feat: enable yubikey hardware decryption

profiles/home/common/gpg-agent.nix

@@ -5,6 +5,8 @@ in
 {
   services.gpg-agent = {
     enable = true;
+    enableZshIntegration = true;
+    enableScDaemon = true;
     enableSshSupport = true;
     enableExtraSocket = true;
     pinentryPackage = pkgs.pinentry.gtk2;

profiles/nixos/optional/work.nix

@@ -17,8 +17,11 @@ in
   };
 
   boot.initrd = {
-    systemd.enable = true;
+    systemd.enable = lib.mkForce true; # make sure we are using initrd systemd even when not using Impermanence
     luks = {
+      # disable "support" since we use systemd-cryptenroll
+      # make sure yubikeys are enrolled using
+      # sudo systemd-cryptenroll --fido2-device=auto --fido2-with-user-verification=no --fido2-with-user-presence=true --fido2-with-client-pin=no /dev/nvme0n1p2
       yubikeySupport = false;
       fido2Support = false;
     };
@@ -101,7 +104,7 @@ in
     openssh = {
       enable = true;
       extraConfig = ''
-        '';
+                '';
     };
 
     syncthing = {