# NixOS module: privilege escalation (doas/sudo), TPM2 defaults, and extra
# trusted CA certificates for DN42.
{ pkgs, lib, ... }:
let
  # CA certificates added to the system trust store for DN42.
  # Each fetch is pinned by content hash, so an upstream file that changes
  # fails the build instead of silently changing the set of trusted roots.
  # The first URL carries no revision; the second pins an AUR commit id.
  dn42CaCertificates = [
    (pkgs.fetchurl {
      name = "burble-dn42-ca.pem";
      url = "https://dn42.burble.com/burble-dn42-ca.pem";
      sha256 = "0wcrjkiav018bpl87583g0v60clx3jg3wfyf8d9h8zdkwcb16b2g";
    })
    (pkgs.fetchurl {
      name = "dn42.crt";
      url = "https://aur.archlinux.org/cgit/aur.git/plain/dn42.crt?h=ca-certificates-dn42&id=646f7effb290adf25c7e9fea3b41bf055522ba29";
      sha256 = "sha256-wsMeC9/tlppSNZGrqfZFLAjv3AMj1KwIAWeh2XBpiYs=";
    })
  ];
in
{
  # doas is the preferred escalation tool; sudo stays on only for tools that
  # won't use doas.
  # NOTE(review): with wheelNeedsPassword = false, members of wheel reach root
  # through doas without a password prompt, so a compromised wheel account is
  # equivalent to root on this host. Confirm that is intended wherever this
  # module is imported.
  security.doas.enable = true;
  security.doas.wheelNeedsPassword = false;

  # Needed for nixos-rebuild to work properly.
  # sudo's own policy is not configured here and is left at module defaults.
  security.sudo.enable = true;

  # TPM configuration. Every value uses lib.mkDefault, so a host
  # configuration can override it without mkForce.
  security.tpm2.enable = lib.mkDefault true;
  security.tpm2.abrmd.enable = lib.mkDefault true;
  security.tpm2.applyUdevRules = lib.mkDefault true;
  security.tpm2.pkcs11.enable = lib.mkDefault false;

  # Extra certificates for DN42 specifically.
  # These are trusted system-wide, by anything that uses the system trust
  # store. NOTE(review): whether these roots carry name constraints limiting
  # them to DN42 names is not visible from this file; verify.
  security.pki.certificateFiles = dn42CaCertificates;
}