From 1e517b499ccf32684190d9fd8f5c601523e3a636 Mon Sep 17 00:00:00 2001
From: kB01 <kb01@kb-one.de>
Date: Wed, 29 Oct 2025 14:59:02 +0100
Subject: [PATCH] Configured HW Key

---
 systems/i686-linux/Rubtrm/default.nix  |  8 +++++++-
 systems/i686-linux/Rubtrm/hardware.nix | 26 ++++++++++++--------------
 2 files changed, 19 insertions(+), 15 deletions(-)

diff --git a/systems/i686-linux/Rubtrm/default.nix b/systems/i686-linux/Rubtrm/default.nix
index 2aa3497..fa78ede 100644
--- a/systems/i686-linux/Rubtrm/default.nix
+++ b/systems/i686-linux/Rubtrm/default.nix
@@ -60,9 +60,15 @@
     variant = "";
   };
 
+  # Security
+  security.rtkit.enable = true;
+  security.pam.services = {
+    login.u2fAuth = true;
+    sudo.u2fAuth = true;
+  };
+
   # Enable sound with pipewire.
   services.pulseaudio.enable = false;
-  security.rtkit.enable = true;
   services.pipewire = {
     enable = true;
     alsa.enable = true;
diff --git a/systems/i686-linux/Rubtrm/hardware.nix b/systems/i686-linux/Rubtrm/hardware.nix
index 31c278b..62731cf 100644
--- a/systems/i686-linux/Rubtrm/hardware.nix
+++ b/systems/i686-linux/Rubtrm/hardware.nix
@@ -1,29 +1,27 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 
 {
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
 
   boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ata_piix" "usbhid" "usb_storage" "ums_realtek" "sd_mod" ];
   boot.initrd.kernelModules = [ "dm-snapshot" "cryptd" ];
   boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-label/NIXOS_LUKS";
+  boot.initrd.luks.devices."cryptroot".crypttabExtraOpts = [ "fido2-device=auto" ];
   boot.kernelModules = [ ];
   boot.extraModulePackages = [ ];
   boot.kernelParams = [ "i915.force_probe=27ae" ];
 
-  fileSystems."/" =
-    { device = "/dev/disk/by-label/NIXOS_ROOT";
-      fsType = "ext4";
-    };
+  fileSystems."/" = { 
+    device = "/dev/disk/by-label/NIXOS_ROOT";
+    fsType = "ext4";
+  };
 
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-label/NIXOS_BOOT";
-      fsType = "vfat";
-    };
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/NIXOS_BOOT";
+    fsType = "vfat";
+  };
 
   swapDevices = [ 
     {