# Claude Session Context

## Current Status

- T480 is booted into an **old NixOS generation** due to a kernel panic after the last rebuild
- A rebuild is in progress (or needs to be re-run with `nixos-rebuild switch`)

## Boot Panic Fix

- **Cause:** `linuxPackages_latest` pulled a bad kernel after nixpkgs was bumped in commit `b3eeccf`
- **Fix:** Already applied — `hosts/t480/configuration.nix` now uses `pkgs.linuxPackages_6_6`
- **Cache key** was also wrong and is now fixed in `configuration.nix`

## Drive Encryption Plan

Goal: encrypt the T480 root partition so that unlocking requires **YubiKey + passphrase** (LUKS2 + FIDO2).

- Drive is currently **not encrypted**
- Home directory has been **backed up to external drive** via rsync
- NixOS config is in git — no reinstall needed, doing **in-place encryption**

### Steps

1. Flash Kali ISO to USB (`dd if=kali.iso of=/dev/sdX bs=4M status=progress oflag=sync`)
2. Boot Kali live USB
3. Encrypt root partition in-place:
   ```bash
   # verify partition name first with: lsblk
   sudo cryptsetup reencrypt --encrypt --reduce-device-size 32M /dev/nvme0n1p2
   ```
4. Enroll YubiKey as FIDO2 token:
   ```bash
   sudo systemd-cryptenroll --fido2-device=auto --fido2-with-client-pin=yes /dev/nvme0n1p2
   ```
5. Chroot into NixOS and update config + bootloader
6. Add to `hosts/t480/configuration.nix`:
   ```nix
   boot.initrd.luks.devices."cryptroot" = {
     device = "/dev/nvme0n1p2";
     crypttabExtraOpts = [ "fido2-device=auto" ];
   };
   ```
7. Rebuild and reboot

## YubiKey PAM Setup

- `modules/nixos/yubikey-pam.nix` configures PAM u2f with `control = "required"`
- Requires **both** YubiKey touch and password for sudo/login
- Auth file at `/etc/u2f-mappings` (already enrolled and correct)
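Pre-flight check for step 3 of the Drive Encryption Plan, added here as an example and not part of the session notes: `cryptsetup reencrypt --encrypt --reduce-device-size 32M` shifts the existing data forward to make room for the LUKS2 header, so the filesystem must already have been shrunk by at least 32M or the tail of it is destroyed. The script verifies that headroom, refuses a device that is already LUKS, and confirms a FIDO2 token is visible for step 4; it assumes an ext4 root and the cryptsetup/e2fsprogs/util-linux/systemd tools on the live image, and takes the device path from the constructed `LUKS_PREFLIGHT_DEV` variable.

```bash
#!/usr/bin/env bash
# Added pre-flight check for the in-place `cryptsetup reencrypt --encrypt` step.
# Run from the live USB with the root filesystem unmounted, e.g.
#   LUKS_PREFLIGHT_DEV=/dev/nvme0n1p2 ./preflight.sh
# Assumes an ext4 root and the cryptsetup/e2fsprogs/util-linux/systemd tools.
set -eu

REDUCE_BYTES=$((32 * 1024 * 1024))   # must equal the --reduce-device-size value (32M)

# Pure check used by preflight(): cryptsetup moves the data forward by
# REDUCE_BYTES for the LUKS2 header, so the filesystem must end at least that
# far before the end of the partition. Prints "ok" or "shrink-needed".
headroom_status() {
  local fs_bytes=$1 dev_bytes=$2
  if [ "$fs_bytes" -le $((dev_bytes - REDUCE_BYTES)) ]; then
    echo ok
  else
    echo shrink-needed
  fi
}

# Largest filesystem size (in 1K units, as resize2fs accepts) that leaves room for the header.
max_fs_kib() {
  echo $(( ($1 - REDUCE_BYTES) / 1024 ))
}

preflight() {
  local dev=$1 fstype blocks bsize dev_bytes
  [ -b "$dev" ] || { echo "not a block device: $dev" >&2; return 1; }
  # Refuse a device that is already LUKS: --encrypt on it would be the wrong operation.
  if cryptsetup isLuks "$dev"; then echo "$dev is already LUKS" >&2; return 1; fi
  fstype=$(blkid -o value -s TYPE "$dev")
  [ "$fstype" = ext4 ] || { echo "expected ext4, found '$fstype'" >&2; return 1; }
  blocks=$(dumpe2fs -h "$dev" 2>/dev/null | awk -F': *' '/^Block count/ {print $2}')
  bsize=$(dumpe2fs -h "$dev" 2>/dev/null | awk -F': *' '/^Block size/ {print $2}')
  dev_bytes=$(blockdev --getsize64 "$dev")
  case $(headroom_status $((blocks * bsize)) "$dev_bytes") in
    ok) echo "headroom ok: fs $((blocks * bsize)) B, device $dev_bytes B" ;;
    *)  echo "shrink first: e2fsck -f $dev && resize2fs $dev $(max_fs_kib "$dev_bytes")K" >&2
        return 1 ;;
  esac
  # Step 4 enrolls a FIDO2 token; confirm one is visible before encrypting.
  systemd-cryptenroll --fido2-device=list | grep -q '^/dev/hidraw' \
    || { echo "no FIDO2 device visible" >&2; return 1; }
  echo "preflight passed for $dev"
}

if [ -n "${LUKS_PREFLIGHT_DEV:-}" ]; then
  preflight "$LUKS_PREFLIGHT_DEV"
fi
```

Step 6's `crypttabExtraOpts` are honoured only by the systemd-based initrd, so `boot.initrd.systemd.enable = true;` must also be present in `hosts/t480/configuration.nix` before the rebuild in step 7.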