nix-config/modules/nixos/security/common/default.nix

{ config, namespace, lib, pkgs, ... }:
let
  hasGui = config.${namespace}.desktop.hyprland.enable || config.${namespace}.desktop.gnome.enable || config.${namespace}.desktop.cosmic.enable;
in
{
  security = {
    rtkit.enable = lib.mkDefault true;

    pam.u2f = {
      enable = true;
      settings.cue = true;
    };

    # configure sudo
    sudo.enable = lib.mkForce false;
    sudo-rs = {
      enable = lib.mkForce true;
      extraRules = [
        {
          commands = [
            {
              command = "${lib.getExe' pkgs.systemd "systemctl"} suspend";
              options = [ "NOPASSWD" ];
            }
            {
              command = "${lib.getExe' pkgs.systemd "reboot"}";
              options = [ "NOPASSWD" ];
            }
            {
              command = "${lib.getExe' pkgs.systemd "poweroff"}";
              options = [ "NOPASSWD" ];
            }
          ];
          groups = [ "wheel" ];
        }
      ];
    };
  };

  environment.systemPackages = with pkgs; [
    age-plugin-yubikey
    libsecret
    yubikey-manager
    yubikey-personalization
  ] ++ (if hasGui then [ yubioath-flutter ] else [ ]);

  services = {
    yubikey-agent.enable = true;
    passSecretService.enable = false;
    pcscd.enable = true;
  };

  programs = {
    yubikey-touch-detector = {
      enable = true;
    };
  };
}