What am I missing? I want yubikey to enter my boot drive passphrase (FIDO2/yubikey)

I installed NixOS via the ISO and chose to encrypt. On booting, I’m prompted to enter my passphrase and all works OK.

My goal here is to have the passphrase come from my yubikey (basically, a passwordless boot if the yubikey is present.) I thought I’d set up everything but it’s like it’s not even trying to read the yubikey. I’m still prompted for the passphrase.

The steps I’ve taken are from the FIDO2 part of the NixOS manual:

  1. converted LUKS from version 1 to version 2 (via a live CD)
  2. switched to systemd-initrd
  3. ran: systemd-cryptenroll --fido2-device=auto /dev/nvme0n1p2 (it prompted me to enter the current passphrase and it seemed to go OK)

The ‘boot’ part of my config looks like this (and I have run nixos-rebuild boot)

  boot = {
    initrd = {
      kernelModules = [
        "vfat"
        "nls_cp437"
        "nls_iso8859-1"
        "usbhid"
      ];
      luks = {
        devices = {
          "luks-c371c2df-5496-4ff2-b484-7476bfab0453" = {
            crypttabExtraOpts = [ "fido2-device=auto" ];
            device = "/dev/disk/by-uuid/c371c2df-5496-4ff2-b484-7476bfab0453";
          };
        };
      };
      systemd = {
        enable = true;
      };
    };
    loader = {
      efi = {
        canTouchEfiVariables = true;
      };
      systemd-boot = {
        enable = true;
      };
    };
    supportedFilesystems = [
      "ntfs"
    ];
  };

Am I missing a config somewhere? Or maybe my expectations of this are wrong?
I’m pretty new to nix/yubikey so assume I know nothing (because Nix is like starting anew :) )

Thanks for reading
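
Added example, not part of the original post: a Python check of the two places the setup above depends on, the LUKS2 header (does it hold a `systemd-fido2` token, and which keyslot is it bound to) and the crypttab options (does the volume carry `fido2-device=`). It assumes the header JSON comes from `cryptsetup luksDump --dump-json-metadata <device>`; the sample metadata, crypttab lines and volume names are constructed, and the function names are hypothetical.

```python
import json

# Constructed sample, shaped like `cryptsetup luksDump --dump-json-metadata DEV`:
# keyslot 0 is the install-time passphrase, keyslot 1 was added by systemd-cryptenroll.
SAMPLE_METADATA = json.dumps({
    "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}},
    "tokens": {"0": {"type": "systemd-fido2", "keyslots": ["1"]}},
})
# Constructed sample crypttab (fields: name, device, key file, options).
SAMPLE_CRYPTTAB = (
    "# constructed example\n"
    "luks-root /dev/disk/by-uuid/PLACEHOLDER-1 - fido2-device=auto\n"
    "luks-data /dev/disk/by-uuid/PLACEHOLDER-2 - discard\n"
)

def _token_slots(meta, token_type=None):
    """Keyslot numbers referenced by tokens, optionally of one token type."""
    slots = set()
    for token in meta.get("tokens", {}).values():
        if token_type is None or token.get("type") == token_type:
            slots.update(int(s) for s in token.get("keyslots", []))
    return slots

def fido2_slots(metadata_json):
    """Keyslots that a systemd-fido2 token can unlock."""
    return sorted(_token_slots(json.loads(metadata_json), "systemd-fido2"))

def unbound_slots(metadata_json):
    """Keyslots with no token at all (e.g. a plain passphrase slot)."""
    meta = json.loads(metadata_json)
    bound = _token_slots(meta)
    return sorted(int(s) for s in meta.get("keyslots", {}) if int(s) not in bound)

def crypttab_fido2(crypttab_text):
    """Map each crypttab volume name to True if its options include fido2-device=."""
    result = {}
    for line in crypttab_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        options = fields[3].split(",") if len(fields) > 3 else []
        result[fields[0]] = any(o.startswith("fido2-device=") for o in options)
    return result

def check(metadata_json, crypttab_text, volume):
    """Return a list of problems that would keep the token from being tried."""
    problems = []
    if not fido2_slots(metadata_json):
        problems.append("no systemd-fido2 token in the LUKS2 header")
    if not crypttab_fido2(crypttab_text).get(volume, False):
        problems.append(f"crypttab entry {volume!r} lacks fido2-device=")
    return problems
```

An empty list from `check` means both the enrollment and the crypttab option are present; a keyslot reported by `unbound_slots` is one that is still unlocked by passphrase alone.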