{ pkgs, config, lib, inputs, system, ... }:
let
  cfg = config.grimmShared;
in
{
  config = with cfg; lib.mkIf enable {
    security.polkit.enable = true;
    networking.firewall.enable = lib.mkIf network true;
    security.rtkit.enable = true;

    security.doas.enable = true;
    security.sudo.enable = false;
    security.doas.extraRules = [{
      users = lib.attrNames (lib.filterAttrs (n: v: v.isNormalUser) config.users.users);
      keepEnv = true;
      persist = true;
    }];

    environment.systemPackages = with pkgs; [
      mkpasswd
      gnupg
      libsecret
      vulnix
      doas-sudo-shim # muscle memory
      inputs.agenix.packages.${system}.default
    ] ++ lib.optionals (tooling.enable && tooling.pass) [
      pass
      (writeShellScriptBin "passw" "pass $@")
    ] ++ lib.optional graphical lxqt.lxqt-policykit;

    services.passSecretService.enable = lib.mkIf (tooling.enable && tooling.pass) true;
    programs.gnupg.agent = {
      settings = {
        # default-cache-ttl = 6000;
      };
      pinentryPackage = with pkgs; lib.mkForce (if graphical then pinentry-qt else pinentry-tty);
      enable = true;
    };
  };
}