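# Shared "secrets and privilege" module: polkit/rtkit, YubiKey PAM, sudo/doas,
# gnupg agent (with SSH support) and the optional password-store tooling.
# Everything under `config` is gated on `config.grimmShared.enable`.
{ pkgs, config, lib, ... }:
let
  inherit (config.grimmShared) enable tooling graphical;
  inherit (lib)
    optional
    optionals
    filterAttrs
    mkDefault
    mkForce
    mkIf
    attrNames
    mkEnableOption
    ;

  # Password-store integration is opt-in via `grimmShared.tooling.pass`.
  passEnabled = tooling.enable && tooling.pass;
in
{
  config = mkIf enable {
    security.polkit.enable = true;
    security.rtkit.enable = true;

    # YubiKey via pam_yubico in local challenge-response mode.
    security.pam.yubico = {
      enable = true;
      # NOTE(review): `id` is the Yubico cloud client id; it is only consulted by
      # the online OTP mode, so it presumably has no effect in
      # challenge-response mode — confirm and drop if unused.
      id = [ "26681512" ];
      # debug = true;
      mode = "challenge-response";
      # "sufficient" lets a successful touch satisfy PAM on its own (token-only,
      # single factor).  Hosts that want the key as a *second* factor alongside
      # the password can override this with "required"; mkDefault allows that.
      control = mkDefault "sufficient";
    };

    # security.doas.enable = true;
    security.sudo.enable = true;
    # These doas rules are inert unless `security.doas.enable` is switched on
    # (see the commented line above).  Both `keepEnv` (caller's environment is
    # passed through) and `persist` (authorisation is cached for a while) widen
    # the privilege boundary; keep that in mind if doas is enabled.
    security.doas.extraRules = [
      {
        users = attrNames (filterAttrs (n: v: v.isNormalUser) config.users.users);
        keepEnv = true;
        persist = true;
      }
    ];

    environment.systemPackages =
      (with pkgs; [
        mkpasswd
        gnupg
        libsecret
        vulnix
        agenix
        yubikey-manager
        yubico-pam
        yubikey-personalization
      ])
      ++ (optionals passEnabled [
        pkgs.pass
        # `"$@"` (quoted) forwards every argument intact; the unquoted form
        # re-split arguments containing whitespace before they reached pass.
        (pkgs.writeShellScriptBin "passw" ''pass "$@"'')
      ])
      # The shim only makes sense when doas is actually the sudo replacement.
      ++ (optional config.security.doas.enable pkgs.sudo-doas-shim)
      # Graphical sessions need a polkit authentication agent.
      ++ (optional graphical pkgs.lxqt.lxqt-policykit);

    services.passSecretService.enable = mkIf passEnabled true;

    # NOTE(review): LoginGraceTime = 0 disables sshd's timeout for connections
    # that have not yet authenticated, so they can stay open indefinitely —
    # a resource-exhaustion exposure on an exposed host.  Confirm this is
    # deliberate, and pair it with a MaxStartups limit or connection
    # rate limiting if the daemon is reachable from untrusted networks.
    services.openssh.settings.LoginGraceTime = 0;

    programs.gnupg.agent = {
      settings = {
        # default-cache-ttl = 6000;
      };
      # mkForce: this module decides the pinentry flavour, overriding any other
      # module's choice — Qt for graphical hosts, tty otherwise.
      pinentryPackage = mkForce (if graphical then pkgs.pinentry-qt else pkgs.pinentry-tty);
      enable = true;
      # gpg-agent also acts as the SSH agent, so SSH keys can live on the YubiKey.
      enableSSHSupport = true;
    };

    grimmShared.firefox.plugins = mkIf passEnabled {
      "passff@invicem.pro" = "passff";
    };
  };

  options.grimmShared.tooling.pass =
    mkEnableOption "Enables password-store, gnupg and such secret handling";
}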