From b5bbf6f901d3d70748c28f3e36b7f6d2cd4362c4 Mon Sep 17 00:00:00 2001
From: Majiir Paktu
Date: Sun, 13 Jul 2025 11:59:57 -0400
Subject: [PATCH] nixos/plymouth-tpm2-totp: init
---
nixos/doc/manual/redirects.json | 15 +++++
.../manual/release-notes/rl-2511.section.md | 2 +
nixos/modules/module-list.nix | 1 +
.../modules/system/boot/plymouth-tpm2-totp.md | 29 +++++++++
.../system/boot/plymouth-tpm2-totp.nix | 59 +++++++++++++++++++
5 files changed, 106 insertions(+)
create mode 100644 nixos/modules/system/boot/plymouth-tpm2-totp.md
create mode 100644 nixos/modules/system/boot/plymouth-tpm2-totp.nix
diff --git a/nixos/doc/manual/redirects.json b/nixos/doc/manual/redirects.json
index 5a56af028e2d..297956be881b 100644
--- a/nixos/doc/manual/redirects.json
+++ b/nixos/doc/manual/redirects.json
@@ -1,4 +1,19 @@
 {
+ "module-boot-plymouth-tpm2-totp": [
+ "index.html#module-boot-plymouth-tpm2-totp"
+ ],
+ "module-boot-plymouth-tpm2-totp-quick-start": [
+ "index.html#module-boot-plymouth-tpm2-totp-quick-start"
+ ],
+ "module-boot-plymouth-tpm2-totp-quick-start-check": [
+ "index.html#module-boot-plymouth-tpm2-totp-quick-start-check"
+ ],
+ "module-boot-plymouth-tpm2-totp-quick-start-configure": [
+ "index.html#module-boot-plymouth-tpm2-totp-quick-start-configure"
+ ],
+ "module-boot-plymouth-tpm2-totp-quick-start-enable": [
+ "index.html#module-boot-plymouth-tpm2-totp-quick-start-enable"
+ ],
 "sec-override-nixos-test": [
 "index.html#sec-override-nixos-test"
 ],
diff --git a/nixos/doc/manual/release-notes/rl-2511.section.md b/nixos/doc/manual/release-notes/rl-2511.section.md
index fbc2a0a100dd..47826e05479d 100644
--- a/nixos/doc/manual/release-notes/rl-2511.section.md
+++ b/nixos/doc/manual/release-notes/rl-2511.section.md
@@ -88,6 +88,8 @@
 - The [Neat IP Address Planner](https://spritelink.github.io/NIPAP/) (NIPAP) can now be enabled through [services.nipap.enable](#opt-services.nipap.enable).
+- [tpm2-totp](https://github.com/tpm2-software/tpm2-totp) can now be used to show a TOTP during boot using Plymouth. Available as [boot.plymouth.tpm2-totp](#opt-boot.plymouth.tpm2-totp.enable).
+
 - [nix-store-veritysetup](https://github.com/nikstur/nix-store-veritysetup-generator), a systemd generator to unlock the Nix Store as a dm-verity protected block device. Available as [boot.initrd.nix-store-veritysetup](options.html#opt-boot.initrd.nix-store-veritysetup.enable).
 - [SuiteNumérique Docs](https://github.com/suitenumerique/docs), a collaborative note taking, wiki and documentation web platform and alternative to Notion or Outline. Available as [services.lasuite-docs](#opt-services.lasuite-docs.enable).
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 3bfe8ccb982c..7edc396f92ce 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1829,6 +1829,7 @@
 ./system/boot/modprobe.nix
 ./system/boot/networkd.nix
 ./system/boot/nix-store-veritysetup.nix
+ ./system/boot/plymouth-tpm2-totp.nix
 ./system/boot/plymouth.nix
 ./system/boot/resolved.nix
 ./system/boot/shutdown.nix
diff --git a/nixos/modules/system/boot/plymouth-tpm2-totp.md b/nixos/modules/system/boot/plymouth-tpm2-totp.md
new file mode 100644
index 000000000000..aecec001ca63
--- /dev/null
+++ b/nixos/modules/system/boot/plymouth-tpm2-totp.md
@@ -0,0 +1,29 @@
+# tpm2-totp with Plymouth {#module-boot-plymouth-tpm2-totp}
+
+[tpm2-totp](https://github.com/tpm2-software/tpm2-totp) attests the trustworthiness of a device against a human using time-based one-time passwords. This module uses a `tpm2-totp` configuration to display a TOTP at boot using Plymouth.
+
+## Quick start {#module-boot-plymouth-tpm2-totp-quick-start}
+
+### 1. Enable modules {#module-boot-plymouth-tpm2-totp-quick-start-enable}
+
+```nix
+{
+ boot.plymouth.tpm2-totp.enable = true;
+
+ # Plymouth and systemd initrd/stage-1 are required:
+ boot.plymouth.enable = true;
+ boot.initrd.systemd.enable = true;
+}
+```
+
+Switch to the new configuration before proceeding to the next step.
+
+### 2. Configure `tpm2-totp` {#module-boot-plymouth-tpm2-totp-quick-start-configure}
+
+Generate a new TOTP secret and save the secret in your chosen authenticator app. See `man tpm2-totp` for commands and configuration examples.
+
+More information, including security considerations, can be found in the `README.md` in the [tpm2-totp](https://github.com/tpm2-software/tpm2-totp) repository. Be sure to select the tag for the version of `tpm2-totp` you have installed.
+
+### 3. Check configuration {#module-boot-plymouth-tpm2-totp-quick-start-check}
+
+Reboot and you should see the TOTP appear on the Plymouth boot screen. The TOTP should match the code displayed in your authenticator app (or the code immediately before/after).
diff --git a/nixos/modules/system/boot/plymouth-tpm2-totp.nix b/nixos/modules/system/boot/plymouth-tpm2-totp.nix
new file mode 100644
index 000000000000..2c688f82c6c2
--- /dev/null
+++ b/nixos/modules/system/boot/plymouth-tpm2-totp.nix
@@ -0,0 +1,59 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+let
+ cfg = config.boot.plymouth.tpm2-totp;
+in
+{
+ options.boot.plymouth.tpm2-totp = {
+ enable = lib.mkEnableOption "tpm2-totp using Plymouth" // {
+ description = "Whether to display a TOTP during boot using tpm2-totp and Plymouth.";
+ };
+
+ package = lib.mkPackageOption pkgs "tpm2-totp" { default = "tpm2-totp-with-plymouth"; };
+ };
+
+ meta = {
+ maintainers = with lib.maintainers; [ majiir ];
+ doc = ./plymouth-tpm2-totp.md;
+ };
+
+ config = lib.mkIf cfg.enable {
+ assertions = [
+ {
+ assertion = config.boot.initrd.systemd.enable;
+ message = "boot.plymouth.tpm2-totp is only supported with boot.initrd.systemd.";
+ }
+ ];
+
+ environment.systemPackages = [
+ cfg.package
+ ];
+
+ boot.initrd.systemd.storePaths = [
+ "${cfg.package}/libexec/tpm2-totp/plymouth-tpm2-totp"
+ "${cfg.package}/lib/libtpm2-totp.so.0"
+ "${cfg.package}/lib/libtpm2-totp.so.0.0.0"
+ ];
+
+ # Based on https://github.com/tpm2-software/tpm2-totp/blob/9bcfdcbfdd42e0b2e1d7769852009608f889631c/dist/plymouth-tpm2-totp.service.in
+ boot.initrd.systemd.services.plymouth-tpm2-totp = {
+ description = "Display a TOTP during boot using Plymouth";
+ requires = [ "plymouth-start.service" ];
+ after = [
+ "plymouth-start.service"
+ "tpm2.target"
+ ];
+ wantedBy = [ "sysinit.target" ];
+ unitConfig.DefaultDependencies = false;
+ serviceConfig = {
+ Type = "exec";
+ ExecStart = "${cfg.package}/libexec/tpm2-totp/plymouth-tpm2-totp";
+ };
+ };
+ };
+}
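Review bot: The `assertions` list only checks `config.boot.initrd.systemd.enable`, yet the unit declared further down hard-requires `plymouth-start.service` and the module's own `plymouth-tpm2-totp.md` in this patch names `boot.plymouth.enable` as a second requirement; with Plymouth off, the misconfiguration would presumably surface as a failed unit at boot rather than at evaluation time, which is the wrong place to learn that the attestation display is missing. Add a parallel entry: `{ assertion = config.boot.plymouth.enable; message = "boot.plymouth.tpm2-totp requires boot.plymouth.enable."; }`. As a point of style, `${cfg.package}/libexec/tpm2-totp/plymouth-tpm2-totp` is spelled twice (in `storePaths` and `ExecStart`), and the two `libtpm2-totp.so.*` entries pin an exact soname that nothing in the hunk ties to the package version; binding the helper path once in the `let` block and adding a comment such as `# soname list must be kept in sync with the tpm2-totp package` would keep these from drifting apart on an update. Whether the helper needs exactly those two library files in the initrd is not verifiable from this hunk.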