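{ pkgs, lib, agenix, ... }:
# Host security module: agenix secret decryption, privilege escalation,
# TPM access, PAM second factors, Kerberos client and Secure Boot.
{
  # agenix decrypts secrets with the persisted SSH host key. The key is read
  # from /nix/persist so it exists before activation even when / is ephemeral.
  age.identityPaths = [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ];
  security = {
    # sudo-rs replaces the classic sudo implementation.
    sudo.enable = false;
    sudo-rs.enable = true;
    polkit.enable = true;
    tpm2 = {
      enable = true;
      pkcs11.enable = true;          # expose TPM-backed keys through a PKCS#11 module
      abrmd.enable = true;           # run the TPM2 access broker / resource manager daemon
      tctiEnvironment.enable = true; # export the TPM2 TCTI environment variables system-wide
    };
    pam = {
      u2f = {
        enable = true;
        # NOTE(review): neither `control` nor `settings.authfile` is set here.
        # With the NixOS default control (believed to be "sufficient") a
        # registered key alone satisfies PAM, and without a central authfile
        # pam_u2f reads each user's own registration file — confirm intended.
        settings = {
          cue = true; # prompt the user to touch the security key
        };
      };
    };
    krb5 = {
      enable = true;
      settings = {
        libdefaults = {
          default_realm = "AGDSN.DE";
          dns_lookup_realm = false; # realm mapping comes from domain_realm below, not DNS
          dns_lookup_kdc = true;    # permit DNS SRV lookup of KDCs for realms without an explicit entry
          ticket_lifetime = "24h";
          forwardable = "yes";      # tickets may be delegated to remote hosts; trust them accordingly
        };
        realms."AGDSN.DE" = {
          kdc = "idm.agdsn.network:88";
          master_kdc = "idm.agdsn.network:88";
          admin_server = "idm.agdsn.network:749";
          default_domain = "agdsn.de";
        };
        # Map hostnames (and the bare short name) to the realm.
        domain_realm = {
          "agdsn.de" = "AGDSN.DE";
          ".agdsn.de" = "AGDSN.DE";
          "agdsn" = "AGDSN.DE";
          ".agdsn" = "AGDSN.DE";
        };
      };
    };
  };
  # broken again
  services = {
    fprintd.enable = true; # log in using fingerprint
  };
  environment.systemPackages = with pkgs; [
    # Select the agenix CLI for the platform being built instead of
    # hard-coding x86_64-linux, so the module also evaluates on other systems.
    agenix.packages.${pkgs.stdenv.hostPlatform.system}.default
    tpm2-tools # tpm2_* CLI for inspecting and using the TPM
    sbctl      # Secure Boot key management; works with boot.lanzaboote.pkiBundle
  ];
  # enable secure boot using lanzaboote
  boot = {
    # Lanzaboote currently replaces the systemd-boot module.
    # This setting is usually set to true in configuration.nix
    # generated at installation time. So we force it to false
    # for now.
    loader.systemd-boot.enable = lib.mkForce false;
    lanzaboote = {
      enable = true;
      # sbctl key / bundle directory. NOTE(review): on an ephemeral-root
      # system (the age identity above lives in /nix/persist) this path
      # must be persisted as well, or the signing keys vanish on reboot.
      pkiBundle = "/etc/secureboot";
      configurationLimit = 10; # keep at most 10 signed generations on the ESP
    };
    # Disable the boot-entry editor so the kernel command line cannot be
    # altered from the boot menu. NOTE(review): this is the systemd-boot
    # option; confirm lanzaboote's generated loader.conf honours it.
    loader.systemd-boot.editor = false;
    loader.efi.canTouchEfiVariables = true; # allow writing the boot entry into EFI variables
  };
}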