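# Home-manager module exposing GnuPG client settings, and gpg-agent settings
# (currently disabled), under `my.home.gpg`.
{ pkgs, config, lib, ... }:
let
  cfg = config.my.home.gpg;
in
{
  options.my.home.gpg = with lib; {
    enable = mkEnableOption "gpg configuration";

    pinentry = mkOption {
      type = types.str;
      default = "tty";
      example = "gnome3";
      description = "Which pinentry interface to use";
    };

    defaultKey = mkOption {
      # nullOr: the default is null, which a plain `types.str` rejects at
      # evaluation time as soon as the option is read without being set.
      type = types.nullOr types.str;
      default = null;
      description = "Default GPG key";
    };
  };

  config = lib.mkIf cfg.enable {
    home.packages = with pkgs; [
      yubikey-manager
    ];

    programs.gpg = {
      enable = true;
      # Keyring lives under the XDG config directory instead of ~/.gnupg.
      homedir = "${config.xdg.configHome}/gnupg";

      settings = {
        # Preference lists are ordered, most preferred algorithm first.
        personal-cipher-preferences = "AES256 AES192 AES";
        personal-digest-preferences = "SHA512 SHA384 SHA256";
        personal-compress-preferences = "ZLIB BZIP2 ZIP Uncompressed";
        # Show long key IDs and fingerprints in listings; short key IDs are
        # easy to collide and should not be used to identify a key.
        keyid-format = "long";
        with-fingerprint = true;
      }
      # Emit `default-key` only when a key was configured, so a null value
      # never reaches the generated gpg.conf.
      // lib.optionalAttrs (cfg.defaultKey != null) {
        default-key = cfg.defaultKey;
      };
    };

    services.gpg-agent = {
      # NOTE(review): with `enable = false` home-manager is expected to ignore
      # the remaining agent options below; confirm that is intended.
      enable = false;
      enableSshSupport = false; # ensure we're not defaulting to GPG
      # NOTE(review): newer home-manager releases replace `pinentryFlavor`
      # with a package-valued option; verify against the pinned release.
      pinentryFlavor = cfg.pinentry;
      # Loopback pinentry lets a gpg client started with
      # `--pinentry-mode loopback` supply the passphrase itself instead of going
      # through the pinentry program. Keep it only if something needs
      # unattended passphrase entry; `no-allow-loopback-pinentry` turns it off.
      extraConfig = ''
        allow-loopback-pinentry
      '';
    };
  };
}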