Claude Session Context
Current Status
- T480 is booted into an old NixOS generation due to a kernel panic after the last rebuild
- A rebuild is in progress (or needs to be re-run with `nixos-rebuild switch`)
Boot Panic Fix
- Cause: `linuxPackages_latest` pulled a bad kernel after nixpkgs was bumped in commit `b3eeccf`
- Fix: Already applied — `hosts/t480/configuration.nix` now uses `pkgs.linuxPackages_6_6`
- Cache key was also wrong and is now fixed in `configuration.nix`
Drive Encryption Plan
Goal: encrypt T480 root partition requiring YubiKey + passphrase (LUKS2 + FIDO2).
- Drive is currently not encrypted
- Home directory has been backed up to external drive via rsync
- NixOS config is in git — no reinstall needed, doing in-place encryption
Steps
- Flash Kali ISO to USB: `dd if=kali.iso of=/dev/sdX bs=4M status=progress oflag=sync`
- Boot Kali live USB
- Encrypt root partition in-place: `sudo cryptsetup reencrypt --encrypt --reduce-device-size 32M /dev/nvme0n1p2` (verify partition name first with `lsblk`)
- Enroll YubiKey as FIDO2 token: `sudo systemd-cryptenroll --fido2-device=auto --fido2-with-client-pin=yes /dev/nvme0n1p2`
- Chroot into NixOS and update config + bootloader
- Add to `hosts/t480/configuration.nix`: `boot.initrd.luks.devices."cryptroot" = { device = "/dev/nvme0n1p2"; crypttabExtraOpts = [ "fido2-device=auto" ]; };`
- Rebuild and reboot
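The in-place reencryption step is the one that cannot be undone if it is pointed at the wrong node or at a filesystem that has not been shrunk to make room for the LUKS2 header. The script below is an added example, not part of these session notes: it wraps the `cryptsetup reencrypt` and `systemd-cryptenroll` commands from the steps above with pre-flight checks. It assumes an ext4 root filesystem, that it is run as root from the live USB, and that the target partition is passed as an argument (`sh preflight.sh run /dev/nvme0n1p2`); the 32 MiB reservation is the value the notes use.

```shell
#!/bin/sh
# Added example (not from the session notes): pre-flight checks around the
# in-place LUKS2 reencryption. Assumes an ext4 root, root privileges on the
# live USB, and the partition node given on the command line.

# Space reserved for the LUKS2 header, as passed to --reduce-device-size.
REDUCE_MIB=32

# Pure helper: given the partition size and the current filesystem size
# (both in MiB), return how many MiB the filesystem must still shrink so
# the header fits; 0 when it already fits.
required_shrink_mib() {
    part_mib=$1
    fs_mib=$2
    need=$(( fs_mib + REDUCE_MIB - part_mib ))
    if [ "$need" -lt 0 ]; then need=0; fi
    echo "$need"
}

# Pure helper: accept only a partition node (/dev/nvme0n1p2, /dev/sda2, ...)
# and reject whole disks (/dev/nvme0n1, /dev/sda) or anything else, since
# reencrypting the wrong node destroys the partition table or the data.
is_partition_node() {
    case "$1" in
        /dev/nvme*n*p[0-9]*|/dev/sd[a-z]*[0-9]*|/dev/vd[a-z]*[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check a real device, then run the reencryption and FIDO2 enrollment.
# Destructive: only reached via `sh preflight.sh run /dev/XXX`.
reencrypt_root() {
    dev=$1
    is_partition_node "$dev" || { echo "refusing: $dev is not a partition node (check lsblk)" >&2; return 1; }
    if grep -q "^$dev " /proc/mounts; then
        echo "refusing: $dev is mounted" >&2
        return 1
    fi
    part_mib=$(( $(blockdev --getsize64 "$dev") / 1048576 ))
    # ext4 size = block count * block size, both read from the superblock.
    blocks=$(dumpe2fs -h "$dev" 2>/dev/null | awk -F: '/^Block count/ { gsub(/ /, "", $2); print $2 }')
    bsize=$(dumpe2fs -h "$dev" 2>/dev/null | awk -F: '/^Block size/ { gsub(/ /, "", $2); print $2 }')
    fs_mib=$(( blocks * bsize / 1048576 ))
    need=$(required_shrink_mib "$part_mib" "$fs_mib")
    if [ "$need" -gt 0 ]; then
        echo "filesystem must shrink by at least ${need} MiB first:" >&2
        echo "  e2fsck -f $dev && resize2fs $dev $(( part_mib - REDUCE_MIB ))M" >&2
        return 1
    fi
    cryptsetup reencrypt --encrypt --reduce-device-size "${REDUCE_MIB}M" "$dev" || return 1
    systemd-cryptenroll --fido2-device=auto --fido2-with-client-pin=yes "$dev"
}

case "${1:-}" in
    run) reencrypt_root "$2" ;;
esac
```

Two caveats the steps above do not spell out: `cryptsetup reencrypt --encrypt` refuses to proceed when the filesystem still fills the whole partition, so the shrink check is what makes the 32M reservation safe; and the `crypttabExtraOpts` setting in the Nix snippet is only honored by the systemd-based initrd (`boot.initrd.systemd.enable = true`), so the config change needs that option as well for the FIDO2 unlock to happen at boot.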
YubiKey PAM Setup
- `modules/nixos/yubikey-pam.nix` configures PAM u2f with `control = "required"`
- Requires both YubiKey touch and password for sudo/login
- Auth file at `/etc/u2f-mappings` (already enrolled and correct)