From a7132f0326495277d59a200f41501ab9873c8c57 Mon Sep 17 00:00:00 2001
From: Kopatz <7265381+Kropatz@users.noreply.github.com>
Date: Wed, 22 May 2024 16:01:47 +0200
Subject: [PATCH] tpm

---
 flake.nix | 3 ++-
 modules/hardware/default.nix | 1 +
 modules/hardware/tpm.nix | 21 +++++++++++++++++++++
 systems/pc/configuration.nix | 1 +
 4 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 modules/hardware/tpm.nix

diff --git a/flake.nix b/flake.nix
index 7872d56..c5f417d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -61,7 +61,8 @@
 specialArgs = specialArgs // { inherit inputs outputs; };
 };
 in {
- packages.${system} = import ./pkgs { pkgs = nixpkgs-unstable.legacyPackages.${system}; };
+ packages.${system} =
+ import ./pkgs { pkgs = nixpkgs-unstable.legacyPackages.${system}; };
 overlays = import ./overlays.nix { inherit inputs; };
 nixosConfigurations = {
diff --git a/modules/hardware/default.nix b/modules/hardware/default.nix
index 85cee61..5b3d28c 100644
--- a/modules/hardware/default.nix
+++ b/modules/hardware/default.nix
@@ -7,5 +7,6 @@
 ./ssd.nix
 ./vfio.nix
 ./wooting.nix
+ ./tpm.nix
 ];
 }
diff --git a/modules/hardware/tpm.nix b/modules/hardware/tpm.nix
new file mode 100644
index 0000000..84ec350
--- /dev/null
+++ b/modules/hardware/tpm.nix
@@ -0,0 +1,21 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let cfg = config.custom.hardware.tpm;
+in {
+ options.custom.hardware.tpm = { enable = mkEnableOption "Enables tpm"; };
+
+ config = mkIf cfg.enable {
+
+ security.tpm2 = {
+ enable = true;
+ # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
+ pkcs11.enable = true;
+ # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
+ tctiEnvironment.enable = true;
+ };
+
+ #tss group has access to TPM devices
+ users.users.${config.mainUser.name}.extraGroups = [ "tss" ];
+ environment.systemPackages = with pkgs; [ tpm2-tools ];
+ };
+}
diff --git a/systems/pc/configuration.nix b/systems/pc/configuration.nix
index db529b8..8938f62 100644
--- a/systems/pc/configuration.nix
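Review bot: `users.users.${config.mainUser.name}.extraGroups = [ "tss" ];` in modules/hardware/tpm.nix ties the module to a `mainUser.name` option that the file neither declares nor checks, so on a host where that option is absent evaluation fails with a generic missing-attribute error instead of one pointing at this module; an assertion such as `assertions = [{ assertion = config ? mainUser; message = "custom.hardware.tpm requires mainUser.name"; }];` should give a clearer message. The `#tss group has access to TPM devices` comment understates what the line does: it gives the interactive login account the same device-node access the TPM software stack runs with, which is a deliberate trust decision and reads better recorded as one, e.g. `# mainUser joins tss for direct TPM access (pkcs11, tpm2-tools); this is device-level access, keep it to trusted accounts`. `with lib;` over the whole module is a style point worth avoiding in a new file, since it shadows names silently; `inherit (lib) mkEnableOption mkIf;` in the `let` keeps the scope explicit.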
+++ b/systems/pc/configuration.nix
@@ -53,6 +53,7 @@
 firmware.enable = true;
 ssd.enable = true;
 wooting.enable = true;
+ tpm.enable = true;
 };
 graphical = {
 audio.enable = true;