machines/nix/modules/nixos/security/yubikey/default.nix

{
  config,
  lib,
  pkgs,
  ...
}:
let
  cfg = config.khscodes.security.yubikey;
in
{
  options.khscodes.security.yubikey = {
    enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
    };
  };
  config = lib.mkIf cfg.enable {
    services.pcscd.enable = true;
    services.udev.packages = [ pkgs.yubikey-personalization ];

    environment.systemPackages = [
      pkgs.yubikey-manager
      pkgs.yubico-piv-tool
    ];

    programs.gnupg.agent = {
      enable = true;
      enableSSHSupport = true;
    };
  };
}