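# Home Manager module: installs passage (the age-based password store) together
# with age-plugin-yubikey, plus a helper command that records the connected
# YubiKey's identity stubs and recipients in the files passage reads.
{ pkgs, config, ... }:
let
  # Identity stubs live under the XDG config dir, i.e. outside the passage
  # store directory below (and outside the Nix store).
  passage_identity_dir = "${config.xdg.configHome}/passage";
  passage_identities_file = "${passage_identity_dir}/identities";

  passage_dir = "${config.xdg.dataHome}/passage/store";
  passage_recipients_file = "${passage_dir}/.age-recipients";

  # `passage-yubikey-update`: appends the output of `age-plugin-yubikey
  # --identity` to the identities file and of `age-plugin-yubikey --list` to
  # the recipients file. Refuses to run until the store directory exists.
  passage-yubikey-update = pkgs.writeShellApplication {
    name = "passage-yubikey-update";
    # coreutils/gnugrep are listed so mkdir, dirname, touch and grep do not
    # depend on whatever happens to be on the caller's PATH.
    runtimeInputs = with pkgs; [ age-plugin-yubikey coreutils gnugrep ];
    text = ''
      if ! [[ -d "${passage_dir}" ]]; then
        echo >&2 "Error: ${passage_dir} must be created manually."
        exit 1
      fi

      identitiesFile="${passage_identities_file}"
      recipientsFile="${passage_recipients_file}"

      # Append "$2" to file "$1" only when it holds at least one key line
      # (non-blank, non-comment) that the file does not already contain.
      # This keeps re-runs with the same token from piling up duplicate
      # identities and recipients. If any key line is new, the whole captured
      # output is appended, so the plugin's comment header stays next to it.
      append_if_new() {
        local target="$1" entries="$2" line
        touch "$target"
        while IFS= read -r line; do
          case "$line" in
            "" | "#"*) continue ;;
          esac
          if ! grep -qxF -- "$line" "$target"; then
            printf '%s\n' "$entries" >> "$target"
            echo >&2 "Updated $target"
            return 0
          fi
        done <<< "$entries"
        echo >&2 "No new entries for $target"
      }

      # Query the token before touching either file: if the plugin fails
      # (for example no YubiKey is connected) the script stops here under
      # errexit instead of leaving a partial append behind.
      identities="$(age-plugin-yubikey --identity)"
      recipients="$(age-plugin-yubikey --list)"

      # Files and directories created below are private to the user. The
      # identity stubs reference the hardware token rather than carrying key
      # material, but other local accounts have no need to read them.
      umask 077
      mkdir -p "$(dirname "$identitiesFile")"
      mkdir -p "$(dirname "$recipientsFile")"

      append_if_new "$identitiesFile" "$identities"
      append_if_new "$recipientsFile" "$recipients"
    '';
  };
in
{
  home.packages = with pkgs; [
    age
    age-plugin-yubikey
    passage
    passage-yubikey-update
  ];

  # Point passage at the same paths the helper script writes to; the values
  # reuse the let-bindings so the two cannot drift apart.
  home.sessionVariables = {
    PASSAGE_DIR = passage_dir;
    PASSAGE_RECIPIENTS_FILE = passage_recipients_file;
    PASSAGE_IDENTITIES_FILE = passage_identities_file;
  };
}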