Initial commit

modules/global/security.nix

@@ -0,0 +1,26 @@
+{ username, pkgs, ... }: {
+  security = {
+    doas = {
+      enable = true;
+      wheelNeedsPassword = true;
+    };
+    sudo.enable = false;
+
+    # polkit.enable = lib.mkForce false;
+    polkit.enable = true;
+  };
+
+
+  n.misc.aliases.sudo = "doas";
+
+  security.tpm2 = {
+    enable = true;
+    pkcs11.enable = true;
+    pkcs11.package = pkgs.tpm2-pkcs11-fapi;
+    tctiEnvironment.enable = true;
+  };
+  users.users.${username}.extraGroups = [ "tss" "admin" ];
+
+  environment.systemPackages = with pkgs; [ tpm2-pkcs11-fapi clevis tpm2-tools ];
+  environment.variables.TPM2_PKCS11_BACKEND = "fapi";
+}