# NixOS module: optional YubiKey support (PIV/PKCS#11 via p11-kit, pcscd for
# CCID, udev rules, and — when requested — pam_u2f for a fixed set of PAM
# services).
#
# Options declared here:
#   local.hardware.yubico.enable  - turn on pcscd, udev rules and the ykcs11
#                                   PKCS#11 module registration.
#   local.hardware.yubico.pamAuth - additionally enable pam_u2f for the
#                                   services listed under security.pam.services.
#
# Effect on other options: every security.pam.services.<name>.u2fAuth gets a
# default of false from this module, so only the services explicitly listed
# below opt in to U2F.
{ config, lib, pkgs, ... }:
let
  yubicoCfg = config.local.hardware.yubico;
in
{
  options = {
    local.hardware.yubico = {
      enable = lib.mkEnableOption "Yubico hardware support";

      # Off by default: enabling this changes how login/su/sudo authenticate.
      pamAuth = lib.mkOption {
        type = lib.types.bool;
        default = false;
      };
    };

    # Lower the per-service u2fAuth default to false (mkDefault, so a service
    # definition can still override it). NixOS otherwise derives this default
    # from security.pam.u2f.enable, which would switch U2F on for every PAM
    # service at once — confirm against the nixpkgs revision in use.
    security.pam.services = lib.mkOption {
      type = lib.types.attrsOf (lib.types.submodule {
        config.u2fAuth = lib.mkDefault false;
      });
    };
  };

  config = lib.mkIf yubicoCfg.enable {
    # Register the YubiKey PIV PKCS#11 module with p11-kit.
    # NOTE(review): p11-kit documents module config files with a ".module"
    # suffix; confirm the file is picked up under the name used here.
    environment.etc."pkcs11/modules/ykcs11".text = ''
      module: ${pkgs.yubico-piv-tool}/lib/libykcs11.so
    '';

    security.pam = lib.mkIf yubicoCfg.pamAuth {
      u2f = {
        enable = true;
        # PAM "sufficient": a successful pam_u2f check alone satisfies the
        # auth stack; on failure the stack falls through to the next module.
        control = "sufficient";
        settings = {
          # Central key file; this replaces the per-user
          # ~/.config/Yubico/u2f_keys lookup, so entries for the user being
          # authenticated (e.g. root for su) must live here.
          authfile = "/var/trust/pam_u2f_keys";
          cue = true;
          # The key's PIN is required, but neither a touch (userpresence) nor
          # on-key user verification is: a key left plugged in plus its PIN
          # satisfies this factor. NOTE(review): consider userpresence = 1 for
          # the privilege-raising services (su, sudo, systemd-run0).
          pinverification = 1;
          userpresence = 0;
          userverification = 0;
        };
      };
      # Services that opt in to U2F; all others keep the false default
      # declared in the options section.
      services = {
        gtklock.u2fAuth = true;
        login.u2fAuth = true;
        su.u2fAuth = true;
        sudo.u2fAuth = true;
        systemd-run0.u2fAuth = true;
        vlock.u2fAuth = true;
      };
    };

    services = {
      # Smart-card daemon needed for the CCID/PIV interface.
      pcscd.enable = true;
      # Device-access udev rules shipped with yubikey-personalization.
      udev.packages = [ pkgs.yubikey-personalization ];
    };
  };
}