vade: prefer FIDO2 over passphrase for LUKS unlock

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-24 23:56:40 -07:00
parent 6db72017e0
commit d1aee2f30e
1 changed files with 7 additions and 1 deletions
--- a/hw/vade/hardware-configuration.nix
+++ b/hw/vade/hardware-configuration.nix
@@ -18,7 +18,13 @@
      fsType = "ext4";
    };

-  boot.initrd.luks.devices."luks-e51c3431-ac26-4429-88a6-cebba8878935".device = "/dev/disk/by-uuid/e51c3431-ac26-4429-88a6-cebba8878935";
+  boot.initrd.luks.devices."luks-e51c3431-ac26-4429-88a6-cebba8878935" = {
+    device = "/dev/disk/by-uuid/e51c3431-ac26-4429-88a6-cebba8878935";
+    crypttabExtraOpts = [
+      "fido2-device=auto"
+      "token-timeout=10"
+    ];
+  };

  # Use systemd in initrd for FIDO2 LUKS unlock support
  boot.initrd.systemd.enable = true;