From 0d1fe5536f6d8d959e9bbd2bbd7bc6c1783ca344 Mon Sep 17 00:00:00 2001
From: Kyle Isom
Date: Thu, 26 Mar 2026 08:56:02 -0700
Subject: [PATCH] Enable fido2 luks on orion/rift.
---
 hw/orion/hardware-configuration.nix | 8 +++++++-
 hw/rift/default.nix | 6 ++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/hw/orion/hardware-configuration.nix b/hw/orion/hardware-configuration.nix
index 526c737..542a983 100644
--- a/hw/orion/hardware-configuration.nix
+++ b/hw/orion/hardware-configuration.nix
@@ -19,7 +19,13 @@
 fsType = "ext4";
 };
- boot.initrd.luks.devices."luks-5c5e94fc-f710-4578-a5f6-3a244efe5d3b".device = "/dev/disk/by-uuid/5c5e94fc-f710-4578-a5f6-3a244efe5d3b";
+ boot.initrd.luks.devices."luks-5c5e94fc-f710-4578-a5f6-3a244efe5d3b" = {
+ device = "/dev/disk/by-uuid/5c5e94fc-f710-4578-a5f6-3a244efe5d3b";
+ crypttabExtraOpts = [
+ "fido2-device=auto"
+ "token-timeout=10"
+ ];
+ };
 fileSystems."/boot" = {
 device = "/dev/disk/by-uuid/B165-2F51";
diff --git a/hw/rift/default.nix b/hw/rift/default.nix
index a0ef133..d310d93 100644
--- a/hw/rift/default.nix
+++ b/hw/rift/default.nix
@@ -8,6 +8,12 @@
 ];
 config = {
+ # FIDO2 LUKS unlock (matches vade setup)
+ boot.initrd.luks.devices."crypted".crypttabExtraOpts = [
+ "fido2-device=auto"
+ "token-timeout=10"
+ ];
+
 # Allow rootless containers (Podman) to bind port 53 for CoreDNS (MCNS precursor).
 boot.kernel.sysctl."net.ipv4.ip_unprivileged_port_start" = 53;
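Review bot: The `crypttabExtraOpts` list added for the `luks-5c5e94fc-…` device in hw/orion/hardware-configuration.nix only takes effect under the systemd-based stage 1 — as far as I recall this option is rendered into the initrd's crypttab and is ignored by the scripted initrd — and nothing in the hunk shows `boot.initrd.systemd.enable`, so it is worth confirming that is set for this host, otherwise the change is silently a no-op and the device keeps prompting for a passphrase only. `fido2-device=auto` also presumes exactly one FIDO2 token is attached at boot and a credential already enrolled in the LUKS2 header with `systemd-cryptenroll`; the existing passphrase keyslot should be kept as the recovery path, which `token-timeout=10` relies on to fall back to a passphrase prompt when no token answers. A comment above the block recording these assumptions, e.g. `# FIDO2 unlock via systemd-cryptsetup: needs systemd stage 1 and an enrolled token; passphrase slot kept as fallback`, would match what the rift hunk already does, and since this file is typically produced by nixos-generate-config the edit may be lost on regeneration. The same caveats apply to the `crypted` device in hw/rift/default.nix.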