# NixOS module: YubiKey / smart-card tooling, U2F for the login and sudo PAM
# services, and gpg-agent acting as the SSH agent.
# `config` and `lib` are accepted but not referenced in this file.
{
  config,
  lib,
  pkgs,
  ...
}:
{

  # Command-line tools and libraries for managing the key (yubikey-manager,
  # yubikey-personalization, yubico-piv-tool), smart-card access (pcsctools,
  # opensc), USB inspection (usbutils) and age/sops key handling (ssh-to-age,
  # age-plugin-yubikey).
  # NOTE(review): listing yubico-pam here only installs the package; the PAM
  # configuration below enables u2fAuth, not the Yubico OTP module. Confirm
  # whether yubico-pam is still needed.
  environment.systemPackages = with pkgs; [
    libyubikey
    yubico-pam
    yubikey-manager
    yubikey-personalization
    yubico-piv-tool
    pcsctools
    opensc
    usbutils
    ssh-to-age
    age-plugin-yubikey
  ];

  # mutableUsers = false; TODO: blocked by https://github.com/Mic92/sops-nix/pull/680
  # Until this is set, accounts and passwords can still be changed
  # imperatively, outside the declared configuration.

  # Android Debug Bridge support; unrelated to the YubiKey settings in the rest
  # of this file.
  # NOTE(review): presumably access is granted through the adbusers group; keep
  # its membership minimal.
  programs.adb.enable = true;

  # Enable U2F (pam_u2f) for the login and sudo PAM services only; no other
  # PAM service is changed by this file.
  # NOTE(review): security.pam.u2f.control is not set here. The NixOS default
  # is "sufficient", which lets a key touch alone satisfy authentication
  # without a password. If the key is meant to be a second factor, set the
  # control to "required" and confirm keys are enrolled first, otherwise login
  # and sudo will fail.
  security.pam.services = {
    login.u2fAuth = true;
    sudo.u2fAuth = true;
  };
  
  services.pcscd = {
    # Left disabled, although the original note calls it a dependency of the
    # yubikey agent.
    # NOTE(review): with pcscd off, tools that reach the key through PC/SC
    # (e.g. yubico-piv-tool, pcsctools, age-plugin-yubikey) will presumably not
    # find it. gpg's scdaemon can use its own CCID driver instead and may
    # conflict with a running pcscd. Confirm which of the two is intended.
    enable = false; # dependency of yubikey agent
    # Presumably has no effect while enable = false; verify it is still wanted.
    plugins = [ pkgs.libykneomgr ];
  };
  # Install the udev rules shipped with yubikey-personalization for YubiKey
  # devices.
  services.udev.packages = [ pkgs.yubikey-personalization ];

  programs.gnupg.agent = {
    enable = true;
    # gpg-agent also serves as the SSH agent, so SSH authentication goes
    # through it.
    enableSSHSupport = true;
    # Also expose the restricted "extra" socket, which is intended for
    # forwarding the agent to remote hosts. Forward it only to hosts you trust:
    # while connected, the remote side can request operations with your keys.
    enableExtraSocket = true;
  };
}