default.nix
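{ inputs, config, pkgs, lib, self, ... }:
let
  # Short-hand for this module's own options, read from the merged config.
  hardware = config.modules.security.hardware;
in
{
  options.modules.security.hardware = {
    tpm = {
      # `mkEnableOption` defaults to false; the default is overridden to true
      # so hosts that never set this option keep the TPM configuration that
      # was previously applied unconditionally. The option was declared but
      # never read, so toggling it had no effect.
      enable = lib.mkEnableOption "Enable usage of the trusted platform module" // {
        default = true;
      };
    };
  };

  config = {
    environment = {
      # Token/secure-boot tooling is always installed; the TPM userland is
      # only pulled in when the TPM option is enabled.
      systemPackages = with pkgs; [
        libfido2
        sbctl
      ] ++ lib.optionals hardware.tpm.enable [
        tpm2-totp
        tpm2-tools
      ];
    };

    # USB security keys and smartcard support, independent of the TPM option.
    hardware = {
      nitrokey.enable = true;
      onlykey.enable = true;
      gpgSmartcards.enable = true;
    };

    # TPM-specific settings now follow the declared option instead of being
    # hard-wired to true.
    security = {
      tpm2 = {
        enable = hardware.tpm.enable;
      };
    };

    boot = {
      initrd = {
        systemd = {
          tpm2.enable = hardware.tpm.enable;
        };
        # luks.fido2Support = true; # doesn't work in stage 1
      };
    };
  };
}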