My linux config and rc files https://git.sommerfeld.dev/dotfiles/atom/etc/kernel/cmdline?h=master 2026-05-13T12:43:16Z 2026-05-13T12:43:16Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-13T12:43:16Z urn:sha1:208877d1e682536aa737748fffe4560956d3908a Prompt once at 'chezmoi init' time for the LUKS root partition (e.g. nvme0n1p2) and store it under [data].luksRootPartition in the per-machine chezmoi config. etc/kernel/cmdline.tmpl resolves the UUID at apply time via lsblk, so reinstalls only require re-entering the partition name. The etc deploy script now renders *.tmpl sources through 'chezmoi execute-template' and installs them without the suffix. The resolved UUID is folded into the onchange hash so the script re-runs when the UUID changes even if etc/ content is unchanged. just etc-status/diff transparently handle .tmpl sources (strip suffix for the live-path mapping, render before diffing). etc-re-add skips .tmpl files since template sources can't be reverse-rendered from the live file. 2026-05-13T12:43:11Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-13T12:43:11Z urn:sha1:c6b57e8dcce0608febf881a88f83decd5b2769d3 Prerequisite for TPM2 LUKS unlock. systemd-cryptenroll stores TPM hints in LUKS2 token metadata, so no cmdline options are needed beyond rd.luks.name (sd-encrypt auto-discovers enrolled tokens). After chezmoi apply: sudo mkinitcpio -P && sudo sbctl verify, then reboot. Passphrase still works; TPM enrollment is a separate step. 2026-04-21T00:24:58Z sommerfeld sommerfeld@sommerfeld.dev 2026-04-21T00:24:58Z urn:sha1:c1343b0e0cf1df3bd04e8ad824af4ff96369080c Track /etc/kernel/cmdline and enable default_uki/fallback_uki in linux.preset. Remove create-efi helper (UKI is self-contained; only needed once at install time). Update bootstrap to print the one-off efibootmgr command instead of launching create-efi.