I am trying to configure my system so that I can access a LUKS-encrypted root partition via a FIDO2 token as outlined in the NixOS manual. The problem is, the device I am currently using to store the private key (YubiKey 5) requires a PIN, and the Nix module provides no way to request one. Previously, when creating the FIDO2 credential, I was able to mitigate this by providing the -P flag to the fido2luks CLI (it makes fido2luks request the PIN). My question is, what would be the best way to get this to work (FIDO2 + LUKS + YubiKey 5)? Should I fork the module to make this small change, or is there an easier way?
Btw, systemd-cryptenroll can add a FIDO2-derived key to a LUKS drive, and the new (experimental) systemd-based initrd will support it almost out of the box. You just need boot.initrd.systemd.enable = true;, a (very) recent nixos-unstable, and I think boot.initrd.luks.devices.FOO.crypttabExtraOpts = ["fido2-device=auto"];
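The systemd-initrd setup described in the reply above, written out as a complete NixOS module (an added example, not from the thread or the NixOS project); the device name cryptroot and the UUID placeholder are assumptions, and the enrollment command in the comment is the systemd-cryptenroll invocation that records the PIN requirement in the LUKS2 token metadata so the PIN is prompted for at boot.

```nix
# Added example: systemd-based initrd unlocking a LUKS2 root volume with a
# FIDO2 token (e.g. a YubiKey 5) that requires a client PIN.
#
# Enrol the token first (run once, as root, from the installed system):
#   systemd-cryptenroll --fido2-device=auto \
#                       --fido2-with-client-pin=yes \
#                       /dev/disk/by-uuid/PLACEHOLDER-UUID
# With --fido2-with-client-pin=yes the PIN requirement is stored in the
# LUKS2 token; systemd-cryptsetup in the initrd prompts for the PIN before
# asking the token to derive the unlock key, so no module patch is needed.
{ config, lib, pkgs, ... }:

{
  # The systemd-based initrd (experimental in the thread's timeframe) is
  # what understands crypttab options; the scripted initrd does not.
  boot.initrd.systemd.enable = true;

  boot.initrd.luks.devices.cryptroot = {
    # Hypothetical device path; use the UUID of your own LUKS2 container.
    device = "/dev/disk/by-uuid/PLACEHOLDER-UUID";

    # Passed straight through to the generated /etc/crypttab entry.
    # fido2-device=auto lets systemd-cryptsetup pick the first matching
    # FIDO2 token whose credential is recorded in the LUKS2 header.
    crypttabExtraOpts = [ "fido2-device=auto" ];
  };
}
```

If the token is absent or the PIN is wrong, systemd-cryptsetup falls back to asking for the regular LUKS passphrase, so keep a passphrase keyslot enrolled as well.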