# Home-manager module wiring up GnuPG, gpg-agent, pass (password-store)
# and git's credential helper for one user.
{ config, pkgs, ... }:

let
  # pass wrapped with its OTP, update, audit and import extensions.
  passWithExtensions = pkgs.pass.withExtensions (exts: [
    exts.pass-otp
    exts.pass-update
    exts.pass-audit
    exts.pass-import
  ]);

  # Passphrase cache lifetime in seconds (7200 = two hours), used for both
  # GPG and SSH keys below. No maxCacheTtl is set in this module, so
  # gpg-agent's own upper bound on cache lifetime applies.
  cacheTtl = 7200;
in
{
  # Installs the default pinentry build into the user profile; the flavor
  # the agent is configured with is chosen separately by pinentryFlavor.
  home.packages = [ pkgs.pinentry ];

  programs.gpg.enable = true;

  programs.password-store = {
    enable = true;
    package = passWithExtensions;
    # Store location: ~/.password-store, resolved from home.homeDirectory.
    settings.PASSWORD_STORE_DIR =
      "${config.home.homeDirectory}/.password-store";
  };

  # Git credentials are handed to the libsecret helper, i.e. they live in
  # the desktop Secret Service keyring rather than in pass or under GPG.
  # Their protection is therefore whatever the keyring provides.
  programs.git.extraConfig.credential.helper =
    "${pkgs.gitFull}/bin/git-credential-libsecret";

  services.gpg-agent = {
    enable = true;
    defaultCacheTtl = cacheTtl;
    defaultCacheTtlSsh = cacheTtl;
    pinentryFlavor = "gtk2";
    # Raw gpg-agent.conf lines:
    #   no-allow-external-cache  - pinentry must not offer to save the
    #                              passphrase in an external store (keyring).
    #   allow-emacs-pinentry     - pinentry may redirect its prompt to Emacs.
    #   allow-loopback-pinentry  - clients may request loopback mode, where
    #                              the passphrase arrives via the gpg client
    #                              instead of the pinentry dialog.
    # NOTE(review): with loopback allowed, passphrase entry is not confined
    # to the pinentry prompt; keep the line only if a workflow needs it.
    extraConfig = ''
      no-allow-external-cache
      allow-emacs-pinentry
      allow-loopback-pinentry
    '';
  };

  # Home-manager's periodic password-store sync.
  # NOTE(review): presumably pulls/pushes the store's git remote - confirm
  # the remote is trusted; pass encrypts entry contents, not entry names.
  services.password-store-sync.enable = true;
}