From d5db083507d8e4186cd3e73efae6c86d750a265e Mon Sep 17 00:00:00 2001
From: cswimr
Date: Tue, 3 Dec 2024 16:40:01 -0500
Subject: [PATCH] encrypt ssh private keys with the tpm

---
 flake.nix | 2 ++
 home-manager/tpm.nix | 5 +++++
 nixos/tpm.nix | 9 +++++++++
 3 files changed, 16 insertions(+)
 create mode 100644 home-manager/tpm.nix
 create mode 100644 nixos/tpm.nix

diff --git a/flake.nix b/flake.nix
index da479d0..803e683 100644
--- a/flake.nix
+++ b/flake.nix
@@ -69,6 +69,7 @@
 ./nixos/sudo.nix
 ./nixos/symlinks.nix
 ./nixos/tailscale.nix
+./nixos/tpm.nix
 {
 # enable bluetooth
@@ -97,6 +98,7 @@
 users.${user} = {
 imports = [
 ./home-manager/plasma.nix
+./home-manager/tpm.nix
 ./home-manager/user.nix
 ./home-manager/vscode.nix
 {
diff --git a/home-manager/tpm.nix b/home-manager/tpm.nix
new file mode 100644
index 0000000..2b0ecdf
--- /dev/null
+++ b/home-manager/tpm.nix
@@ -0,0 +1,5 @@
+{
+programs.ssh.extraConfig = ''
+PKCS11Provider = /run/current-system/sw/lib/libtpm2_pkcs11.so
+'';
+}
diff --git a/nixos/tpm.nix b/nixos/tpm.nix
new file mode 100644
index 0000000..b367068
--- /dev/null
+++ b/nixos/tpm.nix
@@ -0,0 +1,9 @@
+{ user, ... }:
+{
+security.tpm2 = {
+enable = true;
+pkcs11.enable = true;
+tctiEnvironment.enable = true;
+};
+users.users.${user}.extraGroups = [ "tss" ];
+}
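Review bot: `PKCS11Provider` is written into `programs.ssh.extraConfig` with no `Host` scope, so every ssh invocation loads `/run/current-system/sw/lib/libtpm2_pkcs11.so` and offers the TPM token's keys to every server, not only the hosts that are meant to authenticate with them; scoping it through `programs.ssh.matchBlocks.<name>.extraOptions.PKCS11Provider` for the relevant hosts would narrow that. The provider path points at the system profile rather than a Nix store path, so this file silently depends on the NixOS side (nixos/tpm.nix in this same commit) making the library available there; a comment such as `# requires security.tpm2.pkcs11.enable from nixos/tpm.nix, which provides libtpm2_pkcs11.so on the system profile` would make the coupling explicit. The commit title also overstates the effect: loading the provider does not encrypt existing `~/.ssh` private keys, it only lets ssh use keys that live inside the TPM's PKCS#11 token, so any file-based keys stay unprotected until they are replaced by token-resident ones — worth stating in a comment so nobody assumes the old keys are now covered.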
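Review bot: `users.users.${user}.extraGroups = [ "tss" ]` gives the user direct access to whatever the tpm2 module hands to the tss group (the TPM device nodes), which is broader than "may use the PKCS#11 token", and the file does not record why that is necessary; a comment such as `# tss membership lets the PKCS#11 library open the TPM device directly, since no resource-manager daemon is enabled here` would capture the intent. If least privilege is a goal, enabling `security.tpm2.abrmd.enable` and setting `security.tpm2.tctiEnvironment.interface` to the daemon interface would let abrmd mediate access instead of granting raw device access — I have not verified the module defaults, so confirm before relying on it. Either way, documenting which TCTI (`device` vs `tabrmd`) the PKCS#11 library is expected to use next to `tctiEnvironment.enable` would make the configuration self-explanatory.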