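{ pkgs, config, lib, ... }:
/*
  # to enroll a yubikey (works like .ssh/known_hosts)
  nix-shell -p pam_u2f
  mkdir -p ~/.config/Yubico
  pamu2fcfg > ~/.config/Yubico/u2f_keys
  pamu2fcfg -n >> ~/.config/Yubico/u2f_keys   (to add additional yubikeys)

  # to test auth with pam
  nix-shell -p pamtester
  pamtester login authenticate
  pamtester sudo authenticate
*/
let
  service = "yubikey";
  cfg = config.system.${service};
in
{
  # NixOS module: hardware-key authentication for PAM (login + sudo) via a
  # YubiKey, either as a U2F second factor or via pam_yubico challenge-response,
  # plus optional session locking when the key is unplugged.
  options.system.${service} = {
    enable = lib.mkEnableOption "enables ${service}";

    # Restricted to the two values the config block below actually handles.
    # With a free-form string, a typo (e.g. "U2F") evaluated cleanly but matched
    # neither mkIf condition, leaving the host with enable = true and no
    # hardware factor configured at all; an enum fails at evaluation instead.
    mode = lib.mkOption {
      type = lib.types.enum [ "u2f" "challenge-response" ];
      default = "u2f";
      description = "whether to run pam in u2f or challenge-response mode";
    };

    lock_on_remove = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = "enable automatic locking of device upon removal of yubikey";
    };
  };

  config = lib.mkIf cfg.enable {
    environment.systemPackages = with pkgs; [
      yubikey-personalization
      yubikey-manager
    ];

    # enable smartcard
    services.pcscd.enable = true;

    # u2f mode: pam_u2f on login and sudo; keys are read from the per-user
    # ~/.config/Yubico/u2f_keys file enrolled as described at the top of the file.
    security.pam.services = lib.mkIf (cfg.mode == "u2f") {
      login.u2fAuth = true;
      sudo.u2fAuth = true;
    };

    # challenge-response mode: pam_yubico with the key's HMAC-SHA1 slot.
    security.pam.yubico = lib.mkIf (cfg.mode == "challenge-response") {
      enable = true;
      # NOTE(review): debug = true makes pam_yubico log verbosely on every
      # authentication attempt; confirm this is intended on a production host.
      debug = true;
      mode = "challenge-response";
      # NOTE(review): `id` is the Yubico API client id; presumably unused in
      # challenge-response mode (no cloud validation), hence left empty — verify.
      id = [ "" ];
    };

    # Lock every session when the key is unplugged.  The match is narrowed to
    # Yubico's vendor id plus a single model id, so a YubiKey with a different
    # product id will not trigger the rule — check with `lsusb` when adding a key.
    services.udev.extraRules = lib.mkIf cfg.lock_on_remove ''
      ACTION=="remove",\
      ENV{ID_BUS}=="usb",\
      ENV{ID_MODEL_ID}=="0407",\
      ENV{ID_VENDOR_ID}=="1050",\
      ENV{ID_VENDOR}=="Yubico",\
      RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"
    '';
  };
}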