# Home Manager module: `profiles.security`.
#
# When enabled, installs a set of credential / hardware-token tools and, on
# Linux, wires up socket-activated systemd *user* units for
# yubikey-touch-detector.
{ config, lib, pkgs, ... }:

let
  cfg = config.profiles.security;

  # Absolute store path of the detector binary; interpolated into ExecStart so
  # the unit does not depend on PATH lookup.
  detectorBin = lib.getExe pkgs.yubikey-touch-detector;
in
{
  # Single opt-in switch; nothing below is applied unless it is set.
  options.profiles.security.enable =
    lib.mkEnableOption "Profile for security-related packages";

  config = lib.mkIf cfg.enable {
    # NOTE(review): unlike the systemd units below, this list is not guarded
    # by `pkgs.stdenv.isLinux`. Confirm every package here is available on any
    # non-Linux host that enables the profile.
    home.packages = [
      pkgs.yubikey-manager
      pkgs.age-plugin-yubikey
      pkgs.bitwarden
      pkgs.bitwarden-cli
      pkgs.keyutils
      pkgs.protonvpn-gui
    ];

    # systemd user units only exist on Linux, so the whole subtree is gated.
    systemd.user = lib.mkIf pkgs.stdenv.isLinux {
      sockets.yubikey-touch-detector = {
        Unit = {
          Description = "Unix socket activation for YubiKey touch detector service";
        };

        # `%t` is the per-user runtime directory in a user manager, so the
        # socket is created next to the user's other session sockets rather
        # than in a shared location such as /tmp.
        Socket.ListenStream = "%t/yubikey-touch-detector.socket";
        # Remove the socket file when the unit stops so no stale node is left.
        Socket.RemoveOnStop = true;

        Install = {
          WantedBy = [ "sockets.target" ];
        };
      };

      services.yubikey-touch-detector = {
        Unit.Description = "Detects when your YubiKey is waiting for a touch";
        # Hard dependency on the socket unit defined above.
        Unit.Requires = "yubikey-touch-detector.socket";

        # `--libnotify` raises a desktop notification on a pending touch;
        # `-v` enables verbose output, which lands in the user journal.
        Service.ExecStart = "${detectorBin} --libnotify -v";
        # Leading `-` makes the file optional (a missing file is not an
        # error). `%E` is the user's configuration directory, so this file is
        # user-writable: anything able to write there can change the
        # environment the service starts with.
        Service.EnvironmentFile = "-%E/yubikey-touch-detector/service.conf";

        # Enabling/disabling the service also enables/disables its socket.
        Install.Also = "yubikey-touch-detector.socket";
        Install.WantedBy = [ "default.target" ];
      };
    };
  };
}