tpm

modules/hardware/default.nix

@@ -7,5 +7,6 @@
     ./ssd.nix
     ./vfio.nix
     ./wooting.nix
+    ./tpm.nix
   ];
 }

modules/hardware/tpm.nix

@@ -0,0 +1,21 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let cfg = config.custom.hardware.tpm;
+in {
+  options.custom.hardware.tpm = { enable = mkEnableOption "Enables tpm"; };
+
+  config = mkIf cfg.enable {
+
+    security.tpm2 = {
+      enable = true;
+      # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
+      pkcs11.enable = true;
+      # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
+      tctiEnvironment.enable = true;
+    };
+
+    #tss group has access to TPM devices
+    users.users.${config.mainUser.name}.extraGroups = [ "tss" ];
+    environment.systemPackages = with pkgs; [ tpm2-tools ];
+  };
+}