{ pkgs, host, ... }:

let
  # Per-host values (the YubiKey id list among them) come from the host's variables.nix.
  hostVars = import ../../hosts/${host}/variables.nix;

  # udev rule: when a YubiKey (USB vendor 1050, product 0407) is removed, lock
  # every logind session.  Only this one vendor/product pair is matched, so a key
  # that enumerates under a different product id (another USB-mode combination or
  # model) would not trigger the lock -- check `udevadm info` for the actual
  # device.  Note that `lock-sessions` locks all sessions on the host, not only
  # the one belonging to the key's owner.
  lockOnRemoveRule = ''
    ACTION=="remove", ENV{ID_BUS}=="usb", ENV{ID_MODEL_ID}=="0407", ENV{ID_VENDOR_ID}=="1050", ENV{ID_VENDOR}=="Yubico", RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"
  '';
in
{
  services = {
    udev = {
      # Device rules shipped with yubikey-personalization (permissions for the key).
      packages = [ pkgs.yubikey-personalization ];
      extraRules = lockOnRemoveRule;
    };
    # PC/SC daemon, needed for CCID / GPG smartcard mode.
    pcscd.enable = true;
  };

  # gpg-agent also acts as the SSH agent, so an authentication subkey on the
  # YubiKey can be used for SSH.
  programs.gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
  };

  # pam_yubico in local challenge-response mode (no Yubico cloud validation).
  # `control` is not set here, so it stays at the NixOS default ("sufficient",
  # per the option documentation -- confirm): a successful challenge-response
  # alone satisfies the auth stack without a password.  Set
  # `control = "required"` if the key is meant to be a second factor rather
  # than a password replacement.  Each user still needs a challenge file
  # generated with ykpamcfg (per the yubico-pam documentation), otherwise the
  # module cannot match their key.
  security.pam.yubico = {
    enable = true;
    # Keep debug off outside troubleshooting; its output goes to the PAM/syslog path.
    debug = false;
    mode = "challenge-response";
    # NOTE(review): the NixOS module appears to pass `id` to pam_yubico only in
    # "client" mode, so in challenge-response mode this value is likely unused
    # -- verify against the pam module before relying on it for access control.
    id = hostVars.yubikeyIds;
  };

  # CLI tooling for managing keys (ykpersonalize, ykman, ykpamcfg, pamu2fcfg).
  environment.systemPackages = [
    pkgs.yubikey-personalization
    pkgs.yubikey-manager
    pkgs.yubico-pam
    pkgs.pam_u2f
  ];
}