# NixOS module: YubiKey support, gated behind `local.yubikey.enable`.
#
# When enabled it wires up three things:
#   * user-space tooling and udev rules for the token, plus the smart-card daemon;
#   * pam_u2f as a *required* factor on the `login` and `sudo` PAM services;
#   * an optional udev rule that locks every session when the token is unplugged
#     (only when `programs.xss-lock` is enabled elsewhere in the configuration).
{ config, lib, pkgs, ... }:

let
  cfg = config.local.yubikey;

  # Tooling installed system-wide for managing the key.
  tokenPackages = [ pkgs.yubikey-manager pkgs.yubikey-personalization ];
in
{
  options.local.yubikey.enable = lib.mkEnableOption "yubikey";

  config = lib.mkIf cfg.enable {
    environment.systemPackages = tokenPackages;

    # Smart-card daemon (presumably for the PIV / OpenPGP applets over CCID).
    services.pcscd.enable = true;

    security.pam = {
      # pam_u2f is stacked as "required": the token is mandatory *in addition to*
      # the password on the services below, never a replacement for it.
      #
      # NOTE(review): no `authFile` is set, so pam_u2f falls back to its per-user
      # mapping file under $HOME (presumably ~/.config/Yubico/u2f_keys). That file
      # is writable by the very account whose `sudo` it is meant to protect, and
      # an account with no registration at all is locked out under "required".
      # Consider a root-owned `security.pam.u2f.authFile` and a registered backup
      # key — confirm against the intended threat model before relying on this.
      u2f = {
        enable = true;
        control = "required";
      };
      services = {
        login.u2fAuth = true;
        sudo.u2fAuth = true;
      };
    };

    services.udev = {
      # Ships this package's udev rules (presumably device access for the key).
      packages = [ pkgs.yubikey-personalization ];

      # Lock all sessions as soon as the token is unplugged.
      # The match is a single PRODUCT triple (vendor 1050 = Yubico, product id
      # 402, device revision 543), so other YubiKey models or firmware revisions
      # will not trigger the lock — confirm it matches the key actually in use.
      # PRODUCT is presumably used rather than ID_VENDOR_ID because it is still
      # populated on "remove" events — verify if the rule is ever changed.
      # Trailing backslashes are udev line continuations; Nix indented strings do
      # not treat backslash as an escape, so they reach udev verbatim.
      extraRules = lib.mkIf config.programs.xss-lock.enable ''
        ACTION=="remove",\
        ENV{DEVTYPE}=="usb_device",\
        ENV{PRODUCT}=="1050/402/543",\
        RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"
      '';
    };
  };
}