# Privilege escalation (doas instead of sudo) and TPM 2.0 / PKCS#11 tooling
# for the primary user.
{ username, pkgs, ... }:
{
  security = {
    # sudo is switched off; doas is the only escalation tool configured here.
    sudo.enable = false;
    doas = {
      enable = true;
      # wheel members must enter their password to use doas.
      wheelNeedsPassword = true;
    };

    # polkit.enable = lib.mkForce false;
    # NOTE(review): re-enabling the line above needs `lib` added to the module
    # arguments. While polkit stays enabled, privileged actions can also be
    # authorized through it, independently of the doas rules.
    polkit.enable = true;

    tpm2 = {
      enable = true;
      # Exports the TCTI environment variables used by the TPM tools and the
      # PKCS#11 module.
      tctiEnvironment.enable = true;
      pkcs11 = {
        enable = true;
        package = pkgs.tpm2-pkcs11-fapi;
      };
    };
  };

  # `n.misc.aliases` is declared outside this file; presumably it defines a
  # shell alias so that typing `sudo` runs doas. Verify against its module.
  n.misc.aliases.sudo = "doas";

  # NOTE(review): `tss` is the NixOS tpm2 module's default TPM access group,
  # so this user can talk to the TPM directly. `admin` is not defined here,
  # and the user is not added to `wheel` in this file. Confirm where doas
  # rights for this account come from and what `admin` grants.
  users.users.${username}.extraGroups = [
    "tss"
    "admin"
  ];

  environment.systemPackages = [
    pkgs.tpm2-pkcs11-fapi
    pkgs.clevis
    pkgs.tpm2-tools
  ];

  # Selects the FAPI backend of tpm2-pkcs11, matching the -fapi package above.
  environment.variables.TPM2_PKCS11_BACKEND = "fapi";
}