diff --git a/modules/programs/gnupg.nix b/modules/programs/gnupg.nix
index 6a34e30..718bf05 100644
--- a/modules/programs/gnupg.nix
+++ b/modules/programs/gnupg.nix
@@ -1,8 +1,19 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 
 let
+  inherit (lib)
+    getExe'
+    mkIf
+    mkOption
+    mkPackageOption
+    optionalString
+    types
+    ;
 
   cfg = config.programs.gnupg;
 
@@ -10,6 +21,8 @@ in
 
 {
   options.programs.gnupg = {
+    package = mkPackageOption pkgs "gnupg" { };
+
     agent.enable = mkOption {
       type = types.bool;
       default = false;
@@ -29,9 +42,12 @@ in
   };
 
   config = mkIf cfg.agent.enable {
+    environment.systemPackages = [ cfg.package ];
+
     launchd.user.agents.gnupg-agent.serviceConfig = {
       ProgramArguments = [
-        "${pkgs.gnupg}/bin/gpg-connect-agent" "/bye"
+        (getExe' cfg.package "gpg-connect-agent")
+        "/bye"
       ];
       RunAtLoad = cfg.agent.enableSSHSupport;
       KeepAlive.SuccessfulExit = false;
@@ -40,12 +56,13 @@ in
     environment.extraInit = ''
       # Bind gpg-agent to this TTY if gpg commands are used.
       export GPG_TTY=$(tty)
-    '' + (optionalString cfg.agent.enableSSHSupport ''
+    ''
+    + (optionalString cfg.agent.enableSSHSupport ''
       # SSH agent protocol doesn't support changing TTYs, so bind the agent
       # to every new TTY.
-      ${pkgs.gnupg}/bin/gpg-connect-agent --quiet updatestartuptty /bye > /dev/null 2>&1
+      ${getExe' cfg.package "gpg-connect-agent"} --quiet updatestartuptty /bye > /dev/null 2>&1
 
-      export SSH_AUTH_SOCK=$(${pkgs.gnupg}/bin/gpgconf --list-dirs agent-ssh-socket)
+      export SSH_AUTH_SOCK=$(${getExe' cfg.package "gpgconf"} --list-dirs agent-ssh-socket)
     '');
   };
 }