Group shared system settings

system/shared/hardware/tpm.nix

@@ -0,0 +1,26 @@
+{ config, lib, pkgs, ... }: let
+  inherit (lib) mkIf mkDefault;
+
+  enabled = config.myOptions.device.hasTPM;
+in {
+  config = mkIf enabled {
+    security.tpm2 = {
+      # enable Trusted Platform Module 2 support
+      enable = true;
+
+      # enable Trusted Platform 2 userspace resource manager daemon
+      abrmd.enable = mkDefault false;
+
+      # The TCTI is the "Transmission Interface" that is used to communicate with a
+      # TPM. this option sets TCTI environment variables to the specified values if enabled
+      #  - TPM2TOOLS_TCTI
+      #  - TPM2_PKCS11_TCTI
+      tctiEnvironment.enable = mkDefault true;
+
+      # enable TPM2 PKCS#11 tool and shared library in system path
+      pkcs11.enable = mkDefault false;
+    };
+
+    environment.systemPackages = with pkgs; [ tpm2-tss tpm2-tools ];
+  };
+}