# NixOS module: opt-in YubiKey support, enabled via `local.sys.yubikey.enable`.
# Turns on the smart-card daemon and udev rules, registers the ykcs11 PKCS#11
# module, runs gpg-agent with SSH support, and wires pam_u2f into login and sudo.
{
  config,
  lib,
  pkgs,
  ...
}: let
  inherit (lib) mkEnableOption mkIf;

  cfg = config.local.sys.yubikey;

  # Shared object shipped by yubico-piv-tool that exposes the key over PKCS#11.
  ykcs11Library = "${pkgs.yubico-piv-tool}/lib/libykcs11.so";
in {
  options.local.sys.yubikey.enable = mkEnableOption "yubikey settings";

  config = mkIf cfg.enable {
    # PC/SC daemon, used for smart-card access to the token.
    services.pcscd.enable = true;
    # udev rules shipped by the yubikey-personalization package.
    services.udev.packages = [pkgs.yubikey-personalization];

    # PKCS#11 module registration file pointing at the ykcs11 library.
    # NOTE(review): p11-kit documents module config files as ending in
    # `.module`; confirm this unsuffixed name is actually picked up by the
    # consumers on this system.
    environment.etc."pkcs11/modules/ykcs11".text = ''
      module: ${ykcs11Library}
    '';

    # gpg-agent also acts as the SSH agent, so keys held by GnuPG can be
    # offered for SSH authentication.
    programs.gnupg.agent.enable = true;
    programs.gnupg.agent.enableSSHSupport = true;

    # Only the `login` and `sudo` PAM services get the U2F rule here; other
    # services are left as configured elsewhere.
    security.pam.services.login.u2fAuth = true;
    security.pam.services.sudo.u2fAuth = true;

    security.pam.u2f = {
      enable = true;
      # "sufficient" lets a successful U2F check satisfy authentication on its
      # own, so the key is an alternative to the password rather than a second
      # factor. Use "required" if multi-factor login/sudo is the intent.
      control = "sufficient";
      # No key-mapping file is set in this module, so pam_u2f's default
      # per-user mapping presumably applies. With "sufficient", whoever can
      # write that file can grant themselves login/sudo, so confirm its
      # location and permissions (or pin a root-owned file).
      settings = {
        debug = false;
        # Show a prompt asking the user to touch the device.
        cue = true;
      };
    };
  };
}