From 883e4585b2138d30a09f5a50ebfcb821027e126d Mon Sep 17 00:00:00 2001
From: Antoine Viallon
Date: Thu, 10 Aug 2023 16:22:28 +0200
Subject: [PATCH] [Security/TPM] init TPM config
---
 security/default.nix | 1 +
 security/tpm.nix | 25 +++++++++++++++++++++++++
 2 files changed, 26 insertions(+)
 create mode 100644 security/tpm.nix
diff --git a/security/default.nix b/security/default.nix
index ce5606c..0f7843b 100644
--- a/security/default.nix
+++ b/security/default.nix
@@ -2,6 +2,7 @@
 {
 imports = [
 ./hardening.nix
+ ./tpm.nix
 ./encryption.nix
 ];
 }
diff --git a/security/tpm.nix b/security/tpm.nix
new file mode 100644
index 0000000..5cabf34
--- /dev/null
+++ b/security/tpm.nix
@@ -0,0 +1,25 @@
+{config, pkgs, lib, ...}:
+with lib;
+let
+ cfg = config.aviallon.security.tpm;
+in {
+ options.aviallon.security.tpm = {
+ enable = (mkEnableOption "TPM") // { default = true; };
+ tpm1_2.enable = mkEnableOption "TPM 1.2 support";
+ };
+ config = mkIf cfg.enable {
+ security.tpm2 = {
+ enable = true;
+ tctiEnvironment.enable = true;
+ pkcs11.enable = true;
+ };
+
+ environment.systemPackages = [
+ pkgs.tpm2-tools
+ ] ++ optional cfg.tpm1_2.enable pkgs.tpm-tools;
+
+ services.tcsd = mkIf cfg.tpm1_2.enable {
+ enable = true;
+ };
+ };
+}
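Review bot: In the `options.aviallon.security.tpm` block of security/tpm.nix, `enable = (mkEnableOption "TPM") // { default = true; }` switches the option on for every host that imports security/default.nix, so the TPM2 userspace stack, the TCTI environment and the PKCS#11 module are enabled without an explicit opt-in, including on machines that have no TPM at all. Readers expect `mkEnableOption` to default to false, and the `//` override hides that this one does not; if on-by-default is intended, state it plainly with `enable = mkOption { type = types.bool; default = true; description = "Whether to enable the TPM 2.0 userspace stack (on by default; set to false on hosts without a TPM)."; };`. The `tpm1_2.enable` option deserves a description saying it requires a TPM 1.2 device and starts the tcsd daemon, since `mkEnableOption "TPM 1.2 support"` alone does not convey that. `services.tcsd = mkIf cfg.tpm1_2.enable { enable = true; };` can be written as the simpler `services.tcsd.enable = cfg.tpm1_2.enable;`.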