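{ pkgs, config, lib, ... }:
let
  inherit (config.grimmShared) enable tooling graphical;
  inherit (lib) optional optionals filterAttrs mkForce mkIf attrNames mkEnableOption;
in
{
  # Shared privilege/secret-handling module: doas in place of sudo, gnupg agent,
  # and (optionally) password-store with its secret-service bridge.
  config = mkIf enable {
    security.polkit.enable = true;
    security.rtkit.enable = true;
    security.doas.enable = true;
    security.sudo.enable = false;

    # One rule covering every account flagged isNormalUser. keepEnv passes the
    # caller's environment through to the target; persist lets a successful
    # authentication be reused for a while. No noPass, so a password is still
    # required the first time.
    security.doas.extraRules = [
      {
        users = attrNames (filterAttrs (n: v: v.isNormalUser) config.users.users);
        keepEnv = true;
        persist = true;
      }
    ];

    environment.systemPackages =
      (with pkgs; [
        mkpasswd
        gnupg
        libsecret
        vulnix
        doas-sudo-shim # muscle memory
        agenix
      ])
      ++ optionals (tooling.enable && tooling.pass) [
        pkgs.pass
        # "$@" (quoted) forwards each argument intact; the previous unquoted
        # $@ re-split arguments containing whitespace before they reached pass.
        (pkgs.writeShellScriptBin "passw" "pass \"$@\"")
      ]
      ++ optional graphical pkgs.lxqt.lxqt-policykit;

    # Secret Service D-Bus bridge only makes sense when pass itself is enabled.
    services.passSecretService.enable = mkIf (tooling.enable && tooling.pass) true;

    programs.gnupg.agent = {
      settings = {
        # default-cache-ttl = 6000;
      };
      # Pick the pinentry that matches the host: Qt dialog when a desktop is
      # present, tty prompt otherwise. mkForce overrides any other module's choice.
      pinentryPackage = mkForce (if graphical then pkgs.pinentry-qt else pkgs.pinentry-tty);
      enable = true;
    };
  };

  options.grimmShared.tooling.pass = mkEnableOption "Enables password-store, gnupg and such secret handling";
}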