diff --git a/yodaTab/nitrokey-ssh-gpg.nix b/yodaTab/nitrokey-ssh-gpg.nix
new file mode 100644
index 0000000..c9e5f48
--- /dev/null
+++ b/yodaTab/nitrokey-ssh-gpg.nix
@@ -0,0 +1,34 @@
+{ config, pkgs, ... }:
+
+{
+ # Enable SSH server.
+ services.openssh = {
+ enable = true;
+ # Forbid root login through SSH.
+ settings.PermitRootLogin = "no";
+ # Use authorized keys only.
+ settings.PasswordAuthentication = false;
+ };
+
+ # Use NitroKey USB smartcard with SSH.
+ # https://nixos.wiki/wiki/Nitrokey
+ #
+ # Restart gpg-agent after config change.
+ # Otherwise there might be a gpg error about "no pinentry".
+ # https://discourse.nixos.org/t/cant-get-gnupg-to-work-no-pinentry/15373/19
+ #
+ # Not sure if this is needed: Reload udev rules.
+ # sudo -- udevadm control --reload-rules && udevadm trigger
+ #
+ services.udev.packages = [ pkgs.nitrokey-udev-rules ];
+ programs = {
+ ssh.startAgent = false;
+ gnupg.agent = {
+ enable = true;
+ # ... Also sets SSH_AUTH_SOCK environment variable correctly.
+ enableSSHSupport = true;
+ };
+ };
+ # Smartcard daemon.
+ services.pcscd.enable = true;
+}
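Review bot: The comment `# Use authorized keys only.` above `settings.PasswordAuthentication = false;` promises more than that setting delivers, because NixOS leaves `KbdInteractiveAuthentication` enabled by default and sshd can then still accept a PAM password through the keyboard-interactive method. Adding `settings.KbdInteractiveAuthentication = false;` next to it makes the configuration match the comment. The `# Not sure if this is needed: Reload udev rules.` remark leaves an open question in committed code; since the rules are installed through `services.udev.packages`, either confirm the manual reload is unnecessary and drop those lines, or turn them into a `# TODO(owner):` stating what was observed. Note also that in the quoted command only the first half runs under sudo, so the `udevadm trigger` after `&&` would run unprivileged and may fail.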