# Home-manager wiring for one user's GnuPG setup: gpg + gpg-agent with the
# GnuPG home under the XDG data directory, plus a user systemd oneshot that
# imports keys once sops-nix has made the secrets available.
# `user` is mandatory; `user.name` and `user.home` are read below.
{ user ? throw "user argument is required" }:
{ config, lib, pkgs, ... }:
let
  # This user's home-manager configuration (only its XDG data dir is used).
  hmConfig = config.home-manager.users."${user.name}";
  # Single source of truth for the GnuPG home; every path below derives from it.
  gpgPath = "${hmConfig.xdg.dataHome}/gnupg";

  scriptName = "import-gpg-keys";
  # The import script lives next to this file and runs with GNUPGHOME pointed
  # at gpgPath.  Presumably it consumes the two sops secrets declared further
  # down — confirm against ./import-gpg-keys.sh.
  importScript = pkgs.writeShellApplication {
    name = scriptName;
    runtimeInputs = [ pkgs.coreutils-full pkgs.gnugrep pkgs.gnupg ];
    runtimeEnv = {
      GNUPGHOME = gpgPath;
      HOME = user.home;
    };
    text = builtins.readFile ./import-gpg-keys.sh;
  };
in
{
  home-manager.users."${user.name}" = {
    programs.gpg.enable = true;
    programs.gpg.homedir = gpgPath;

    services.gpg-agent.enable = true;
    # 31536000 s = one year: once unlocked, the key can be used without a
    # passphrase prompt by anything running as this user for that long.
    # NOTE(review): a shorter TTL narrows the window in which a compromised
    # user process can sign/decrypt silently; keep a year only if unattended
    # use is the intended design.
    services.gpg-agent.defaultCacheTtl = 31536000;
    services.gpg-agent.maxCacheTtl = 31536000;

    systemd.user.services.gpg-agent-import = {
      Unit = {
        Description = "Auto-import GPG keys";
        # Import can only succeed after the secrets exist and the agent
        # socket is up, hence both Requires and After on these units.
        Requires = [ "sops-nix.service" "gpg-agent.socket" ];
        After = [ "sops-nix.service" "gpg-agent.socket" ];
      };
      Service = {
        Type = "oneshot";
        ExecStart = "${importScript}/bin/${scriptName}";
      };
      Install = {
        WantedBy = [ "default.target" ];
      };
    };

    # Create the GnuPG home owner-only (0700) before anything writes into it.
    systemd.user.tmpfiles.rules = [
      "d ${gpgPath} 0700 ${user.name} users -"
    ];

    # Secrets provided through the (home-manager) sops-nix module; presumably
    # the key material the import script reads — verify in the script.
    sops.secrets."gpg-agent/pgp.key" = { };
    sops.secrets."gpg-agent/pgp.pass" = { };
  };
}