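# Home Manager module: GnuPG with gpg-agent (also serving as the SSH agent)
# and smart-card access routed through the PC/SC daemon.
{ config, lib, pkgs, ... }:

let
  cfg = config.custom.pgp;
in
{
  # mkEnableOption prefixes the text with "Whether to enable", so the
  # description is written as a noun phrase.
  options.custom.pgp.enable =
    lib.mkEnableOption "GnuPG (PGP) with gpg-agent and smart-card access via pcscd";

  config = lib.mkIf cfg.enable {
    # 1. Provide the bridge to pcscd.
    #    disable-ccid turns off scdaemon's built-in CCID driver and pcsc-driver
    #    points it at the PC/SC client library, so card access goes through
    #    pcscd. Nothing in this module starts pcscd; it has to be provided by
    #    the host (on NixOS: services.pcscd.enable).
    #    NOTE(review): the path assumes the default GnuPG home (~/.gnupg).
    home.file.".gnupg/scdaemon.conf".text = ''
      disable-ccid
      pcsc-driver ${pkgs.pcsclite.lib}/lib/libpcsclite.so.1
    '';

    # 2. Configure the agent.
    services.gpg-agent = {
      enable = true;
      # The agent also answers SSH authentication requests, so every process
      # that can reach the agent socket can ask for signatures with the
      # keys it holds.
      enableSshSupport = true;
      enableZshIntegration = true;
      # Terminal pinentry: PIN/passphrase prompts need a usable TTY.
      pinentry.package = pkgs.pinentry-curses;
      # 'disable-scdaemon' is intentionally absent so the agent can use the
      # scdaemon configuration written above.
      #
      # SECURITY: loopback pinentry lets the calling program supply the
      # passphrase itself (gpg --pinentry-mode loopback) instead of the user
      # typing it into the pinentry prompt. Keep it only if a non-interactive
      # workflow needs it. Recent GnuPG releases allow loopback by default, so
      # removing this line is not enough to turn it off; that takes
      # 'no-allow-loopback-pinentry'.
      extraConfig = ''
        allow-loopback-pinentry
      '';
    };

    # 3. Standard GPG settings.
    programs.gpg = {
      enable = true;
      settings = {
        use-agent = true;

        # Algorithm preferences: strongest first.
        personal-cipher-preferences = "AES256 AES192 AES";
        personal-digest-preferences = "SHA512 SHA384 SHA256";
        cert-digest-algo = "SHA512";
        # Passphrase-to-key (S2K) parameters for symmetric and secret-key
        # protection.
        s2k-digest-algo = "SHA512";
        s2k-cipher-algo = "AES256";

        charset = "utf-8";

        # Valueless flags are written as booleans, matching use-agent above.
        fixed-list-mode = true;
        # Keep version and comment strings out of armored output.
        no-comments = true;
        no-emit-version = true;
        no-greeting = true;

        # Long key IDs and fingerprints in listings; short IDs are easy to
        # collide and should not be relied on to identify a key.
        keyid-format = "0xlong";
        list-options = "show-uid-validity";
        verify-options = "show-uid-validity";
        with-fingerprint = true;

        # Signing subkeys must be cross-certified by their primary key.
        require-cross-certification = true;
        # Do not cache passphrases used for symmetric encryption.
        no-symkey-cache = true;
      };
    };

    home.packages = [
      pkgs.gnupg
      pkgs.pcsclite
    ];
  };
}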