# Module that wires one GnuPG key into gpg, gpg-agent, an e-mail account and
# git commit signing. The option names used below (programs.gpg,
# services.gpg-agent, accounts.email) look like Home Manager options.
{
  config,
  lib,
  pkgs,
  ...
}: let
  inherit (lib) mkEnableOption mkIf mkOption types;

  cfg = config.local.services.gpg;

  # Cache lifetimes below are expressed in seconds.
  hour = 3600;
in {
  options.local.services.gpg = {
    enable = mkEnableOption "gpg settings";

    # Single source of truth for the key used by gpg, mail and git below.
    # NOTE(review): types.str accepts any string, so a mistyped or truncated
    # fingerprint is not rejected at evaluation time.
    defaultKey = mkOption {
      type = types.str;
      description = "fingerprint of default public key to be used in gpg, git, email, etc.";
      example = "7AA277E604A4173916BBB4E91FFAC35E1798174F";
    };
  };

  # Nothing below takes effect unless local.services.gpg.enable is set.
  config = mkIf cfg.enable {
    programs.gpg.enable = true;
    programs.gpg.settings.default-key = cfg.defaultKey;

    services.gpg-agent = {
      enable = true;

      enableBashIntegration = true;
      enableZshIntegration = true;

      # The agent also serves SSH authentication, so the *Ssh TTLs below
      # govern how long SSH keys stay unlocked.
      enableSshSupport = true;

      # Extra agent socket, commonly used for forwarding the agent to remote
      # hosts. NOTE(review): if no forwarding is used, confirm this is needed.
      enableExtraSocket = true;

      # A passphrase stays cached for 3 hours after its last use and for at
      # most 6 hours in total. During that window any process running as this
      # user that can reach the agent can use the key without a prompt, so
      # shorten these values on shared or unattended machines.
      defaultCacheTtl = 3 * hour;
      defaultCacheTtlSsh = 3 * hour;
      maxCacheTtl = 6 * hour;
      maxCacheTtlSsh = 6 * hour;

      # Passphrase prompts are handled by the Emacs pinentry.
      pinentryPackage = pkgs.pinentry-emacs;
    };

    # Outgoing mail for this account is signed and encrypted by default with
    # the same key.
    accounts.email.accounts."fabian@posixlycorrect.com".gpg = {
      key = cfg.defaultKey;
      signByDefault = true;
      encryptByDefault = true;
    };

    # Commits are signed by default with the same key.
    # NOTE(review): programs.git.enable is not set in this module; presumably
    # it is enabled elsewhere.
    programs.git.signing = {
      key = cfg.defaultKey;
      signByDefault = true;
    };
  };
}