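{ user, home }:
{ config, lib, pkgs, ... }:
let
  # Single source of truth for the keyring location. programs.gpg.homedir and
  # the importer's GNUPGHOME must name the same directory, otherwise the
  # imported keys land somewhere gpg never reads; the original spelled the
  # path out twice.
  gnupgHome = "${home}/.local/share/gnupg";
in
{
  home-manager.users.${user} = {
    # Manual key management reference:
    #   gpg --full-generate-key
    #   gpg --list-secret-keys --keyid-format LONG
    #   gpg --export-secret-keys -a $signature > priv.key
    #   gpg --export -a $signature > pub.key
    programs.gpg = {
      enable = true;
      homedir = gnupgHome;
    };

    services.gpg-agent = {
      enable = true;
      # 31536000 s = 365 days. maxCacheTtl is the hard ceiling, so a passphrase
      # entered once is usable without re-prompting for a year. That suits an
      # unattended signing setup, but anything running in this user's session
      # can use the cached key during that window; lower both values on
      # shared or portable machines.
      defaultCacheTtl = 31536000;
      maxCacheTtl = 31536000;
      # TTY pinentry: no graphical prompt is expected on this host.
      pinentry.package = pkgs.pinentry-tty;
    };

    systemd.user = {
      # Oneshot user service that runs the importer once sops-nix has finished
      # and the agent socket is available (Requires + After on both units).
      services.gpg-agent-import =
        let
          init = lib.meta.getExe (
            pkgs.writeShellApplication {
              name = "import-gpg-keys";
              runtimeInputs = with pkgs; [ coreutils gnugrep gnupg ];
              # The script gets the same GNUPGHOME as programs.gpg above.
              runtimeEnv = {
                GNUPGHOME = gnupgHome;
                HOME = home;
              };
              # Script body lives next to this module; writeShellApplication
              # wraps it with `set -euo pipefail` and shellchecks it at build
              # time. Presumably it reads the decrypted key material that
              # sops-nix places — confirm against import-gpg-keys.sh.
              text = builtins.readFile ./import-gpg-keys.sh;
            }
          );
        in
        {
          Unit = {
            Description = "Auto-import GPG keys";
            Requires = [ "sops-nix.service" "gpg-agent.socket" ];
            After = [ "sops-nix.service" "gpg-agent.socket" ];
          };
          Service = {
            Type = "oneshot";
            ExecStart = init;
          };
          Install.WantedBy = [ "default.target" ];
        };
    };
  };
}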