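# Shared authentication / secret-handling module: YubiKey PAM, sudo (doas
# prepared but disabled), agenix + rage with the YubiKey age plugin, gpg-agent
# (also serving SSH), and optional password-store tooling gated on
# grimmShared.tooling.pass. Everything under `config` is gated on
# grimmShared.enable.
{
  pkgs,
  config,
  lib,
  inputs,
  system,
  ...
}:
let
  inherit (config.grimmShared) enable tooling graphical;
  inherit (lib)
    optional
    optionals
    filterAttrs
    mkForce
    mkIf
    attrNames
    mkEnableOption
    ;

  # age plugins shared by the rage PATH wrapper (age.ageBin) and the agenix
  # override below, so both resolve the same plugin set.
  age_plugins = with pkgs; [ age-plugin-yubikey ];
in
{
  config = mkIf enable {
    security.polkit.enable = true;
    security.rtkit.enable = true;

    # YubiKey PAM in challenge-response mode (local HMAC slot, no Yubico cloud).
    # `id` is the Yubico API client id; it appears to be consulted only in
    # "client" mode, so it is inert while `mode` stays "challenge-response".
    # `control = "sufficient"` lets a valid YubiKey response alone satisfy the
    # PAM auth stack, i.e. possession of the key stands in for the password.
    # It is mkDefault so a host can raise it to "required" for real 2FA.
    security.pam.yubico = {
      enable = true;
      id = [ "26681512" ];
      # debug = true;
      mode = "challenge-response";
      control = lib.mkDefault "sufficient";
    };

    # security.doas.enable = true;
    security.sudo.enable = true;

    # Dormant until security.doas.enable is turned on (currently off).
    # NOTE(review): this rule grants every normal user root for ANY command
    # (no `cmd` restriction), and `keepEnv = true` passes the caller's
    # environment through to the root process. Narrow `cmd`/`setEnv`, or drop
    # keepEnv, before enabling doas.
    security.doas.extraRules = [
      {
        users = attrNames (filterAttrs (n: v: v.isNormalUser) config.users.users);
        keepEnv = true;
        persist = true;
      }
    ];

    # Smart-card daemon used to reach the YubiKey (age-plugin-yubikey, gpg).
    services.pcscd.enable = true;
    # agenix invokes this binary. rage is wrapped rather than patched so the
    # age plugins are found on PATH at runtime.
    age.ageBin =
      let
        rage_wrapped = pkgs.symlinkJoin {
          name = "rage";
          paths = [ pkgs.rage ];
          buildInputs = [ pkgs.makeWrapper ];
          postBuild = ''
            wrapProgram $out/bin/rage \
              --prefix PATH : ${lib.makeBinPath age_plugins}
          '';
        };
      in
      lib.getExe' rage_wrapped "rage";

    # Touch indicator only makes sense with a desktop session.
    programs.yubikey-touch-detector.enable = graphical;

    environment.systemPackages =
      (with pkgs; [
        mkpasswd
        gnupg
        libsecret
        vulnix
        # agenix built with the same plugin list as the rage wrapper above.
        (inputs.agenix.packages."${system}".default.override { plugins = age_plugins; })

        yubikey-manager
        yubico-pam
        yubikey-personalization
      ])
      ++ age_plugins
      ++ (optionals (tooling.enable && tooling.pass) [
        pkgs.pass
        # Thin alias for pass. "$@" preserves argument boundaries; the previous
        # unquoted `$@` re-split arguments containing whitespace.
        (pkgs.writeShellScriptBin "passw" ''pass "$@"'')
      ])
      # sudo-doas-shim only when doas is actually enabled on this host.
      ++ (optional config.security.doas.enable pkgs.sudo-doas-shim)
      ++ (optional graphical pkgs.lxqt.lxqt-policykit);

    services.passSecretService.enable = mkIf (tooling.enable && tooling.pass) true;
    # LoginGraceTime 0 disables sshd's pre-auth timeout. This looks like the
    # documented workaround for the sshd signal-handler race
    # (CVE-2024-6387, "regreSSHion") on unpatched OpenSSH, but it also means
    # unauthenticated connections are never dropped, leaving MaxStartups as the
    # only brake on connection exhaustion. Revisit once the deployed OpenSSH
    # carries the fix.
    services.openssh.settings.LoginGraceTime = 0;
    programs.gnupg.agent = {
      settings = {
        # default-cache-ttl = 6000;
      };
      # mkForce: this deliberately wins over any other module's pinentry choice.
      pinentryPackage = mkForce (if graphical then pkgs.pinentry-qt else pkgs.pinentry-tty);
      enable = true;
      # gpg-agent acts as the SSH agent, so SSH keys live on the GnuPG/YubiKey side.
      enableSSHSupport = true;
    };

    # Firefox extension id -> short name; only when pass tooling is enabled.
    grimmShared.firefox.plugins = mkIf (tooling.enable && tooling.pass) {
      "passff@invicem.pro" = "passff";
    };
  };

  options.grimmShared.tooling.pass = mkEnableOption "Enables password-store, gnupg and such secret handling";
}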