{
  config,
  pkgs,
  lib,
  ...
}: {
  programs.gpg = {
    enable = true;
    homedir = "${config.xdg.dataHome}/gnupg";
    mutableKeys = true;
    mutableTrust = true;

    settings = {
      default-key = "Benedikt Peetz <benedikt.peetz@b-peetz.de>";
      # TODO: add more
    };

    publicKeys = [
      {
        source = ./keys/key_1.asc;
        trust = "ultimate";
      }
      {
        source = ./keys/key_2.asc;
        trust = "full";
      }
    ];
  };
  services = {
    gpg-agent = {
      enable = true;
      enableZshIntegration = true;
      enableScDaemon = true; # smartcards and such things

      # Cache the key passwords
      defaultCacheTtl = 60 * 50;
      defaultCacheTtlSsh = 60 * 50;
      maxCacheTtl = 60 * 50;
      maxCacheTtlSsh = 60 * 50;

      pinentryPackage = pkgs.pinentry-curses;
      # pinentryPackage = pkgs.pinentry-tty;

      enableSshSupport = true;
      sshKeys = let
        removeSpace = str: builtins.replaceStrings [" "] [""] str;
      in [
        (removeSpace "8321 ED3A 8DB9 99A5 1F3B  F80F F268 2914 EA42 DE26")
      ];
    };
  };

  programs.zsh.initExtraFirst = lib.mkBefore ''
    export GPG_TTY=$(tty)

    # Magic copied from the gpg-agent manual
    unset SSH_AGENT_PID
    if [ "''${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
        export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
    fi


    # Ensure that get gpg agent is started (necessary because ssh does not start it
    # automatically and has it's tty updated)
    gpg-connect-agent /bye
  '';
}