encrypt ssh private keys with the tpm

2024-12-03 16:40:01 -05:00 · 2024-12-03 16:40:01 -05:00 · d5db083507
commit d5db083507
parent 0291524082
3 changed files with 16 additions and 0 deletions
--- a/flake.nix
+++ b/flake.nix
@ -69,6 +69,7 @@
            ./nixos/sudo.nix
            ./nixos/symlinks.nix
            ./nixos/tailscale.nix
+            ./nixos/tpm.nix

            {
              # enable bluetooth
@ -97,6 +98,7 @@
                users.${user} = {
                  imports = [
                    ./home-manager/plasma.nix
+                    ./home-manager/tpm.nix
                    ./home-manager/user.nix
                    ./home-manager/vscode.nix
                    {
--- a/home-manager/tpm.nix
+++ b/home-manager/tpm.nix
@ -0,0 +1,5 @@
+{
+  programs.ssh.extraConfig = ''
+    PKCS11Provider = /run/current-system/sw/lib/libtpm2_pkcs11.so
+  '';
+}
--- a/nixos/tpm.nix
+++ b/nixos/tpm.nix
@ -0,0 +1,9 @@
+{ user, ... }:
+{
+  security.tpm2 = {
+    enable = true;
+    pkcs11.enable = true;
+    tctiEnvironment.enable = true;
+  };
+  users.users.${user}.extraGroups = [ "tss" ];
+}