Add TPM2 support

nixos/base.nix

@@ -81,7 +81,7 @@
   users.users.chase = {
     isNormalUser = true;
     description = "Chase";
-    extraGroups = ["networkmanager" "wheel"];
+    extraGroups = ["networkmanager" "tss" "wheel"];
   };
 
   # Install git and enable cache
@@ -144,12 +144,14 @@
     flashrom
     gcc
     nixd
+    pam_u2f
     pciutils
     python3
     qemu
     rustup
     usbutils
     wget
+    yubikey-manager
   ];
 
   nix.nixPath = ["nixpkgs=${inputs.nixpkgs}"];
@@ -173,4 +175,33 @@
       KbdInteractiveAuthentication = false;
     };
   };
+
+  services.pcscd.enable = true;
+
+  services.udev.packages = [pkgs.yubikey-personalization];
+
+  services.yubikey-agent.enable = true;
+
+  security.pam = lib.optionalAttrs pkgs.stdenv.isLinux {
+    sshAgentAuth.enable = true;
+    u2f = {
+      enable = true;
+      settings = {
+        cue = false;
+        authFile = "~/.config/Yubico/u2f_keys";
+      };
+    };
+    services = {
+      login.u2fAuth = true;
+      sudo = {
+        u2fAuth = true;
+      };
+    };
+  };
+
+  security.tpm2 = {
+    enable = true;
+    pkcs11.enable = true;
+    tctiEnvironment.enable = true;
+  };
 }

nixos/desktop.nix

@@ -118,6 +118,7 @@
       winDecStyles = ["classic"];
     })
     firefoxpwa
+    yubioath-flutter
   ];
 
   services.fprintd.enable = true;