# NixOS module: turns on TPM 2.0 support with the PKCS#11 provider, adds one
# account to the "tss" group, and installs the sbctl tool.
#
# Arguments:
#   user - name of the account that receives the extra "tss" group
#   lib  - only lib.mkDefault is used
#   pkgs - package set that provides sbctl
{ user, lib, pkgs, ... }:
{
  # Low-priority (mkDefault) TCTI for the PKCS#11 provider: any definition of
  # this variable at normal priority elsewhere in the configuration wins.
  # NOTE(review): security.tpm2.tctiEnvironment.enable below appears to define
  # TPM2_PKCS11_TCTI as well in the upstream module; confirm which value ends
  # up in the evaluated configuration.
  # NOTE(review): "tabrmd:" selects the access-broker daemon, and this file
  # does not set security.tpm2.abrmd.enable; confirm the daemon is enabled
  # elsewhere, otherwise PKCS#11 clients would have nothing to connect to.
  environment.variables.TPM2_PKCS11_TCTI = lib.mkDefault "tabrmd:";

  # TPM 2.0 support, the tpm2-pkcs11 provider, and the TCTI environment
  # variables.
  security.tpm2.enable = true;
  security.tpm2.pkcs11.enable = true;
  security.tpm2.tctiEnvironment.enable = true;

  # NOTE(review): presumably "tss" is the group that owns the TPM device
  # nodes. If so, every process running as this user can talk to the TPM, so
  # keep the membership to accounts that need it. Verify against the
  # security.tpm2 group and udev settings in use.
  users.users.${user}.extraGroups = [ "tss" ];

  # Secure Boot tooling. This only puts sbctl on the system PATH; nothing in
  # this file creates or enrolls keys, or signs boot artifacts.
  environment.systemPackages = [ pkgs.sbctl ];
}