From 03fa41729685e830e6b3f13ba70f5c6581501370 Mon Sep 17 00:00:00 2001
From: Alejandro Soto
Date: Fri, 3 Apr 2026 19:34:00 -0600
Subject: sys/hardware: yubico: move /var/trust/pam_u2f_keys to /etc since /var/trust may be locked by fscrypt
---
 sys/hardware/yubico.nix | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'sys/hardware')
diff --git a/sys/hardware/yubico.nix b/sys/hardware/yubico.nix
index 1c77675..ba820e1 100644
--- a/sys/hardware/yubico.nix
+++ b/sys/hardware/yubico.nix
@@ -30,13 +30,17 @@ in {
 module: ${pkgs.yubico-piv-tool}/lib/libykcs11.so
 '';
+ local.boot.impermanence.files = [
+ "/etc/pam_u2f_keys"
+ ];
+
 security.pam = mkIf cfg.pamAuth {
 u2f = {
 enable = true;
 control = "sufficient";
 settings = {
- authfile = "/var/trust/pam_u2f_keys";
+ authfile = "/etc/pam_u2f_keys";
 cue = true;
 pinverification = 1;
 userpresence = 0;
-- 
cgit v1.2.3
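Review bot: The new `authfile = "/etc/pam_u2f_keys"` makes a file outside the fscrypt-protected tree the trust anchor for a `sufficient` PAM rule, and nothing visible in the hunk pins its ownership or mode once the impermanence entry persists it. Whoever can write that file can enrol an additional key for a listed user, so it should stay root-owned and not group- or world-writable; a comment next to the setting such as `# integrity-critical: keep root:root, not writable by others; lives in /etc so it is readable before /var/trust is unlocked` would record that, and how the persisted copy gets its permissions is worth confirming in the impermanence module. The `local.boot.impermanence.files` entry also sits outside the `mkIf cfg.pamAuth` guard, so the path is persisted even when PAM auth is disabled; `local.boot.impermanence.files = mkIf cfg.pamAuth [ "/etc/pam_u2f_keys" ];` would keep the two in step, assuming the option accepts a conditional definition. The enclosing attribute set starts and ends outside the hunk.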