Enable fido2 luks on orion/rift.

2026-03-26 08:56:02 -07:00
parent 7be8a4c5e6
commit 0d1fe5536f
2 changed files with 13 additions and 1 deletions
--- a/hw/orion/hardware-configuration.nix
+++ b/hw/orion/hardware-configuration.nix
@@ -19,7 +19,13 @@
      fsType = "ext4";
    };

-  boot.initrd.luks.devices."luks-5c5e94fc-f710-4578-a5f6-3a244efe5d3b".device = "/dev/disk/by-uuid/5c5e94fc-f710-4578-a5f6-3a244efe5d3b";
+  boot.initrd.luks.devices."luks-5c5e94fc-f710-4578-a5f6-3a244efe5d3b" = {
+    device = "/dev/disk/by-uuid/5c5e94fc-f710-4578-a5f6-3a244efe5d3b";
+    crypttabExtraOpts = [
+      "fido2-device=auto"
+      "token-timeout=10"
+    ];
+  };

  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/B165-2F51";
--- a/hw/rift/default.nix
+++ b/hw/rift/default.nix
@@ -8,6 +8,12 @@
  ];

  config = {
+    # FIDO2 LUKS unlock (matches vade setup)
+    boot.initrd.luks.devices."crypted".crypttabExtraOpts = [
+      "fido2-device=auto"
+      "token-timeout=10"
+    ];
+
    # Allow rootless containers (Podman) to bind port 53 for CoreDNS (MCNS precursor).
    boot.kernel.sysctl."net.ipv4.ip_unprivileged_port_start" = 53;