{ lib, pkgs, config, ... }:

let
  inherit (lib) mkIf mkOption types;

  cfg = config.home.security;

  # Boolean switch option; off unless the user turns it on.
  mkSwitch = description: mkOption {
    type = types.bool;
    default = false;
    inherit description;
  };

  # String option holding a directory path directly under the user's home.
  mkHomePath = subdir: description: mkOption {
    type = types.str;
    default = "${config.home.homeDirectory}/${subdir}";
    inherit description;
  };
in
{
  options.home.security = {
    enable = mkSwitch "Security stuff.";

    gpg = {
      enable = mkSwitch "GPG configurations.";
      homeDir = mkHomePath ".gpg" "GPG config directory.";
    };

    ssh = {
      enable = mkSwitch "SSH base configurations.";
      homeDir = mkHomePath ".ssh" "SSH config directory.";
    };
  };

  config = mkIf cfg.enable {
    # GnuPG client: keyring and trustdb stay user-writable; the settings
    # limit what metadata gpg writes into its output (no comment lines, no
    # version header, recipient key ids withheld via throw-keyids) and make
    # key ids print in the long 0x-prefixed form.
    programs.gpg = mkIf cfg.gpg.enable {
      enable = true;
      package = pkgs.gnupg;
      homedir = cfg.gpg.homeDir;
      mutableKeys = true;
      mutableTrust = true;
      settings = {
        no-comments = true;
        no-emit-version = true;
        throw-keyids = true;
        keyid-format = "0xlong";
      };
    };

    # The agent prompts for passphrases through the Qt pinentry.
    services.gpg-agent = mkIf cfg.gpg.enable {
      enable = true;
      pinentry.package = pkgs.pinentry-qt;
    };

    # Home Manager's implicit client defaults are switched off, so every
    # setting of the catch-all host block is spelled out here and the
    # effective config is exactly what is listed: no agent forwarding, keys
    # never auto-added to the agent, hashed known_hosts kept under
    # cfg.ssh.homeDir, keepalives off, connection sharing off.
    programs.ssh = mkIf cfg.ssh.enable {
      enable = true;
      package = pkgs.openssh;
      enableDefaultConfig = false;
      matchBlocks."*" = {
        hashKnownHosts = true;
        userKnownHostsFile = "${cfg.ssh.homeDir}/known_hosts";
        forwardAgent = false;
        addKeysToAgent = "no";
        serverAliveInterval = 0;
        serverAliveCountMax = 3;
        controlMaster = "no";
        controlPersist = "no";
        controlPath = "${cfg.ssh.homeDir}/master-%r@%n:%p";
      };
    };
  };
}