Claude context

.claude-context.md

@@ -0,0 +1,44 @@
+# Claude Session Context
+
+## Current Status
+- T480 is booted into an **old NixOS generation** due to a kernel panic after the last rebuild
+- A rebuild is in progress (or needs to be re-run with `nixos-rebuild switch`)
+
+## Boot Panic Fix
+- **Cause:** `linuxPackages_latest` pulled a bad kernel after nixpkgs was bumped in commit `b3eeccf`
+- **Fix:** Already applied — `hosts/t480/configuration.nix` now uses `pkgs.linuxPackages_6_6`
+- **Cache key** was also wrong and is now fixed in `configuration.nix`
+
+## Drive Encryption Plan
+Goal: encrypt T480 root partition requiring **YubiKey + passphrase** (LUKS2 + FIDO2).
+
+- Drive is currently **not encrypted**
+- Home directory has been **backed up to external drive** via rsync
+- NixOS config is in git — no reinstall needed, doing **in-place encryption**
+
+### Steps
+1. Flash Kali ISO to USB (`dd if=kali.iso of=/dev/sdX bs=4M status=progress oflag=sync`)
+2. Boot Kali live USB
+3. Encrypt root partition in-place:
+   ```bash
+   sudo cryptsetup reencrypt --encrypt --reduce-device-size 32M /dev/nvme0n1p2
+   # verify partition name first with: lsblk
+   ```
+4. Enroll YubiKey as FIDO2 token:
+   ```bash
+   sudo systemd-cryptenroll --fido2-device=auto --fido2-with-client-pin=yes /dev/nvme0n1p2
+   ```
+5. Chroot into NixOS and update config + bootloader
+6. Add to `hosts/t480/configuration.nix`:
+   ```nix
+   boot.initrd.luks.devices."cryptroot" = {
+     device = "/dev/nvme0n1p2";
+     crypttabExtraOpts = [ "fido2-device=auto" ];
+   };
+   ```
+7. Rebuild and reboot
+
+## YubiKey PAM Setup
+- `modules/nixos/yubikey-pam.nix` configures PAM u2f with `control = "required"`
+- Requires **both** YubiKey touch and password for sudo/login
+- Auth file at `/etc/u2f-mappings` (already enrolled and correct)