProduct}=="1004", MODE="660", GROUP="${cfg.group}", TAG+="uaccess"
    '';
  };

  users.groups.${cfg.group} = {};
}