{ pkgs
, lib
, config
, ...}: with lib; {
  # git signing configuration
  programs.git = {
    signing = {
      signByDefault = true;
      gpgPath = "${pkgs.openssh}/bin/ssh-keygen";
      key = null;
    };

    extraConfig = {
      user.signingkey = "~/.ssh/id_ed25519.pub";
      gpg = {
        format = "ssh";
        # compiled from trusted keys in auth module
        ssh.allowedSignersFile = toString (pkgs.writeText
        "allowed_signers" (foldr (key: folded:
        folded + "koishi@514fpv.one ${key}") ""
        config.passthrough.publicKeys));
      };
    };
  };
}