From e312a05de094ee7fe28626efa923630d0264bebf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Leon=20Schwarz=C3=A4ugl?=
Date: Tue, 25 Mar 2025 02:38:23 +0100
Subject: [PATCH] feat: enable yubikey hardware decryption
---
 profiles/home/common/gpg-agent.nix | 2 ++
 profiles/nixos/optional/work.nix | 7 +++++--
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/profiles/home/common/gpg-agent.nix b/profiles/home/common/gpg-agent.nix
index c6183d7..c70a572 100644
--- a/profiles/home/common/gpg-agent.nix
+++ b/profiles/home/common/gpg-agent.nix
@@ -5,6 +5,8 @@ in {
 services.gpg-agent = {
 enable = true;
+ enableZshIntegration = true;
+ enableScDaemon = true;
 enableSshSupport = true;
 enableExtraSocket = true;
 pinentryPackage = pkgs.pinentry.gtk2;
diff --git a/profiles/nixos/optional/work.nix b/profiles/nixos/optional/work.nix
index 78a39a6..c011092 100644
--- a/profiles/nixos/optional/work.nix
+++ b/profiles/nixos/optional/work.nix
@@ -17,8 +17,11 @@ in
 };
 boot.initrd = {
- systemd.enable = true;
+ systemd.enable = lib.mkForce true; # make sure we are using initrd systemd even when not using Impermanence
 luks = {
+ # disable "support" since we use systemd-cryptenroll
+ # make sure yubikeys are enrolled using
+ # sudo systemd-cryptenroll --fido2-device=auto --fido2-with-user-verification=no --fido2-with-user-presence=true --fido2-with-client-pin=no /dev/nvme0n1p2
 yubikeySupport = false;
 fido2Support = false;
 };
@@ -101,7 +104,7 @@ in
 openssh = {
 enable = true;
 extraConfig = ''
- '';
+ '';
 };
 syncthing = {
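Review bot: In profiles/home/common/gpg-agent.nix the added `enableScDaemon = true;` has no comment tying it to the YubiKey, and it looks like it restates the home-manager default (worth confirming). I would put `# scdaemon is what lets gpg-agent reach the YubiKey's OpenPGP applet` above it so the hardware-key dependency is visible to the next reader. If pcscd is enabled on any host importing this common profile (not visible in this patch), scdaemon's built-in CCID driver and pcscd can contend for the reader, so that combination deserves a check. The `services.gpg-agent` block continues past the end of the hunk.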
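Review bot: The enrollment command documented in the new comment under `luks` in profiles/nixos/optional/work.nix passes `--fido2-with-client-pin=no` and `--fido2-with-user-verification=no`, so the disk unlocks with possession of the token plus a touch and nothing the user knows. For a work profile, where laptop and key tend to travel together, I would document the PIN-protected form instead, `# sudo systemd-cryptenroll --fido2-device=auto --fido2-with-client-pin=yes --fido2-with-user-presence=yes <luks-partition>`, or state in the comment why the PIN is deliberately off. The hard-coded `/dev/nvme0n1p2` is host-specific inside a shared optional profile, and the comment should also remind the reader to keep a passphrase or `--recovery-key` slot enrolled in case the token is lost. Whether the LUKS device carries the matching `fido2-device=auto` crypttab option cannot be seen here, since `boot.initrd` continues outside the hunk.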