# NixOS module factory: given a `user` (with `.name` and `.home`), configures
# GnuPG and a gpg-agent for that user via home-manager, and adds a oneshot
# user service that imports key material decrypted by sops-nix.
# `user` has no usable default: omitting it raises at evaluation time.
{
  user ? throw "user argument is required",
}:
{
  config,
  lib,
  pkgs,
  ...
}:
let
  userName = user.name;
  userCfg = config.home-manager.users.${userName};
  # GnuPG home lives under the XDG data dir rather than ~/.gnupg.
  gpgPath = "${userCfg.xdg.dataHome}/gnupg";

  # Wrapped import script. Its body is read from the sibling file
  # ./import-gpg-keys.sh, which is not visible here; presumably it consumes
  # the two sops secrets declared below -- confirm against the script.
  importScript = pkgs.writeShellApplication {
    name = "import-gpg-keys";
    runtimeInputs = [
      pkgs.coreutils
      pkgs.gnugrep
      pkgs.gnupg
    ];
    runtimeEnv = {
      GNUPGHOME = gpgPath;
      HOME = user.home;
    };
    text = builtins.readFile ./import-gpg-keys.sh;
  };

  # 365 * 24 * 60 * 60. Both agent TTLs are one year, so an unlocked
  # passphrase stays cached in the agent for that long (in practice, until
  # the agent exits).
  oneYearSeconds = 31536000;
in
{
  home-manager.users.${userName} = {
    programs.gpg.enable = true;
    programs.gpg.homedir = gpgPath;

    services.gpg-agent.enable = true;
    services.gpg-agent.defaultCacheTtl = oneYearSeconds;
    services.gpg-agent.maxCacheTtl = oneYearSeconds;

    # Oneshot import unit: ordered after sops-nix (so the decrypted secrets
    # exist) and after the agent socket (so gpg can reach the agent).
    systemd.user.services.gpg-agent-import = {
      Unit = {
        Description = "Auto-import GPG keys";
        Requires = [ "sops-nix.service" "gpg-agent.socket" ];
        After = [ "sops-nix.service" "gpg-agent.socket" ];
      };
      Service = {
        Type = "oneshot";
        ExecStart = lib.meta.getExe importScript;
      };
      Install.WantedBy = [ "default.target" ];
    };

    # Create the GnuPG home owner-only (0700), as gnupg expects for its
    # home directory.
    systemd.user.tmpfiles.rules = [ "d ${gpgPath} 0700 ${userName} users -" ];

    # Secret declarations for the sops-nix home-manager module. No options
    # are overridden, so the decrypted path, owner and mode come from
    # sops-nix defaults.
    sops.secrets."gpg-agent/pgp.key" = { };
    sops.secrets."gpg-agent/pgp.pass" = { };
  };
}