From ff02e60527dca0b83352dd8136565374b003b210 Mon Sep 17 00:00:00 2001
From: Franck Cuny <franck@fcuny.net>
Date: Sun, 25 Jan 2026 11:33:58 -0800
Subject: unlock the disk using the host's TPM

---
 profiles/secureboot.nix | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

(limited to 'profiles/secureboot.nix')

diff --git a/profiles/secureboot.nix b/profiles/secureboot.nix
index 53df8e3..48eb868 100644
--- a/profiles/secureboot.nix
+++ b/profiles/secureboot.nix
@@ -4,14 +4,28 @@
     "/var/lib/sbctl"
   ];
 
-  environment.systemPackages = [
-    pkgs.sbctl
+  environment.systemPackages = with pkgs; [
+    sbctl
+    tpm2-tools
   ];
 
-  boot.loader.systemd-boot.enable = lib.mkForce false;
+  boot = {
+    loader.systemd-boot.enable = lib.mkForce false;
+    initrd.systemd.enable = true;
+    lanzaboote = {
+      enable = true;
+      pkiBundle = "/var/lib/sbctl";
+    };
+  };
 
-  boot.lanzaboote = {
+  security.tpm2 = {
     enable = true;
-    pkiBundle = "/var/lib/sbctl";
+    pkcs11.enable = true;
+    tctiEnvironment.enable = true;
+  };
+
+  environment.shellAliases = {
+    # Requires a device argument (/dev//dev/nvme0n1p3)
+    cryptenroll = "systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+7+12 --wipe-slot=tpm2";
   };
 }
-- 
cgit v1.2.3