{ config, lib, pkgs, ... }:

# Opt-in TPM 2.0 support for this host.
#
# Declares `local.boot.tpm.enable` and, when it is set, turns on the upstream
# NixOS `security.tpm2` stack (TSS userspace, the tpm2-pkcs11 module and the
# TCTI environment variables) and installs tpm2-tools for interactive use.
let
  tpmCfg = config.local.boot.tpm;
in
{
  options.local.boot.tpm = {
    # Boolean switch; the string becomes the option's user-facing description.
    enable = lib.mkEnableOption "Trusted Platform Module 2.0";
  };

  config = lib.mkIf tpmCfg.enable {
    # `local.boot.efi.enable` is declared by a sibling module (not in this
    # file). Evaluation fails with the message below unless EFI booting is
    # enabled too; presumably the rest of this configuration only makes use of
    # the TPM (measured/secure boot) on EFI systems -- confirm against the
    # efi module.
    assertions = [
      {
        assertion = config.local.boot.efi.enable;
        message = "TPM2 requires EFI";
      }
    ];

    security.tpm2 = {
      # Upstream module: installs the TSS userspace and, with its defaults,
      # udev rules that hand the TPM device nodes to the `tss` group -- so
      # non-root users need that group to talk to the TPM (verify against the
      # nixpkgs revision in use).
      enable = true;
      # Expose the TPM as a PKCS#11 token via tpm2-pkcs11.
      pkcs11.enable = true;
      # Export the TCTI environment variables (TPM2TOOLS_TCTI and the PKCS#11
      # equivalent) system-wide so tpm2-tools and the PKCS#11 module locate
      # the device without per-user configuration.
      tctiEnvironment.enable = true;
    };

    # Command-line TPM utilities (e.g. tpm2_pcrread, tpm2_getcap).
    environment.systemPackages = [ pkgs.tpm2-tools ];
  };
}