{ lib, pkgs, config, ... }:
let
  # Shorthand for this module's own option tree.
  sec = config.home.security;
in
{
  # Opt-in GPG and SSH client hardening for a home-manager user profile.
  options.home.security = {
    enable = lib.mkEnableOption "Security stuff.";

    gpg = {
      enable = lib.mkEnableOption "GPG configurations.";
      homeDir = lib.mkOption {
        type = lib.types.str;
        default = "${config.home.homeDirectory}/.gpg";
        description = "GPG config directory.";
      };
    };

    ssh = {
      enable = lib.mkEnableOption "SSH base configurations.";
      homeDir = lib.mkOption {
        type = lib.types.str;
        default = "${config.home.homeDirectory}/.ssh";
        description = "SSH config directory.";
      };
    };
  };

  config = lib.mkIf sec.enable {
    programs.gpg = lib.mkIf sec.gpg.enable {
      enable = true;
      package = pkgs.gnupg;
      # Keyring and trust database remain writable at runtime, so keys and
      # trust levels are managed with gpg itself rather than declared here.
      mutableKeys = true;
      mutableTrust = true;
      homedir = sec.gpg.homeDir;
      settings = {
        no-comments = true;
        # Omit recipient key ids from encrypted messages.
        throw-keyids = true;
        no-emit-version = true;
        keyid-format = "0xlong";
      };
    };

    services.gpg-agent = lib.mkIf sec.gpg.enable {
      enable = true;
      pinentry.package = pkgs.pinentry-qt;
    };

    programs.ssh = lib.mkIf sec.ssh.enable {
      enable = true;
      # Every client default comes from the "*" block below, not from
      # home-manager's built-in defaults.
      enableDefaultConfig = false;
      package = pkgs.openssh;
      matchBlocks."*" = {
        hashKnownHosts = true;
        userKnownHostsFile = "${sec.ssh.homeDir}/known_hosts";
        # No agent forwarding and no automatic loading of keys into the agent.
        forwardAgent = false;
        addKeysToAgent = "no";
        serverAliveInterval = 0;
        serverAliveCountMax = 3;
        # Multiplexing is off; the control socket path is only defined for
        # manual `-o ControlMaster=yes` use.
        controlMaster = "no";
        controlPath = "${sec.ssh.homeDir}/master-%r@%n:%p";
        controlPersist = "no";
      };
    };
  };
}