{ config, pkgs, ... }:
let
  polkitAgent = pkgs.lxqt.lxqt-policykit;
in
{
  #### Fingerprint stack #######################################################
  services.fprintd.enable = true;
  services.fprintd.tod.enable = true;
  # Change the driver if your sensor isn’t Goodix.
  services.fprintd.tod.driver = pkgs.libfprint-2-tod1-goodix;

  #### Polkit (needed for Bitwarden’s “system authentication” prompt) ###########
  security.polkit.enable = true;
  services.dbus.enable = true;

  systemd.user.services.polkit-agent = {
    description = "Polkit authentication agent";
    after = [ "graphical-session.target" ];
    wantedBy = [ "graphical-session.target" ];
    serviceConfig.ExecStart = "${polkitAgent}/bin/lxqt-policykit-agent";
    serviceConfig.Restart = "on-failure";
  };

  #### Autostart Bitwarden desktop in your user session ########################
  systemd.user.services.bitwarden = {
    description = "Bitwarden Desktop";
    after = [ "graphical-session.target" ];
    wantedBy = [ "graphical-session.target" ];
    serviceConfig.ExecStart = "${pkgs.bitwarden}/bin/bitwarden";
    serviceConfig.Restart = "on-abort";
  };

  #### Handy tools #############################################################
  environment.systemPackages = with pkgs; [
    goldwarden
    bitwarden
    bitwarden-cli
    fprintd
    lxqt.lxqt-policykit
  ];

  environment.shellAliases = {
    bw-epicenter = "BITWARDENCLI_APPDATA_DIR=~/.config/bitwarden-cli-epicenter ${pkgs.bitwarden-cli}/bin/bw";
    bw-cloonar = "BITWARDENCLI_APPDATA_DIR=~/.config/bitwarden-cli-cloonar ${pkgs.bitwarden-cli}/bin/bw";
  };

  environment.shellInit = ''
    mkdir -p ~/.config/bitwarden-cli-epicenter ~/.config/bitwarden-cli-cloonar
  '';

  # environment.systemPackages = with pkgs; [
  #   bitwarden
  #   bitwarden-cli
  #   (runCommand "bitwarden-polkit-policy" {} ''
  #     mkdir -p $out/share/polkit-1/actions
  #     cat > $out/share/polkit-1/actions/com.bitwarden.Bitwarden.policy <<'EOF'
  #     <?xml version="1.0" encoding="UTF-8"?>
  #     <!DOCTYPE policyconfig PUBLIC
  #     "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
  #     "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
  #     <policyconfig>
  #       <action id="com.bitwarden.Bitwarden.unlock">
  #         <description>Unlock Bitwarden</description>
  #         <message>Authenticate to unlock Bitwarden</message>
  #         <defaults>
  #           <allow_any>no</allow_any>
  #           <allow_inactive>no</allow_inactive>
  #           <allow_active>auth_self</allow_active>
  #         </defaults>
  #       </action>
  #     </policyconfig>
  #     EOF
  #   '')
  # ];

  # systemd.user.services.polkit-gnome-authentication-agent-1 = {
  #   description = "polkit-gnome-authentication-agent-1";
  #   wantedBy = [ "graphical-session.target" ];
  #   wants = [ "graphical-session.target" ];
  #   after = [ "graphical-session.target" ];
  #   serviceConfig = {
  #     Type = "simple";
  #     ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
  #     Restart = "on-failure";
  #     RestartSec = 1;
  #     TimeoutStopSec = 10;
  #   };
  # };
}