# NixOS module: YubiKey-centred authentication plus a narrow sudo-rs policy.
{ lib, pkgs, ... }:
let
  # Absolute store path of a binary shipped in the systemd package.
  systemdBin = lib.getExe' pkgs.systemd;

  # Build one sudo rule entry that skips the password prompt for `command`.
  nopasswd = command: {
    inherit command;
    options = [ "NOPASSWD" ];
  };
in
{
  # RealtimeKit; mkDefault lets another module override the value.
  security.rtkit.enable = lib.mkDefault true;

  # pam_u2f is switched on here without a `control` value, so the NixOS
  # default applies unless another module sets it.
  # NOTE(review): that default is believed to be "sufficient", which lets a
  # registered key authenticate on its own; set `control = "required"` if the
  # key is meant to be a second factor on top of the password.
  security.pam.u2f = {
    enable = true;
    # Print a "touch the device" prompt while waiting for the key.
    settings.cue = true;
  };

  # Classic sudo is turned off in favour of sudo-rs (both only as defaults).
  security.sudo.enable = lib.mkDefault false;
  security.sudo-rs.enable = lib.mkDefault true;

  # Members of `wheel` may run exactly these power-management commands
  # without a password. Commands are pinned to absolute store paths.
  # NOTE(review): the systemctl rule is restricted to the `suspend` argument;
  # the reboot/poweroff entries name no arguments, which in sudoers syntax
  # usually permits any arguments. Confirm that is intended.
  security.sudo-rs.extraRules = [
    {
      groups = [ "wheel" ];
      commands = [
        (nopasswd "${systemdBin "systemctl"} suspend")
        (nopasswd (systemdBin "reboot"))
        (nopasswd (systemdBin "poweroff"))
      ];
    }
  ];

  # User-facing YubiKey tooling plus libsecret.
  environment.systemPackages = [
    pkgs.age-plugin-yubikey
    pkgs.libsecret
    pkgs.yubikey-manager
    pkgs.yubikey-personalization
    pkgs.yubioath-flutter
  ];

  # yubikey-agent and the PC/SC daemon are enabled; passSecretService is
  # explicitly kept off.
  services.yubikey-agent.enable = true;
  services.pcscd.enable = true;
  services.passSecretService.enable = false;

  programs.yubikey-touch-detector.enable = true;
}