From e535a0894d5ded21664715b9363f93d6ac544164 Mon Sep 17 00:00:00 2001 From: Jack Mechem Date: Thu, 30 Apr 2026 20:27:50 -0700 Subject: [PATCH] Claude context --- .claude-context.md | 44 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 .claude-context.md diff --git a/.claude-context.md b/.claude-context.md new file mode 100644 index 0000000..08c48fe --- /dev/null +++ b/.claude-context.md 
@@ -0,0 +1,44 @@ +# Claude Session Context + +## Current Status +- T480 is booted into an **old NixOS generation** due to a kernel panic after the last rebuild +- A rebuild is in progress (or needs to be re-run with `nixos-rebuild switch`) + +## Boot Panic Fix +- **Cause:** `linuxPackages_latest` pulled a bad kernel after nixpkgs was bumped in commit `b3eeccf` +- **Fix:** Already applied — `hosts/t480/configuration.nix` now uses `pkgs.linuxPackages_6_6` +- **Cache key** was also wrong and is now fixed in `configuration.nix` + +## Drive Encryption Plan +Goal: encrypt T480 root partition requiring **YubiKey + passphrase** (LUKS2 + FIDO2). + +- Drive is currently **not encrypted** +- Home directory has been **backed up to external drive** via rsync +- NixOS config is in git — no reinstall needed, doing **in-place encryption** + +### Steps +1. Flash Kali ISO to USB (`dd if=kali.iso of=/dev/sdX bs=4M status=progress oflag=sync`) +2. Boot Kali live USB +3. Encrypt root partition in-place: + ```bash + sudo cryptsetup reencrypt --encrypt --reduce-device-size 32M /dev/nvme0n1p2 + # verify partition name first with: lsblk + ``` +4. Enroll YubiKey as FIDO2 token: + ```bash + sudo systemd-cryptenroll --fido2-device=auto --fido2-with-client-pin=yes /dev/nvme0n1p2 + ``` +5. Chroot into NixOS and update config + bootloader +6. Add to `hosts/t480/configuration.nix`: + ```nix + boot.initrd.luks.devices."cryptroot" = { + device = "/dev/nvme0n1p2"; + crypttabExtraOpts = [ "fido2-device=auto" ]; + }; + ``` +7. Rebuild and reboot + +## YubiKey PAM Setup +- `modules/nixos/yubikey-pam.nix` configures PAM u2f with `control = "required"` +- Requires **both** YubiKey touch and password for sudo/login +- Auth file at `/etc/u2f-mappings` (already enrolled and correct)
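Review bot: step 3 of the "Drive Encryption Plan" (`sudo cryptsetup reencrypt --encrypt --reduce-device-size 32M /dev/nvme0n1p2`) is missing a prerequisite: `--reduce-device-size` makes the LUKS2 header consume the last 32M of the partition's usable space, so the filesystem on `/dev/nvme0n1p2` has to be shrunk by at least that much first (for ext4, `e2fsck -f` followed by `resize2fs` to a smaller size), otherwise the in-place encryption truncates the tail of the filesystem. Add that shrink as its own step before the `reencrypt` line, and keep the `lsblk` check ahead of it since the wrong device name is not recoverable here. Separately, the step 6 snippet relies on `crypttabExtraOpts = [ "fido2-device=auto" ];`, which NixOS only honours with the systemd-based initrd; without `boot.initrd.systemd.enable = true;` in `hosts/t480/configuration.nix` the scripted initrd ignores the option and the YubiKey is never consulted at boot. Suggest adding that line to the snippet so the "YubiKey + passphrase" goal in this file is actually what the config produces, and noting in "Boot Panic Fix" that the pinned `pkgs.linuxPackages_6_6` will need to be confirmed against the new initrd before the reboot in step 7.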