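# Host security module: agenix identity, sudo-rs, TPM2, U2F/fingerprint PAM,
# Kerberos client settings for the AGDSN.DE realm, and Secure Boot via
# lanzaboote.
{ pkgs, lib, agenix, ... }:

{
  # agenix decrypts secrets with the host SSH key. The key is read from
  # /nix/persist, which looks like an impermanence setup where /etc is not
  # persistent -- confirm this path matches the persisted host key.
  age.identityPaths = [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ];

  security = {
    # Use the Rust sudo implementation instead of the classic sudo.
    sudo.enable = false;
    sudo-rs.enable = true;
    polkit.enable = true;

    tpm2 = {
      enable = true;
      pkcs11.enable = true;          # TPM-backed PKCS#11 module
      abrmd.enable = true;           # userspace TPM resource manager daemon
      tctiEnvironment.enable = true; # TCTI environment for tpm2 tooling
    };

    pam = {
      # pam_u2f on the login and sudo PAM services.
      # NOTE(review): security.pam.u2f.control defaults to "sufficient", so a
      # registered key by itself satisfies these services (a password
      # replacement, not a second factor). Set control = "required" if the
      # key is meant to be an additional factor -- confirm the intent.
      u2f.enable = true;
      services = {
        login.u2fAuth = true;
        sudo.u2fAuth = true;
      };
    };

    krb5 = {
      enable = true;
      settings = {
        libdefaults = {
          default_realm = "AGDSN.DE";
          # Do not derive realms from DNS TXT records; the explicit
          # domain_realm map below is authoritative.
          dns_lookup_realm = false;
          # KDCs may still be located via DNS SRV records. The AGDSN.DE
          # realm pins its KDC below, so this presumably only affects other
          # realms -- verify against the krb5 documentation.
          dns_lookup_kdc = true;
          ticket_lifetime = "24h";
          # Forwardable TGTs can be delegated to remote hosts; a compromised
          # remote host then holds usable credentials. Only needed when
          # delegation is actually used.
          forwardable = "yes";
        };
        realms."AGDSN.DE" = {
          kdc = "idm.agdsn.network:88";
          master_kdc = "idm.agdsn.network:88";
          admin_server = "idm.agdsn.network:749";
          default_domain = "agdsn.de";
        };
        domain_realm = {
          "agdsn.de" = "AGDSN.DE";
          ".agdsn.de" = "AGDSN.DE";
          "agdsn" = "AGDSN.DE";
          ".agdsn" = "AGDSN.DE";
        };
      };
    };
  };

  services.fprintd.enable = true; # log in using fingerprint

  environment.systemPackages = with pkgs; [
    # agenix CLI for the platform this module is evaluated for
    # (previously pinned to x86_64-linux).
    agenix.packages.${pkgs.stdenv.hostPlatform.system}.default
    tpm2-tools
    sbctl # Secure Boot key management / status
  ];

  # Secure Boot via lanzaboote.
  boot = {
    # lanzaboote currently replaces the systemd-boot module. The generated
    # configuration.nix normally enables systemd-boot, so it is forced off.
    loader.systemd-boot = {
      enable = lib.mkForce false;
      # Do not allow the kernel command line to be edited from the boot menu.
      # NOTE(review): lanzaboote appears to honour this option when writing
      # loader.conf -- verify on the installed system.
      editor = false;
    };
    loader.efi.canTouchEfiVariables = true;
    lanzaboote = {
      enable = true;
      # Must match the directory where sbctl created the keys; newer sbctl
      # releases default to a different location -- verify.
      pkiBundle = "/etc/secureboot";
      configurationLimit = 10;
    };
  };
}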