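# NixOS module for the Athena ASEDrive III smartcard reader.
#
# When enabled it installs the ase-pkcs11 package, exposes its etc/Athena tree
# under /etc, writes a pkcs11/modules/asep11 entry pointing at libasep11,
# enables pcscd, adds a udev rule for the reader, and (by default) adds the
# BCCR root CA to the system certificate files.
{ config, lib, pkgs, ... }:
with lib; let
  cfg = config.local.hardware.athena;

  # Package set selected by release tag; `release` is used as an attribute name
  # under pkgs.local.athena-bccr.
  # NOTE(review): "latest" presumably aliases the newest packaged release, so
  # the vendor PKCS#11 library and CA bundle can change on update. Confirm, and
  # consider naming an explicit release.
  athena = pkgs.local.athena-bccr.${cfg.release};
in {
  options.local.hardware.athena = {
    enable = mkEnableOption "Athena ASEDrive III smartcard reader";

    release = mkOption {
      type = types.str;
      default = "latest";
      description = "athena-bccr release tag";
    };

    # Default is true so existing configurations keep their current behaviour.
    trustRootCA = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Whether to add the BCCR root CA to security.pki.certificateFiles.
        The CA then becomes a system-wide trust anchor, not one limited to
        smartcard signature validation.
      '';
    };

    # Default is "users" so existing configurations keep their current behaviour.
    group = mkOption {
      type = types.str;
      default = "users";
      description = ''
        Group that owns the reader's device node (mode 660). The group must
        already exist. A dedicated group limits access to the accounts that
        actually need the reader.
      '';
    };
  };

  config = mkIf cfg.enable {
    environment = {
      etc = {
        "Athena".source = "${athena.ase-pkcs11}/etc/Athena";

        # NOTE(review): p11-kit normally expects files in pkcs11/modules to end
        # in ".module". Confirm that this entry is actually picked up.
        "pkcs11/modules/asep11".text = ''
          module: ${athena.libasep11}
        '';
      };

      systemPackages = [athena.ase-pkcs11];
    };

    # FIXME: Extremely dangerous if BCCR or MICITT are compromised; investigate
    # the national root CA policy.
    # The CA is trusted for everything that reads the system bundle, TLS server
    # authentication included, so the exposure is wider than the smartcard use
    # case. Set trustRootCA = false to leave the system trust store untouched.
    security.pki.certificateFiles =
      lib.optional cfg.trustRootCA "${athena.bccr-cacerts}/root-ca.pem";

    services = {
      pcscd.enable = true;

      # TODO: A separate group would be better (see the `group` option; the
      # default is still "users").
      # NOTE(review): extraRules are written to a late rules file (99-local.rules
      # on NixOS), after the rule that acts on the uaccess tag, so
      # TAG+="uaccess" likely has no effect here. Confirm.
      udev.extraRules = ''
        # Athena Smartcard Solutions, Inc. ASEDrive V3CR
        ATTRS{idVendor}=="0dc3", ATTRS{idProduct}=="1004", MODE="660", GROUP="${cfg.group}", TAG+="uaccess"
      '';
    };
  };
}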