authorKenny Ballou <kballou@devnulllabs.io>2020-06-05 07:20:25 -0600
committerKenny Ballou <kballou@devnulllabs.io>2020-06-05 07:20:25 -0600
commit94677d92fab2969cd005acec0e0a54209011ae4f (patch)
treeb66e5e32f044ca0541278fbbf73a7eda295bc7e1 /eligos
parenta1ec790f289a3252224bcac8922eb7e71983b940 (diff)
eligos: add gpgcard support for encrypted drives
Found these configuration options in a [reddit][0] post. This works out pretty well. Remove the keyfiles since they are never available when the system is unlocking. [0]: https://www.reddit.com/r/NixOS/comments/fv3iza/yubikey_and_luks_on_multiple_machines/ Signed-off-by: Kenny Ballou <kballou@devnulllabs.io>
Diffstat (limited to 'eligos')
-rw-r--r--eligos/configuration.nix19
1 files changed, 16 insertions, 3 deletions
diff --git a/eligos/configuration.nix b/eligos/configuration.nix
index 7740b51..34f34bf 100644
--- a/eligos/configuration.nix
+++ b/eligos/configuration.nix
@@ -69,17 +69,30 @@
boot.initrd.luks = {
reusePassphrases = true;
+ gpgSupport = true;
devices = {
- cvg0.device = "/dev/disk/by-uuid/5cd9cc98-a22c-48f3-87ef-00a04f6d3500";
+ cvg0 = {
+ device = "/dev/disk/by-uuid/5cd9cc98-a22c-48f3-87ef-00a04f6d3500";
+ gpgCard = {
+ publicKey = ./public.asc;
+ encryptedPass = ./luks-passphrase-cvg0.asc;
+ };
+ };
cvg1 = {
device = "/dev/disk/by-uuid/93479577-1b78-4b2c-b7c3-a1f905d19e54";
- keyFile = "/etc/cvg1";
fallbackToPassword = true;
+ gpgCard = {
+ publicKey = ./public.asc;
+ encryptedPass = ./luks-passphrase-cvg1.asc;
+ };
};
cvg2 = {
device = "/dev/disk/by-uuid/4520c49c-12da-47ba-a9d1-1f53cd586cdd";
- keyFile = "/etc/cvg2";
fallbackToPassword = true;
+ gpgCard = {
+ publicKey = ./public.asc;
+ encryptedPass = ./luks-passphrase-cvg2.asc;
+ };
};
};
};
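Review bot: Nothing in the new `gpgCard` blocks records what protects the `./luks-passphrase-cvg*.asc` files: as Nix path literals they are copied into the world-readable store (and, as I read the LUKS module, into the initrd), so the passphrases are only as safe as the card's private key and PIN. A comment above `gpgSupport = true;` such as `# encryptedPass files are public ciphertext; keep a passphrase keyslot on each device for recovery if the card is lost` would make that explicit. Separately, `fallbackToPassword = true;` stays on cvg1 and cvg2 although their `keyFile` lines are removed; that option appears to govern only the keyfile path, so it is probably a no-op now and makes cvg0 look inconsistent. Either drop it from both devices or confirm against the module that it still has an effect.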