LUKS+LVM+TPM2 passwordless unlock: "Failed to mount /sysroot"

I’ve set up a fresh NixOS installation using LVM on top of LUKS, and am trying to get the system to unlock the root volume without a password prompt using my system’s TPM2 module. I’ve been using the instructions in the comment here. Unfortunately this seems to result in an unbootable system - see the errors in the attached screenshot.

The relevant parts of my nixos configuration are:

  boot.initrd.availableKernelModules = [ "vmd" "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
  boot.initrd.systemd.enable = true;
  boot.initrd.systemd.enableTpm2 = true;
  security.tpm2.enable = true;
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  boot.initrd.luks.devices.cryptlvm = {
    device = "/dev/disk/by-uuid/47d8a0a2-900d-45c0-ae63-026238a14601";
    preLVM = true; # luksOpen will be attempted before LVM scan
  };
  fileSystems."/" =
    { device = "/dev/WD770VolGroup/root";
      #fsType = "ext4";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/D840-BDB1";
      fsType = "vfat";
    };

The TPM key does seem to be registered on the disk:

richard@osaka ~ % sudo systemd-cryptenroll /dev/disk/by-uuid/47d8a0a2-900d-45c0-ae63-026238a14601 
   0 password
   1 tpm2

If I disable boot.initrd.systemd the system boots again, but prompts for the password. I was wondering if someone more knowledgeable than me might know why my configuration isn’t working.

It looks like you commented out fsType = "ext4";. This cannot be commented out. The initrd only includes kernel modules for file systems that it knows it needs, which is determined by fsType.

As a sidenote, keep in mind that the TPM is something that must be used carefully. It can render disk encryption pointless if you don’t have the system configured right.

That does the trick. Amazing! And amazingly fast reply. Thank you.