Full disk encryption + TPM2

I did this by setting `boot.initrd.systemd.enable` to `true`, adding `tpm2-tss` to `environment.systemPackages`, rebuilding, and then running `systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/<my encrypted device>`. In your case, the device should be `/dev/vda2`; and if you're not using Secure Boot, you may want to change `--tpm2-pcrs=0+7` to just `--tpm2-pcrs=0`.

Hope this helps :slight_smile:

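The steps from the post above, collected into one NixOS configuration fragment with the enrollment and verification commands as comments. This is an added example, not the poster's own configuration; the device name `cryptroot`, the `/dev/vda2` path and the `crypttabExtraOpts` fallback line are assumptions, and the `cryptsetup luksDump` / `tpm2_pcrread` checks are additions the post does not mention.

```nix
# configuration.nix (added example; not taken from the original post)
{ config, pkgs, ... }:

{
  # Use the systemd-based initrd so that systemd-cryptsetup, which understands
  # the LUKS2 "systemd-tpm2" token written by systemd-cryptenroll, performs the
  # unlock at boot. The classic (script-based) initrd ignores that token.
  boot.initrd.systemd.enable = true;

  # The TSS libraries systemd-cryptenroll uses to talk to the TPM.
  environment.systemPackages = [ pkgs.tpm2-tss ];

  # Assumed name and device path; adjust to your own LUKS volume.
  boot.initrd.luks.devices."cryptroot" = {
    device = "/dev/vda2";

    # Assumption, not from the post: if the initrd does not try the TPM on its
    # own, this passes tpm2-device=auto to systemd-cryptsetup via crypttab.
    # crypttabExtraOpts = [ "tpm2-device=auto" ];
  };

  # After `nixos-rebuild switch`, enroll the TPM as an additional keyslot
  # (you still keep the passphrase slot as a fallback):
  #
  #   # Secure Boot enabled: bind to PCR 0 (firmware code) and PCR 7
  #   # (Secure Boot policy / db state)
  #   sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/vda2
  #
  #   # No Secure Boot: PCR 7 then says little, so bind to PCR 0 only
  #   sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0 /dev/vda2
  #
  # Checks before rebooting (added here, not in the post):
  #
  #   systemd-cryptenroll --tpm2-device=list     # a TPM2 device is visible
  #   sudo cryptsetup luksDump /dev/vda2         # a "systemd-tpm2" token is listed
  #   tpm2_pcrread sha256:0,7                    # current PCR values you are bound to
  #
  # Caveat: a firmware update changes PCR 0 and a Secure Boot key/db change
  # changes PCR 7. Either one makes the sealed key unusable; you fall back to
  # the passphrase and re-enroll with
  #
  #   sudo systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=0+7 /dev/vda2
}
```

Binding only to PCR 0 (or 0+7) means anyone who can boot the same firmware (and Secure Boot state) gets the volume unlocked without a passphrase; it protects the disk when removed from the machine, not the machine when booted by someone else. Adding a PIN (`--tpm2-with-pin=yes`) or binding to additional PCRs tightens this at the cost of more frequent re-enrollment.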