From b4907407fcbc2d650a000881cf7bc4546f929d12 Mon Sep 17 00:00:00 2001
From: dadada
Date: Sun, 8 Oct 2023 12:14:51 +0200
Subject: [PATCH] Switch to systemd stage 1

---
 nixos/gorgon/configuration.nix | 31 ++++++++++--------
 nixos/modules/default.nix | 1 -
 nixos/modules/fido2.nix | 58 ----------------------------------
 nixos/modules/yubikey.nix | 19 ++--------
 4 files changed, 20 insertions(+), 89 deletions(-)
 delete mode 100644 nixos/modules/fido2.nix

diff --git a/nixos/gorgon/configuration.nix b/nixos/gorgon/configuration.nix
index 64443e2..8cd368c 100644
--- a/nixos/gorgon/configuration.nix
+++ b/nixos/gorgon/configuration.nix
@@ -48,20 +48,29 @@ in
     keep-derivations = true
   '';
 
-  boot.kernelModules = [ "kvm-amd" ];
+  boot = {
+    kernelModules = [ "kvm-amd" ];
+    initrd = {
+      systemd.enable = true;
+      luks.devices = {
+        root = {
+          device = "/dev/disk/by-uuid/3d0e5b93-90ca-412a-b4e0-3e6bfa47d3f4";
+          preLVM = true;
+          allowDiscards = true;
+          crypttabExtraOpts = ["fido2-device=auto"];
+        };
+      };
+    };
+    kernel.sysctl = {
+      "vm.swappiness" = 90;
+    };
+  };
 
   networking.hostName = "gorgon";
 
   dadada = {
     steam.enable = true;
-    yubikey = {
-      enable = true;
-      #luksUuid = "3d0e5b93-90ca-412a-b4e0-3e6bfa47d3f4";
-      fido2Credentials = [
-        "0295c215865e4d988cf5148db9197ae58bc26b0838b35e2b35bafdb837e9f8b103309466d7cfa8c71d6c01d4908e2708"
-        "f8a4359e4a67d8a149a72ad5fb2db0fbc11e2480102e5a2e353297dce5e1ad53419acade31eb4a4bd803b808c29ba0b4"
-      ];
-    };
+    yubikey.enable = true;
 
     networking = {
       enableBsShare = true;
@@ -70,10 +79,6 @@ in
     sway.enable = false;
   };
 
-  boot.kernel.sysctl = {
-    "vm.swappiness" = 90;
-  };
-
   programs.adb.enable = true;
 
   programs.firefox = {
diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix
index 3448a55..e558aa2 100644
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
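Review bot: The new `crypttabExtraOpts = ["fido2-device=auto"];` only unlocks the volume if the LUKS2 header for that UUID carries a token enrolled with `systemd-cryptenroll --fido2-device=auto`; the `fido2Credentials` this hunk removes were fido2luks credential IDs, which systemd-cryptsetup does not consume, so the device has to be re-enrolled and nothing in the commit records that. A comment above that line, e.g. `# keyslot enrolled via systemd-cryptenroll; the old fido2luks keyslot is not read by systemd stage 1`, would keep the next rebuild from ending in an unbootable root. The deleted module path also set `passwordLess = true`, whereas systemd-cryptsetup normally falls back to a passphrase prompt when no token answers, so if a token-only boot was intended that is now an open decision rather than a configured one. `preLVM = true;` is a scripted-initrd ordering knob and probably has no effect once `initrd.systemd.enable = true;` is set, so confirm it is still wanted. The second hunk of this file is a pure move of the sysctl block into the new `boot` attrset.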
@@ -4,7 +4,6 @@
   borgServer = import ./borg-server.nix;
   ddns = import ./ddns.nix;
   element = import ./element.nix;
-  fido2 = import ./fido2.nix;
   fileShare = import ./fileShare.nix;
   gitea = import ./gitea.nix;
   headphones = import ./headphones.nix;
diff --git a/nixos/modules/fido2.nix b/nixos/modules/fido2.nix
deleted file mode 100644
index 8405798..0000000
--- a/nixos/modules/fido2.nix
+++ /dev/null
@@ -1,58 +0,0 @@
-{ config
-, pkgs
-, lib
-, ...
-}:
-with lib; let
-  luks = config.dadada.luks;
-  fido2 = config.dadada.fido2;
-in
-{
-  options = {
-    dadada.luks = {
-      uuid = mkOption {
-        type = with types; nullOr str;
-        description = "Device UUID";
-        default = null;
-      };
-    };
-
-    dadada.fido2 = {
-      enablePam = mkEnableOption "Enable PAM U2F";
-      credential = mkOption {
-        type = with types; nullOr str;
-        description = "FIDO2 credential string";
-        default = null;
-      };
-    };
-  };
-
-  config = {
-    boot.initrd.luks.devices = mkIf (luks.uuid != null) {
-      root = {
-        device = "/dev/disk/by-uuid/${luks.uuid}";
-        preLVM = true;
-        allowDiscards = true;
-        fido2 = mkIf (fido2.credential != null) {
-          credential = fido2.credential;
-          passwordLess = true;
-        };
-      };
-    };
-
-    boot.initrd.luks.fido2Support = mkIf (fido2.credential != null) true;
-
-    environment.systemPackages = mkIf (fido2.credential != null) (with pkgs; [
-      linuxPackages.acpi_call
-      fido2luks
-      python27Packages.dbus-python
-      python38Packages.solo-python
-    ]);
-
-    security.pam.u2f = mkIf fido2.enablePam {
-      enable = true;
-      control = "sufficient";
-      cue = true;
-    };
-  };
-}
diff --git a/nixos/modules/yubikey.nix b/nixos/modules/yubikey.nix
index 9d1b117..3df9499 100644
--- a/nixos/modules/yubikey.nix
+++ b/nixos/modules/yubikey.nix
@@ -24,21 +24,6 @@ in
   };
 
   config = mkIf yubikey.enable {
-    boot.initrd.luks = {
-      fido2Support = true;
-      devices = mkIf (yubikey.luksUuid != null) {
-        root = {
-          device = "/dev/disk/by-uuid/${yubikey.luksUuid}";
-          preLVM = true;
-          allowDiscards = true;
-          fido2 = mkIf (yubikey.fido2Credentials != [ ]) {
-            credentials = yubikey.fido2Credentials;
-            passwordLess = true;
-          };
-        };
-      };
-    };
-
     security.pam = {
       # Keys must be placed in $XDG_CONFIG_HOME/Yubico/u2f_keys
       services = {
@@ -56,8 +41,8 @@ in
     services.udev.packages = [ pkgs.yubikey-personalization ];
 
     environment.systemPackages = with pkgs; [
-      fido2luks
-      linuxPackages.acpi_call
+      #fido2luks
+      #linuxPackages.acpi_call
       pam_u2f
       pamtester
       yubikey-manager
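Review bot: `#fido2luks` and `#linuxPackages.acpi_call` are commented out rather than removed, with nothing saying why they are kept; since the first hunk of this file drops `fido2Support` and the whole fido2luks-based unlock, the two lines should either go or carry a reason such as `# fido2luks kept only for recovering/re-enrolling the legacy keyslot`. The first hunk also stops reading `yubikey.luksUuid` and `yubikey.fido2Credentials`, but their option declarations appear to sit above line 24 and are not touched by the patch, so a host that still sets them would have its LUKS settings silently ignored; removing those options, or asserting on them, would make that visible at evaluation time. The `config = mkIf yubikey.enable { ... }` attrset begins in the first hunk and ends outside both hunks.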