# NixOS module for one machine: points the gnupg secret store at this
# machine's subtree of the `pass` flake input and tunes sshd so a remote
# gpg-agent socket forward can be re-established over a stale socket.
{ flakes, pkgs, lib, config, machineName, ... }:
let
  inherit (config.security) gnupg;
  # Name of the encrypted root key material under gnupg.store; only the
  # commented-out installer hook below reads it, as `${rootKey}.pass.gpg`.
  rootKey = "root/key";
  # Keygrip the (disabled) installer hook expects to find in the target's
  # gpg-agent; unused while that hook stays commented out.
  keygrip = "9AA84E6F6D71F9163C46BF396B141A0806219077";
in {
  # Per-machine secret store. Flake inputs are copied into the Nix store, so
  # everything under this path is world-readable there -- it must hold only
  # gpg-encrypted files (the hook below reads `*.pass.gpg`).
  security.gnupg.store = flakes.pass + "/machines/${machineName}";
  #security.apparmor.policies."bin.ping".enable = false;
  # StreamLocalBindUnlink lets a client's `-R` Unix-socket forward replace an
  # existing socket file at the bind path (here: a stale gpg-agent socket).
  # As written it is a global sshd option, so it applies to every account that
  # can log in, for any socket path that account may bind; scope it with a
  # `Match` block if other users reach this sshd.
  services.openssh.extraConfig = ''
    # This is for removing remote gpg-agent's socket
    StreamLocalBindUnlink yes
  '';
  # Disabled installer hook (kept for reference). It asked the target's
  # gpg-agent for its key list and skipped the rest when the keygrip was
  # already cached (or no agent was running); otherwise it decrypted the
  # local passphrase file, exported the root secret subkeys with it, imported
  # them on the target over ssh, and preset the same passphrase into the
  # target's gpg-agent. NOTE(review): the passphrase then stays cached in the
  # remote agent, and `--no-autostart` is repeated on the import command.
  /*
  installer.ssh-nixos = {
    PATH = [pkgs.gnupg pkgs.openssh];
    sshFlags = [
      #"-R" "/var/lib/gnupg/S.gpg-agent.extra:/run/user/1000/gnupg/d.w1sj57hx3zfcwadyxpr6wko9/S.gpg-agent.extra"
      #"-o" "StreamLocalBindUnlink=yes"
    ];
    script = lib.mkBefore ''
      ssh '${config.installer.ssh-nixos.target}' \
        gpg-connect-agent --no-autostart --homedir /var/lib/gnupg "'keyinfo --list'" /bye 2>&1 |
      grep -qx -e "gpg-connect-agent: no gpg-agent running in this session" \
               -e "S KEYINFO ${keygrip} . . . 1 .*" || {
        # Send the rootKey
        gpg --decrypt '${gnupg.store}/${rootKey}.pass.gpg' |
        gpg --batch --pinentry-mode loopback --passphrase-fd 0 --export-secret-subkeys @root@${machineName} |
        ssh '${config.installer.ssh-nixos.target}' \
          gpg --no-autostart --homedir /var/lib/gnupg --no-autostart --batch --pinentry-mode loopback --import
        # Send the rootKey's passphrase
        gpg --decrypt '${gnupg.store}/${rootKey}.pass.gpg' |
        ssh '${config.installer.ssh-nixos.target}' \
          gpg-preset-passphrase --homedir /var/lib/gnupg --preset ${keygrip}
      }
    '';
  };
  */
}