From c82e4afc4d1e4e3caffc411b5997f2ec53b83ad6 Mon Sep 17 00:00:00 2001
From: Sandwich
Date: Fri, 20 Feb 2026 21:51:12 +0100
Subject: [PATCH] fix(encryption): add warning before silent TPM2-to-keyfile fallback

---
 roles/configuration/tasks/encryption/tpm2.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/roles/configuration/tasks/encryption/tpm2.yml b/roles/configuration/tasks/encryption/tpm2.yml
index 8ed6c50..664543e 100644
--- a/roles/configuration/tasks/encryption/tpm2.yml
+++ b/roles/configuration/tasks/encryption/tpm2.yml
@@ -79,6 +79,12 @@
 chroot stderr={{ configuration_luks_tpm2_enroll_chroot.stderr | default('') }},
 host stderr={{ configuration_luks_tpm2_enroll_host.stderr | default('') }}
 rescue:
+ - name: Warn about TPM2 enrollment failure
+ ansible.builtin.debug:
+ msg: >-
+ TPM2 enrollment failed — falling back to keyfile auto-decrypt.
+ The system will use a keyfile instead of TPM2 for automatic LUKS unlock.
+
 - name: Fallback to keyfile auto-decrypt
 ansible.builtin.set_fact:
 configuration_luks_auto_method: keyfile
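Review bot: The added debug task makes the downgrade visible but not actionable: an `ansible.builtin.debug` message does not change task or play status, so an unattended or CI run that switched a host from TPM2-sealed unlock to an on-disk keyfile still finishes green and the only trace is a line in transient play output. The enrollment output appears to be in scope here (`configuration_luks_tpm2_enroll_chroot.stderr` and `configuration_luks_tpm2_enroll_host.stderr` are referenced on the context lines just above `rescue:`), so append it to the folded `msg` so the operator can see why sealing failed, e.g. `(chroot stderr={{ configuration_luks_tpm2_enroll_chroot.stderr | default('') }}, host stderr={{ configuration_luks_tpm2_enroll_host.stderr | default('') }})`. Consider also gating the fallback behind an explicit opt-in role variable (name to be chosen by the role) and ending the rescue with `ansible.builtin.fail` when it is not set, so the weaker automatic-unlock method is a deliberate choice rather than the default; the enclosing block/rescue starts before this hunk.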