# NixOS module fragment for the Athena (ASE) smartcard stack: installs the
# PKCS#11 driver, trusts the BCCR root CA, opens PC/SC access through polkit
# and sets udev permissions for the ASEDrive reader.
#
# Inputs read here: `doctrine.prefix` (attribute under `pkgs` holding the
# package set), `cfg.release` (which athena-bccr release to use) and
# `cfg.group` (group assigned to the reader's device node).
{
  pkgs,
  lib,
  cfg,
  doctrine,
  ...
}: let
  athenaPkgs = pkgs.${doctrine.prefix}.athena-bccr.${cfg.release};
in {
  # Vendor configuration tree exposed at /etc/Athena.
  environment.etc."Athena".source = "${athenaPkgs.ase-pkcs11}/etc/Athena";

  # Module registration file pointing at the ASE PKCS#11 library.
  # NOTE(review): presumably read by p11-kit, which expects module files to
  # end in `.module` — verify that this file name is actually picked up.
  environment.etc."pkcs11/modules/asep11".text = ''
    module: ${athenaPkgs.libasep11}
  '';

  environment.systemPackages = [athenaPkgs.ase-pkcs11];

  # FIXME (translated from the original note): extremely dangerous if BCCR or
  # MICITT fall; investigate the national root-CA policy.
  # This puts the BCCR root into the system-wide trust bundle, so every
  # consumer of that bundle accepts any certificate chaining to it, not just
  # certificates used for smartcard signatures.
  # NOTE(review): if only signature validation needs this root, scoping the
  # trust to that application would shrink the exposure — confirm the need.
  security.pki.certificateFiles = ["${athenaPkgs.bccr-cacerts}/root-ca.pem"];

  security.polkit.enable = lib.mkDefault true;

  # Grants PC/SC daemon and card access without an authentication prompt to
  # any subject in the "users" group.
  # NOTE(review): this rule hard-codes "users" while the udev rule below uses
  # cfg.group; confirm the wider group is intended here.
  security.polkit.extraConfig = ''
    polkit.addRule(function(action, subject) {
      if ((action.id == "org.debian.pcsc-lite.access_pcsc" ||
           action.id == "org.debian.pcsc-lite.access_card") &&
          subject.isInGroup("users")) {
        return polkit.Result.YES;
      }
    });
  '';

  services.pcscd.enable = true;

  # Device node for USB 0dc3:1004 becomes mode 660, group cfg.group.
  # TAG+="uaccess" is meant to also give the user on the active local seat
  # access, so the device is not limited to cfg.group members.
  # NOTE(review): NixOS writes extraRules to a late rules file (99-local.rules
  # as far as I know), after the file that processes uaccess tags, so the tag
  # may have no effect from here — verify on a running system.
  services.udev.extraRules = ''
    # Athena Smartcard Solutions, Inc. ASEDrive V3CR
    ATTRS{idVendor}=="0dc3", ATTRS{idProduct}=="1004", MODE="660", GROUP="${cfg.group}", TAG+="uaccess"
  '';

  # Make sure the group referenced by the udev rule exists.
  users.groups.${cfg.group} = {};
}