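# Home-manager module: GnuPG + gpg-agent (with SSH support) and `pass`.
#
# Arguments are the usual home-manager module args; `nixosConfig` is only
# present when this module is evaluated as part of a NixOS system, which is
# what the pinentry selection below relies on.
{
  pkgs,
  lib,
  config,
  nixosConfig,
  ...
}:
{
  /*
    home.activation.gnupg = lib.hm.dag.entryAfter ["writeBoundary"] ''
    install -d -m700 ${lib.escapeShellArg config.programs.gpg.homedir}
    '';
  */
  services.gpg-agent = {
    enable = true;
    # gpg-agent also serves as the SSH agent (SSH_AUTH_SOCK).
    enableSshSupport = true;
    # Exposes the restricted "extra" socket, intended to be forwarded to
    # remote hosts (e.g. via ssh RemoteForward). Anything that can reach the
    # forwarded socket can request signing/decryption, so only forward it to
    # hosts you trust.
    enableExtraSocket = true;
    # GUI pinentry only when an X server is configured system-wide; otherwise
    # fall back to curses so passphrase prompts still work on a TTY.
    pinentryPackage = lib.mkDefault (
      if nixosConfig.services.xserver.enable then pkgs.pinentry-gtk2 else pkgs.pinentry-curses
    );
  };
  programs.gpg.enable = true;
  # NOTE: home-manager renders a boolean setting as a bare flag when true and
  # omits the key entirely when false. A `foo = false;` entry therefore does
  # NOT produce `no-foo` in gpg.conf; the `no-*` option must be spelled out
  # as `no-foo = true;` to actually disable the behaviour.
  programs.gpg.settings = {
    #auto-key-locate = "keyserver";
    # Disable automatic key lookup when encrypting to an e-mail address
    # (gpg otherwise defaults to a local/WKD lookup). Was `auto-key-locate =
    # false`, which rendered nothing.
    no-auto-key-locate = true;
    cert-digest-algo = "SHA512";
    charset = "utf-8";
    # `default-keyring = false` was dropped: it rendered nothing, and
    # `no-default-keyring` without a `keyring` option is a no-op anyway.
    default-preference-list = "SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 TWOFISH BZIP2 ZLIB ZIP Uncompressed";
    # Do not leak the GnuPG version in armored output. Was `emit-version =
    # false`, which rendered nothing.
    no-emit-version = true;
    fixed-list-mode = true;
    keyid-format = "0xlong";
    keyserver-options = "no-honor-keyserver-url";
    # CAST5 (64-bit block) is kept only as a last-resort fallback for
    # recipients whose keys advertise no AES variant.
    personal-cipher-preferences = "AES256 AES CAST5";
    personal-digest-preferences = "SHA512";
    quiet = true;
    # String-to-key settings apply to symmetric (--symmetric) encryption and to
    # exported secret keys. The previous count of 65536 is the weakest
    # commonly-used value; 65011712 is the maximum GnuPG accepts.
    s2k-cipher-algo = "AES256";
    s2k-count = "65011712";
    s2k-digest-algo = "SHA512";
    s2k-mode = "3";
    tofu-default-policy = "unknown";
    trust-model = "tofu+pgp";
    #with-fingerprint = [ true true ];
    # Ignored by GnuPG >= 2.1 (the agent is always used); harmless.
    use-agent = true;
    utf8-strings = true;
  };
  # dirmngr.conf is not managed by programs.gpg, so it is written directly
  # into the gpg home directory (same path convention home-manager uses for
  # gpg.conf). Keyserver traffic goes over HTTPS only.
  home.file."${config.programs.gpg.homedir}/dirmngr.conf".text = ''
    allow-ocsp
    keyserver hkps://keys.openpgp.org
    #use-tor
    #log-file dirmngr.log
    #standard-resolver
  '';
  # `pass` only makes sense with gpg enabled, hence the mkIf.
  home.packages = lib.mkIf config.programs.gpg.enable [
    (pkgs.pass.withExtensions (
      ext: with ext; [
        pass-audit
        pass-checkup
        #pass-file
        pass-genphrase
        pass-import
        pass-otp
        pass-tomb
        pass-update
      ]
    ))
  ];
}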