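# ctucxConfig.programs.gpg: GnuPG + smartcard setup for the home-manager user
# `katja`. NixOS-level services are only populated on Linux; on Darwin the
# gpg-agent configuration is written by hand instead of via home-manager's
# services.gpg-agent module (which is Linux-only here).
{ config, pkgs, lib, ... }:

let
  cfg = config.ctucxConfig.programs.gpg;
  isLinux = pkgs.stdenv.isLinux;
  isDarwin = pkgs.stdenv.isDarwin;
in
{
  options = {
    ctucxConfig.programs.gpg = {
      enable = lib.mkEnableOption "gpg";
    };
  };

  config = lib.mkIf cfg.enable {
    # System-level smartcard plumbing. The option paths are always defined;
    # only their values are platform-gated (false / [] off Linux).
    # NOTE(review): if this module is also imported by nix-darwin, confirm
    # that `services.pcscd`, `services.udev` and `services.dbus` exist there;
    # otherwise wrap this whole attrset in `lib.mkIf isLinux`.
    services = {
      pcscd.enable = isLinux;
      # Packages shipping udev rules so the token is reachable without root.
      udev.packages = lib.optionals isLinux (with pkgs; [ libu2f-host yubikey-personalization ]);
      dbus.packages = lib.optionals isLinux (with pkgs; [ gcr ]);
    };

    home-manager.users.katja = {
      # Hide the gscriptor launcher entry (presumably pulled in by pcsctools below).
      xdg = lib.mkIf isLinux {
        desktopEntries = {
          gscriptor = {
            name = "gscriptor";
            settings = { NoDisplay = "true"; };
          };
        };
      };

      home = {
        packages = lib.mkIf isLinux [ pkgs.pcsctools ];
        sessionVariables = {
          # mkForce: keep the classic location even if another module tries
          # to relocate GNUPGHOME (e.g. into an XDG directory).
          GNUPGHOME = lib.mkForce "$HOME/.gnupg";
        };
        shellAliases = {
          # Re-read the inserted card's key stubs into the keyring after swapping cards.
          gpg-card-relearn = "gpg-connect-agent 'scd serialno' 'learn --force' /bye";
        };
        # Darwin only: services.gpg-agent is not enabled there, so the agent
        # config file is written directly.
        file = lib.mkIf isDarwin {
          ".gnupg/gpg-agent.conf".text = ''
            enable-ssh-support
            pinentry-program ${pkgs.pinentry_mac}/Applications/pinentry-mac.app/Contents/MacOS/pinentry-mac
          '';
        };
      };

      # Kill (and thereby restart on next use) the agent whenever sway
      # starts or reloads, so it picks up the new session environment.
      wayland.windowManager.sway.extraConfig = ''
        exec_always 'gpgconf --kill gpg-agent'
      '';

      programs = {
        gpg = {
          enable = true;
          # Declared keys and trust are imported at activation, but gpg may
          # still modify the keyring/trustdb afterwards. NOTE(review): confirm
          # the mutable keyring is intended rather than a fully declarative one.
          mutableTrust = true;
          mutableKeys = true;
          publicKeys = [
            # my own key
            { trust = "ultimate"; source = "${pkgs.ctucx-website}/gpg_pubkey.asc"; }
            { trust = "ultimate"; source = "${pkgs.ctucx-website}/gpg_pubkey_leah.asc"; }
            # f2k1de's key -- the fixed sha256 pins the fetched file, so a
            # changed or substituted key at that URL fails the build instead
            # of being imported with "full" trust silently.
            {
              trust = "full";
              source = pkgs.fetchurl {
                url = "https://f2k1.de/gpg-key.asc";
                sha256 = "sha256-GvrsMDokWphfIAiabJTzNNzbHP7QtWkt2cn3piGBdzc";
              };
            }
          ];
          settings = {
            # hkps: keyserver traffic goes over TLS.
            keyserver = "hkps://keyserver.ubuntu.com:443";
          };
          # Disable scdaemon's built-in CCID driver so it falls back to PC/SC
          # (pcscd, enabled above on Linux).
          scdaemonSettings = { disable-ccid = true; };
        };

        bash.initExtra = ''
          export GPG_TTY=$(tty)
          export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
          gpgconf --launch gpg-agent
        '';

        git.signing = {
          # NOTE(review): this is a 32-bit short key ID, which is cheap to
          # collide; prefer the key's full 40-hex fingerprint here. It cannot
          # be derived from this file -- take it from `gpg --fingerprint`.
          key = "4F1D8CCB";
          signByDefault = true;
        };
      };

      services = lib.mkIf isLinux {
        gpg-agent = {
          enable = true;
          enableSshSupport = true;
          # Also expose the restricted "extra" socket (used for agent forwarding).
          enableExtraSocket = true;
          pinentryPackage = pkgs.pinentry-gnome3;
          # Passphrase / SSH key cache lifetime, in seconds (10 minutes).
          defaultCacheTtl = 600;
          defaultCacheTtlSsh = 600;
          # Keygrips of the keys the agent offers over the SSH socket.
          sshKeys = [
            "8C11B9BF8B535049F6C87A9CF0C595421E6B8798"
            "29FA1059F28D2ED1C6398F7CFA918605F53786C0"
          ];
        };
      };
    };
  };
}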