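# Home-manager module: GnuPG, gpg-agent (also acting as the SSH agent),
# dirmngr keyserver settings, and the `pass` password store with extensions.
#
# `nixosConfig` is read below to choose a pinentry; presumably this module is
# only evaluated with home-manager running as a NixOS module, where that
# argument is supplied. Confirm before reusing it standalone.
{ pkgs, lib, config, nixosConfig, ... }:

{
  /*
    Disabled: create the GnuPG home directory with mode 0700 at activation.
    gpg warns about a homedir that other users can access, so something must
    guarantee these permissions if this stays commented out.

    home.activation.gnupg = lib.hm.dag.entryAfter ["writeBoundary"] ''
      install -d -m700 ${lib.escapeShellArg config.programs.gpg.homedir}
    '';
  */

  services.gpg-agent = {
    enable = true;
    # gpg-agent also serves SSH authentication requests.
    enableSshSupport = true;
    # The extra socket is GnuPG's restricted socket, intended for forwarding to
    # remote machines. A host holding the forwarded socket can request
    # operations with the local private keys while the forward is up, so only
    # forward it to hosts you trust.
    enableExtraSocket = true;
    # Graphical pinentry when the NixOS host runs an X server, terminal
    # pinentry otherwise. mkDefault lets another module override the choice.
    pinentryFlavor = lib.mkDefault
      (if nixosConfig.services.xserver.enable then "gtk2" else "curses");
  };

  programs.gpg.enable = true;

  programs.gpg.settings = {
    # NOTE(review): home-manager appears to render a boolean `true` as the bare
    # option name and to omit `false` entirely. Confirm against the
    # home-manager version in use. If so, the three `= false` entries below
    # (auto-key-locate, default-keyring, emit-version) emit nothing and do NOT
    # produce the `no-...` form of the option.
    #auto-key-locate = "keyserver";
    auto-key-locate = false;
    cert-digest-algo = "SHA512";
    charset = "utf-8";
    default-keyring = false;
    # Preferences advertised on newly generated keys.
    default-preference-list = "SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 TWOFISH BZIP2 ZLIB ZIP Uncompressed";
    emit-version = false;
    fixed-list-mode = true;
    # Long key IDs: short 32-bit IDs are trivially collidable.
    keyid-format = "0xlong";
    # Ignore the preferred-keyserver URL embedded in a key, so a key cannot
    # steer lookups to a server of its owner's choosing.
    keyserver-options = "no-honor-keyserver-url";
    # NOTE(review): CAST5 is a legacy 64-bit-block cipher. It is kept here as a
    # last-resort fallback; drop it if no correspondent needs it.
    personal-cipher-preferences = "AES256 AES CAST5";
    personal-digest-preferences = "SHA512";
    quiet = true;

    # String-to-key (passphrase stretching) parameters, used for passphrase-based
    # encryption such as `gpg --symmetric`.
    # NOTE(review): with GnuPG 2.x, private keys are protected by gpg-agent,
    # which has its own s2k settings. Confirm where your keys are protected.
    s2k-cipher-algo = "AES256";
    # Raised from 65536 to 65011712, the maximum GnuPG accepts. An explicit
    # value overrides the default gpg obtains from gpg-agent, and 65536 makes
    # offline passphrase guessing far cheaper than it needs to be.
    s2k-count = "65011712";
    s2k-digest-algo = "SHA512";
    # Mode 3 = iterated and salted. s2k-count only has an effect in this mode.
    s2k-mode = "3";

    # Trust model combining trust-on-first-use with the web of trust. Keys seen
    # for the first time start out with the "unknown" TOFU policy.
    tofu-default-policy = "unknown";
    trust-model = "tofu+pgp";
    #with-fingerprint = [ true true ];
    use-agent = true;
    utf8-strings = true;
  };

  # dirmngr.conf is emitted verbatim; lines starting with '#' inside the string
  # are disabled dirmngr options, not Nix comments.
  #  - allow-ocsp: permits OCSP lookups when a client requests them. Each query
  #    tells the responder which certificate is being checked.
  #  - keyserver: hkps:// means keyserver traffic goes over TLS.
  #  - use-tor (disabled): would route dirmngr traffic through Tor.
  # The file is managed through home.file, so it must never hold secrets.
  home.file."${config.programs.gpg.homedir}/dirmngr.conf".text = ''
    allow-ocsp
    keyserver hkps://keys.openpgp.org
    #use-tor
    #log-file dirmngr.log
    #standard-resolver
  '';

  # `pass` password store with its extensions, installed only while gpg is
  # enabled (pass encrypts its entries with gpg).
  home.packages = lib.mkIf config.programs.gpg.enable [
    (pkgs.pass.withExtensions (ext: with ext; [
      pass-audit
      pass-checkup
      pass-file
      pass-genphrase
      pass-import
      pass-otp
      pass-tomb
      pass-update
    ]))
  ];
}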