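# grimmShared: privilege escalation (doas instead of sudo), polkit/rtkit, and
# optional secret-handling tooling (pass, gnupg agent, secret-service bridge).
{ pkgs, config, lib, ... }:
let
  cfg = config.grimmShared;
in
{
  config = with cfg; lib.mkIf enable {
    # Desktop privilege brokers; sudo is disabled in favour of doas.
    security.polkit.enable = true;
    security.rtkit.enable = true;
    security.doas.enable = true;
    security.sudo.enable = false;

    # One doas rule for every account declared with users.users.<name>.isNormalUser.
    # keepEnv keeps the caller's environment for the elevated command and
    # persist skips the password prompt for a while after a successful one;
    # both trade isolation for convenience, so the rule is only as tight as the
    # set of normal users defined on the host.
    security.doas.extraRules = [
      {
        users = lib.attrNames (lib.filterAttrs (_: user: user.isNormalUser) config.users.users);
        keepEnv = true;
        persist = true;
      }
    ];

    environment.systemPackages = with pkgs;
      [
        mkpasswd
        gnupg
        libsecret
        vulnix
        doas-sudo-shim # muscle memory
        agenix
      ]
      ++ lib.optionals (tooling.enable && tooling.pass) [
        pass
        # Alias for pass; "$@" is quoted so arguments containing spaces or
        # glob characters reach pass intact (unquoted $@ would re-split them).
        (writeShellScriptBin "passw" ''pass "$@"'')
      ]
      ++ lib.optional graphical lxqt.lxqt-policykit;

    # Expose pass over the freedesktop secret-service D-Bus API only when the
    # pass tooling is enabled.
    services.passSecretService.enable = lib.mkIf (tooling.enable && tooling.pass) true;

    programs.gnupg.agent = {
      settings = {
        # default-cache-ttl = 6000;
      };
      # Pinentry follows the session type; mkForce overrides any default the
      # gnupg module or another module picks.
      pinentryPackage = with pkgs; lib.mkForce (if graphical then pinentry-qt else pinentry-tty);
      enable = true;
    };
  };

  options.grimmShared.tooling.pass = lib.mkEnableOption "Enables password-store, gnupg and such secret handling";
}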