Closed antifuchs closed 7 months ago
This allows us to run under systemd, which lets us set credentials encrypted with a TPM2!
That means the entire key management bit is solved, and we have a way to boot a stateless initrd whose trust is 100% rooted in a machine identity.
The test failure is fixed with https://github.com/NixOS/nixpkgs/pull/299395, now we just have to wait for it to hit nixos-unstable (: