From ff02e60527dca0b83352dd8136565374b003b210 Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Sun, 25 Jan 2026 11:33:58 -0800
Subject: unlock the disk using the host's TPM
---
 profiles/remote-unlock.nix | 2 --
 profiles/secureboot.nix | 24 +++++++++++++++++++-----
 2 files changed, 19 insertions(+), 7 deletions(-)
(limited to 'profiles')
diff --git a/profiles/remote-unlock.nix b/profiles/remote-unlock.nix
index 0e2cb1b..d93bb3f 100644
--- a/profiles/remote-unlock.nix
+++ b/profiles/remote-unlock.nix
@@ -6,7 +6,6 @@
 boot.initrd.network = {
 enable = true;
- postCommands = "echo 'cryptsetup-askpass' >> /root/.profile";
 flushBeforeStage2 = true;
 ssh = {
 enable = true;
@@ -15,7 +14,6 @@
 "/persist/secrets/ssh_host_ed25519_key"
 ];
 authorizedKeys = with adminUser.userinfo.sshPublicKeys; [
- onepassword
 yubikey-personal-nano
 yubikey-personal-keychain
 yubikey-personal-backup
diff --git a/profiles/secureboot.nix b/profiles/secureboot.nix
index 53df8e3..48eb868 100644
--- a/profiles/secureboot.nix
+++ b/profiles/secureboot.nix
@@ -4,14 +4,28 @@
 "/var/lib/sbctl"
 ];
- environment.systemPackages = [
- pkgs.sbctl
+ environment.systemPackages = with pkgs; [
+ sbctl
+ tpm2-tools
 ];
- boot.loader.systemd-boot.enable = lib.mkForce false;
+ boot = {
+ loader.systemd-boot.enable = lib.mkForce false;
+ initrd.systemd.enable = true;
+ lanzaboote = {
+ enable = true;
+ pkiBundle = "/var/lib/sbctl";
+ };
+ };
- boot.lanzaboote = {
+ security.tpm2 = {
 enable = true;
- pkiBundle = "/var/lib/sbctl";
+ pkcs11.enable = true;
+ tctiEnvironment.enable = true;
+ };
+
+ environment.shellAliases = {
+ # Requires a device argument (/dev//dev/nvme0n1p3)
+ cryptenroll = "systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+7+12 --wipe-slot=tpm2";
 };
 }
--
cgit v1.2.3
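Review bot: The `cryptenroll` alias in profiles/secureboot.nix enrolls a TPM-only key with no PIN, so the disk unseals on any boot whose measurements match and the login prompt becomes the only barrier for someone holding the machine. If that is not the intended threat model, add `--tpm2-with-pin=yes` to the alias. Binding to PCR 0 (and possibly 2) also means a firmware update is likely to change the measurements and stop the TPM slot from unsealing, so a passphrase or recovery-key slot has to stay enrolled and the alias re-run afterwards; `--wipe-slot=tpm2` leaves password slots alone, but the comment does not say any of this. The existing comment also has a doubled path, `/dev//dev/nvme0n1p3`; I would replace it with `# Usage: cryptenroll /dev/nvme0n1p3 (re-run after firmware updates; keep a passphrase slot as fallback)`.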