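# NixOS module for hardware security keys: Nitrokey udev rules, the PC/SC
# smartcard daemon, pam_u2f authentication and U2F support in i3lock.
{ pkgs, config, lib, ... }:
let
  inherit (lib) mkEnableOption;
  cfg = config.jade.hwKey;
in
{
  options.jade.hwKey = {
    # mkEnableOption prepends "Whether to enable " to this text, so the
    # description must not start with "Enable" itself.
    pamAuth.enable = mkEnableOption "PAM authentication with hardware keys";
  };

  # NOTE(review): nothing in this set is gated on cfg.pamAuth.enable except
  # security.pam.services.jade.u2fAuth; the rest applies whenever the module
  # is imported.
  config = {
    # nitrokey
    services.udev.packages = [ pkgs.nitrokey-udev-rules ];

    # smartcard daemon
    services.pcscd.enable = true;

    # authenticate using hw key
    security.pam = {
      # Switches pam_u2f on or off for the PAM service named "jade" only.
      services.jade.u2fAuth = cfg.pamAuth.enable;

      u2f = {
        # NOTE(review): in nixpkgs each PAM service's u2fAuth defaults to
        # security.pam.u2f.enable, so this line turns pam_u2f on for every
        # service that does not override it (sudo, login, ...), whatever
        # cfg.pamAuth.enable says. If the option is meant to be the master
        # switch, this should probably read `enable = cfg.pamAuth.enable;`.
        # Confirm the intent.
        enable = true;

        # "sufficient": a successful key check alone satisfies the auth
        # stack, so the key replaces the password instead of acting as a
        # second factor. Use "required" if two factors are intended.
        control = "sufficient";

        settings = {
          # Prompt the user to touch the device.
          cue = true;

          # NOTE(review): this mapping file lives in a directory the user can
          # write to. Any process running as that user can change which
          # credentials are accepted, and with control = "sufficient" that is
          # all it needs wherever pam_u2f is active. A root-owned file outside
          # the home directory avoids this.
          # NOTE(review): the pam_u2f argument is spelled `authfile`; confirm
          # that this camelCase key is honoured and the module does not fall
          # back to its default path.
          authFile = "/home/jade/.ssh/u2f_keys";
        };
      };
    };

    # NOTE(review): presumably only takes effect when programs.i3lock.enable
    # is set elsewhere; verify.
    programs.i3lock.u2fSupport = true;
  };
}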