{ pkgs, pkgs-unstable, ... }:
{
  # there also is a system module
  home.packages = with pkgs; [
    gnupg
    gpg-tui
  ] ++ ( with pkgs-unstable; [
    pinentry-all
  ]);

  # services.pcscd.enable = true;
  services.gpg-agent = {
    enable = true;
    verbose = true;
    sshKeys = [
      "97081264F7FD72D890D496E839AA9A4C7892A7D8" # Keygrip (not Fingerprint!) of [A] Subkey
    ];
    enableSshSupport = true;
    enableFishIntegration = true;
    # pinentryPackage = pkgs.pinentry-gtk2;
  };

  home.file.".gnupg/gpg.conf".text = ''
    # Use AES256, 192, or 128 as cipher
    personal-cipher-preferences AES256 AES192 AES
    # Use SHA512, 384, or 256 as digest
    personal-digest-preferences SHA512 SHA384 SHA256
    # Use ZLIB, BZIP2, ZIP, or no compression
    personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
    # Default preferences for new keys
    default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
    # SHA512 as digest to sign keys
    cert-digest-algo SHA512
    # SHA512 as digest for symmetric ops
    s2k-digest-algo SHA512
    # AES256 as cipher for symmetric ops
    s2k-cipher-algo AES256
    # UTF-8 support for compatibility
    charset utf-8
    # No comments in messages
    no-comments
    # No version in output
    no-emit-version
    # Disable banner
    no-greeting
    # Long key id format
    keyid-format 0xlong
    # Display UID validity
    list-options show-uid-validity
    verify-options show-uid-validity
    # Display all keys and their fingerprints
    with-fingerprint
    # Display key origins and updates
    #with-key-origin
    # Cross-certify subkeys are present and valid
    require-cross-certification
    # Disable caching of passphrase for symmetrical ops
    no-symkey-cache
    # Output ASCII instead of binary
    armor
    # Enable smartcard
    # use-agent
  '';
}