From 77cdf773c0af1726693964fd16e033eec9499044 Mon Sep 17 00:00:00 2001
From: Tim Schubert
Date: Sat, 26 Jul 2025 13:43:39 +0200
Subject: [PATCH] feat(stolas): enable TPM2 LUKS keyslot
---
 nixos/stolas/default.nix | 2 ++
 nixos/stolas/disks.nix | 6 ++++--
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/nixos/stolas/default.nix b/nixos/stolas/default.nix
index e1f115b..3c72921 100644
--- a/nixos/stolas/default.nix
+++ b/nixos/stolas/default.nix
@@ -32,6 +32,8 @@
 "usb_storage"
 "sd_mod"
 ];
+ # Ensure that TPM module is loaded
+ kernelModules = [ "tpm" ];
 };
 };
diff --git a/nixos/stolas/disks.nix b/nixos/stolas/disks.nix
index 5d48d17..01cf635 100644
--- a/nixos/stolas/disks.nix
+++ b/nixos/stolas/disks.nix
@@ -30,10 +30,12 @@
 content = {
 type = "luks";
 name = "crypted";
- #passwordFile = "/tmp/secret.key"; # Interactive
 settings = {
 allowDiscards = true;
- #keyFile = "/tmp/secret.key";
+ crypttabExtraOpts = [
+ "tpm2-device=auto"
+ "tpm2-pin=true"
+ ];
 };
 #additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
 content = {
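Review bot: The added `kernelModules = [ "tpm" ];` names only the TPM core, while the device itself is bound by an interface driver such as `tpm_crb` or `tpm_tis`, so the comment's promise that the TPM module is loaded may not mean the device is usable in early boot. If unlocking runs before that driver is present, systemd-cryptsetup would presumably fall back to the passphrase prompt and the TPM keyslot would quietly go unused. I would name the drivers explicitly, e.g. `kernelModules = [ "tpm" "tpm_crb" "tpm_tis" ];`, or rely on `boot.initrd.systemd.tpm2.enable` if systemd stage 1 is in use. The enclosing attribute set opens outside the hunk, so I am assuming it is `boot.initrd`.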
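Review bot: `"tpm2-pin=true"` in `crypttabExtraOpts` does not by itself make the PIN mandatory: as I read crypttab(5), the option only matters when the LUKS2 header carries no TPM2 token metadata, and otherwise the PIN and PCR policy are whatever was chosen when the keyslot was enrolled. Nothing in this commit records that enrollment, so a keyslot enrolled without a PIN or without PCR binding would not get the protection these lines suggest. I would add a comment above the list, e.g. `# Enrolled out of band: systemd-cryptenroll --tpm2-device=auto --tpm2-with-pin=yes --tpm2-pcrs=<PCR list>; keep a passphrase or recovery-key keyslot`. It is also worth confirming that `boot.initrd.systemd.enable` is set elsewhere, since NixOS appears to honour `crypttabExtraOpts` only in systemd stage 1. The surrounding `content` block starts and ends outside the hunk.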