1{
 2  lib,
 3  hardwareType,
 4  pkgs,
 5  system,
 6  ...
 7}:
 8let
 9  # Systems without TPM hardware
10  # - rpi4: Raspberry Pi 4
11  # - Most aarch64 SBCs (Radxa CM3588, etc.) don't have TPM chips
12  # For aarch64, only enable TPM if explicitly set via hardwareType
13  hasNoTPM = hardwareType == "rpi4" || (system == "aarch64-linux" && hardwareType == "");
14in
15{
16  environment.systemPackages =
17    if hasNoTPM then
18      [ ]
19    else
20      with pkgs;
21      [
22        tpm2-tss
23      ];
24  security = lib.mkIf (!hasNoTPM) {
25    tpm2 = {
26      enable = true;
27      pkcs11.enable = true;
28      abrmd.enable = true;
29    };
30  };
31}