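# NixOS module: installs the Bitwarden desktop client and CLI, points interactive
# zsh sessions at the Bitwarden SSH agent socket, and lets sudo authenticate
# through that agent via pam_rssh.
{ config, lib, pkgs, ... }:
let
  cfg = config.custom.programs.bitwarden;
in
{
  options.custom.programs.bitwarden = {
    enable = lib.mkEnableOption "Bitwarden desktop applications";

    # The default keeps the location that used to be hard-coded in the export
    # line. interactiveShellInit is system-wide, so every account's interactive
    # zsh (root included) is pointed at this single socket; override it on
    # hosts where the agent runs under a different account.
    sshAuthSock = lib.mkOption {
      type = lib.types.str;
      default = "/home/vili/.bitwarden-ssh-agent.sock";
      description = "Path of the Bitwarden SSH agent socket exported as SSH_AUTH_SOCK in interactive zsh sessions.";
    };
  };

  config = lib.mkIf cfg.enable {
    environment.systemPackages = with pkgs; [
      bitwarden
      bitwarden-cli
    ];

    # Escape the path so a value containing spaces or shell metacharacters
    # cannot alter the generated init script.
    programs.zsh.interactiveShellInit = "export SSH_AUTH_SOCK=${lib.escapeShellArg cfg.sshAuthSock}";

    security = {
      pam = {
        # pam_rssh: sudo is authenticated by a signature from the calling user's
        # SSH agent instead of a password. The set of accepted public keys is
        # configured outside this module.
        # NOTE(review): sudo is then only as strong as access to the agent
        # socket. Confirm the Bitwarden agent asks for approval on each signing
        # request; otherwise any process running as the user can obtain sudo
        # while the vault is unlocked.
        rssh.enable = true;
        services = {
          sudo.rssh = true;
        };
      };
      # Only members of wheel may execute the sudo binary at all.
      sudo.execWheelOnly = true;
    };

    # We need SSH for the sudo, but generally don't want it open on machines with Bitwarden client.
    # This only stops the openssh module from opening its port in the firewall;
    # it does not enable or disable sshd, so the daemon stays reachable wherever
    # the firewall is off or the port is opened by another rule.
    services.openssh.openFirewall = false;
  };
}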