···

       
52
       
52
       
 
       
    };

     

       
53
       
53
       
 
       
    services.scrutiny.collector.enable = false;

     

       
54
       
54
       
 
       
  };

     

       
55
       
55
       
+
       
  security.tpm2.enable = false;

     

       
56
       
56
       
+
       
  security.tpm2.abrmd.enable = false;

     

       
55
       
57
       
 
       
}

     

···

       
1
       
1
       
-
       
{ pkgs, ... }:

     

       
1
       
1
       
+
       
{ pkgs, lib, ... }:

     

       
2
       
2
       
+
       
let

     

       
3
       
3
       
+
       
  inherit (lib) mkDefault;

     

       
4
       
4
       
+
       
in

     

       
2
       
5
       
 
       
{

     

       
3
       
6
       
 
       
  # Everything should use doas instead of sudo

     

       
4
       
7
       
 
       
  # Sudo is kept enabled for tools that ~can't~ won't use doas.

     
···

       
12
       
15
       
 
       


     

       
13
       
16
       
 
       
    # TPM configuration

     

       
14
       
17
       
 
       
    tpm2 = {

     

       
15
       
15
       
-
       
      enable = true;

     

       
16
       
16
       
-
       
      abrmd.enable = true;

     

       
17
       
17
       
-
       
      applyUdevRules = true;

     

       
18
       
18
       
-
       
      pkcs11.enable = false;

     

       
18
       
18
       
+
       
      enable = mkDefault true;

     

       
19
       
19
       
+
       
      abrmd.enable = mkDefault true;

     

       
20
       
20
       
+
       
      applyUdevRules = mkDefault true;

     

       
21
       
21
       
+
       
      pkcs11.enable = mkDefault false;

     

       
19
       
22
       
 
       
    };

     

       
20
       
23
       
 
       


     

       
21
       
24
       
 
       
    # Set up extra certificates for DN42 specifically