From ceb2237bbb0803c526d8289acd3efd4af4aec595 Mon Sep 17 00:00:00 2001
From: Sandwich <sandwich@archworks.co>
Date: Sun, 31 May 2026 12:39:24 +0200
Subject: [PATCH] fix(encryption): add tpm2-tss dracut module explicitly for
 TPM2 LUKS

---
 roles/configuration/tasks/encryption/dracut.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/roles/configuration/tasks/encryption/dracut.yml b/roles/configuration/tasks/encryption/dracut.yml
index f0bcd53..4ea0518 100644
--- a/roles/configuration/tasks/encryption/dracut.yml
+++ b/roles/configuration/tasks/encryption/dracut.yml
@@ -14,11 +14,11 @@
       install_items+=" {{ configuration_luks_keyfile_path }} "
       {% endif %}
       {% if configuration_luks_auto_method == 'tpm2' %}
+      add_dracutmodules+=" tpm2-tss "
       install_items+=" {{ configuration_luks_tpm2_token_lib | default('') }} "
       {% endif %}
     mode: "0644"
 
-# --- Kernel cmdline: write rd.luks.* args for dracut ---
 - name: Ensure kernel cmdline directory exists
   ansible.builtin.file:
     path: /mnt/etc/kernel
@@ -58,7 +58,6 @@
     mode: "0644"
     content: "{{ _dracut_kernel_cmdline }}\n"
 
-# --- BLS entries: RedHat-specific ---
 - name: Update BLS entries with LUKS kernel cmdline
   when: os_family == 'RedHat'
   vars: