# NixOS module: YubiKey user-space tooling, plus optional FIDO2 unlocking of
# LUKS volumes from the initrd. Both halves are switched by options under
# `my.yubikey`.
{ config, lib, pkgs, ... }:
let
  yk = config.my.yubikey;

  # One attrset entry per listed LUKS volume, carrying the crypttab option
  # that asks systemd-cryptsetup to look for a FIDO2 token at unlock time.
  fido2Unlock = lib.listToAttrs (map
    (name: lib.nameValuePair name {
      crypttabExtraOpts = [ "fido2-device=auto" ];
    })
    yk.luksSupport.devices);
in
{
  options.my.yubikey = {
    enable = lib.mkEnableOption "yubikey";

    luksSupport = {
      enable = lib.mkEnableOption "fido2 luks support";

      # Names only: these are keys of boot.initrd.luks.devices, not block
      # device paths.
      devices = lib.mkOption {
        type = lib.types.listOf lib.types.str;
        default = [ ];
        description = "List of luks devices to enable fido2 support for.";
      };
    };
  };

  config = lib.mkIf yk.enable {
    # udev rules shipped with yubikey-personalization.
    services.udev.packages = [ pkgs.yubikey-personalization ];

    environment.systemPackages = [
      # cli
      pkgs.yubikey-manager
      pkgs.yubikey-personalization
      pkgs.paperkey
      # graphical
      pkgs.yubikey-manager-qt
      pkgs.yubikey-personalization-gui
    ];

    boot.initrd = lib.mkIf yk.luksSupport.enable {
      # The systemd initrd is enabled together with the crypttab options;
      # crypttabExtraOpts appears to depend on it -- confirm before removing.
      systemd.enable = true;

      # These entries merge with whatever else declares the same names under
      # boot.initrd.luks.devices. This module does not set `.device`, so each
      # listed name presumably needs its device path declared elsewhere.
      # NOTE(review): the token must already be enrolled against each volume
      # (e.g. via systemd-cryptenroll); this module only wires the unlock
      # side. "fido2-device=auto" uses whichever FIDO2 token is present at
      # boot, which matters if several tokens can be plugged in.
      luks.devices = fido2Unlock;
    };
  };
}