# YubiKey support for this host: touch notifications, yubikey-agent, udev
# rules, management tooling, and pam_u2f for `login` and `sudo`.
{ pkgs, ... }:
let
  # username of the YubiKey owner
  owner = "mel";

  # One pam_u2f credential per enrolled key, in the form
  # "<key handle>,<public key>,<COSE type>,<flags>".
  credentials = [
    # "carnal" YubiKey
    "7dYKqa9yw69hXwmYd61Bw0hnnxbSsASieIBmokmbAHArJexkPz+TGRVdXW2U8QiLAoe9l1QKo3jrtQxxbBiuFQ==,N7bABlRz0DvIqwxgBnTiyNZ4/JnRIRUEhVk+95h7+KtbTYdnoGnSaqiiimGQxTWxOHfpHbuii127f0HUwYPmXw==,es256,+presence"
    # "anatomy" YubiKey
    "//CLbB23LlMtMwefGzrMVELgTkIcfMRSjxJlQDvQ3FKRrlyPA75rosYVl5tqQbkPyed0fwsAkr1vhqPtth4GMQ==,VwxKl0ZYDmCTU02ziMigG1ZVC1MXDH9qeuBT1qplw1pt++tV32xao/yHayiRc2hvbJdJjfplQxT7mLnW90u9WQ==,es256,+presence"
  ];

  # The mapping is a single line, "<user>:<credential>:<credential>".
  # pkgs.writeText puts it in the Nix store, so it is readable by every local
  # user. It holds key handles and public keys, not a password or PIN.
  mappingFile = pkgs.writeText "u2f_mappings"
    (builtins.concatStringsSep ":" ([ owner ] ++ credentials));
in
{
  programs.yubikey-touch-detector.enable = true;
  programs.yubikey-touch-detector.libnotify = true;

  services.yubikey-agent.enable = true;
  services.udev.packages = [ pkgs.yubikey-personalization ];

  # see `modules/home/yubikeys.nix` for the YubiKey
  # universal second factor (u2f) configuration file.

  # NOTE(review): `security.pam.u2f.control` is not set in this file. NixOS
  # defaults it to "sufficient", so with `unixAuth` also enabled either the
  # key or the password alone is accepted; the key acts as an alternative
  # factor. Setting `control = "required"` would make it a true second
  # factor, at the cost of locking out any host that cannot use the key.
  # Confirm which of the two is intended.

  # TODO: figure out how to use hardware keys for login on moissanite
  security.pam.services.login.u2fAuth = true;
  security.pam.services.login.unixAuth = true; # careful

  security.pam.services.sudo.u2fAuth = true;
  security.pam.services.sudo.unixAuth = true;

  security.pam.u2f.enable = true;
  security.pam.u2f.settings = {
    # Show a "touch the device" prompt while pam_u2f waits for the key.
    cue = true;
    # Require the FIDO2 PIN at the module level. The credentials above carry
    # only `+presence`, so this setting is what asks for the PIN.
    pinverification = 1;
    authfile = mappingFile;
  };

  security.pam.mount.enable = true;

  environment.systemPackages = [
    pkgs.yubikey-manager
    pkgs.yubioath-flutter
    pkgs.yubikey-personalization
    pkgs.yubikey-personalization-gui
    pkgs.yubikey-touch-detector # install icon
    pkgs.age-plugin-yubikey
    pkgs.pam_u2f
  ];
}