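# Home-manager module for password management: pass (GPG-backed store),
# passage (age-backed store) and git credential lookup via pass-git-helper.
# Everything under `config` is applied only when my.home.pass.enable is set.
{ config, lib, pkgs, ... }:
let
  cfg = config.my.home.pass;
in
{
  options.my.home.pass = with lib; {
    enable = mkEnableOption "pass configuration";
  };

  config = lib.mkIf cfg.enable {
    programs.password-store = {
      enable = true;
      settings = {
        PASSWORD_STORE_DIR = "${config.xdg.dataHome}/password-store";
        PASSWORD_STORE_GENERATED_LENGTH = "30";
        # `pass generate` hands this string to `tr -dc`, where a "-" between
        # two characters is a range. Written as ")-_" it expanded to
        # everything from ")" to "_", silently adding "/" and "\" to the
        # generated passwords. Keeping "-" as the last character makes it a
        # literal, so the set is exactly the characters listed.
        PASSWORD_STORE_CHARACTER_SET = "a-zA-Z0-9~!@#$%^&*()_=+[]{};:,.<>?-";
        # Read from the GPG module; default-key is not defined in this file
        # and must be set elsewhere, otherwise evaluation fails here.
        PASSWORD_STORE_KEY = config.programs.gpg.settings.default-key;
      };
    };

    home.sessionVariables = {
      PASSAGE_DIR = "${config.xdg.dataHome}/passage/store";
      # For now passage has to default to rage: the packaged version of age
      # is not recent enough to work with keys generated by
      # age-plugin-yubikey.
      PASSAGE_AGE = "${pkgs.rage}/bin/rage";
    };

    home.packages = with pkgs; [ passage tree ];

    programs.git = {
      extraConfig = {
        credential = {
          helper = "${pkgs.gitAndTools.pass-git-helper}/bin/pass-git-helper";
          # Send the repository path to the helper as well as the host, so
          # the mapping file can select a different entry per repository.
          useHttpPath = true;
        };
      };
    };

    # The mapping file is copied into the Nix store, which is readable by
    # every local user: it should hold only host patterns and entry names,
    # never secrets.
    xdg.configFile."pass-git-helper/git-pass-mapping.ini" = {
      source = ./git-pass-mapping.ini;
    };

    services.password-store-sync.enable = true;

    # Ensure the password store variables are in the systemd session too.
    # NOTE(review): the character set contains "$", "#" and ";"; confirm the
    # value reaches units started by systemd unchanged.
    systemd.user.sessionVariables = config.programs.password-store.settings;
  };
}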