docs(tpm-disk-unlock): separate from secure boot

docs/astro.config.mjs

@@ -18,7 +18,10 @@ export default defineConfig({
         },
         {
           label: "Features",
-          autogenerate: { directory: "features" },
+          items: [
+            { slug: "features/secure-boot" },
+            { slug: "features/tpm-disk-unlock" },
+          ],
         },
       ],
     }),

docs/src/content/docs/features/secure-boot.mdx

@@ -52,23 +52,6 @@ sudo nix run nixpkgs#sbctl enroll-keys -- --microsoft
 </ol>
 </Steps>
 
-## TPM disk unlock
-
-With secure boot in place, TPM can be used to automatically unlock encrypted
-partitions. After enabling this feature in the BIOS, setup your partitions. For
-each encrypted partition, setup disk unlock by replacing `<encrypted-partion>`
-with its identifier, e.g. `nvme0n1p1`, `sda1` or `disk/by-label/NIXOS`.
-
-<Tabs syncKey="nix-environment">
-<TabItem label="NixOS">
-
-```sh "<encrypted-partition>"
-sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+7+12 /dev/<encrypted-partition>
-```
-
-</TabItem>
-</Tabs>
-
 ## Troubleshooting
 
 ### Outdated secure boot keys
@@ -112,42 +95,8 @@ sudo nix run nixpkgs#sbctl reset
 </ol>
 </Steps>
 
-### Outdated TPM disk unlock
-
-After an OS or UEFI update using TPM disk unlock, the disks may not be
-automatically unlocked and you will be prompted for the encryption password on
-boot. The following steps might resolve this issue.
-
-<Steps>
-<ol>
-<li>
-
-For each encrypted partition, remove disk unlock by replacing
-`<encrypted-partion>` with its identifier, e.g. `nvme0n1p1`, `sda1` or
-`disk/by-label/NIXOS`.
-
-<Tabs syncKey="nix-environment">
-<TabItem label="NixOS">
-
-```sh
-sudo systemd-cryptenroll --wipe-slot tpm2 /dev/<encrypted-partition>
-```
-
-</TabItem>
-</Tabs>
-
-</li>
-<li>
-
-[Setup TPM disk unlock](#tpm-disk-unlock) again.
-
-</li>
-</ol>
-</Steps>
-
 ## Further reading
 
 - Setting up
   [lanzaboote](https://github.com/nix-community/lanzaboote/blob/master/docs/QUICK_START.md)
-- [TPM disk unlock](https://jnsgr.uk/2024/04/nixos-secure-boot-tpm-fde/#tpm-unlock-of-root-partition)
   on Nix

docs/src/content/docs/features/tpm-disk-unlock.mdx

@@ -0,0 +1,67 @@
+---
+title: TPM disk unlock
+description: Learn how to set up TPM disk unlock on NixOS.
+---
+
+import { Aside, Steps, Tabs, TabItem } from "@astrojs/starlight/components";
+
+<Aside>
+  This guide assumes that you have set up [secure boot](./secure-boot).
+</Aside>
+
+## Setup
+
+With secure boot in place, TPM can be used to automatically unlock encrypted
+partitions. After enabling this feature in the BIOS, setup your partitions. For
+each encrypted partition, setup disk unlock by replacing `<encrypted-partion>`
+with its identifier, e.g. `nvme0n1p1`, `sda1` or `disk/by-label/NIXOS`.
+
+<Tabs syncKey="nix-environment">
+<TabItem label="NixOS">
+
+```sh "<encrypted-partition>"
+sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+7+12 /dev/<encrypted-partition>
+```
+
+</TabItem>
+</Tabs>
+
+## Troubleshooting
+
+### Outdated TPM disk unlock
+
+After an OS or UEFI update using TPM disk unlock, the disks may not be
+automatically unlocked and you will be prompted for the encryption password on
+boot. The following steps might resolve this issue.
+
+<Steps>
+<ol>
+<li>
+
+For each encrypted partition, remove disk unlock by replacing
+`<encrypted-partion>` with its identifier, e.g. `nvme0n1p1`, `sda1` or
+`disk/by-label/NIXOS`.
+
+<Tabs syncKey="nix-environment">
+<TabItem label="NixOS">
+
+```sh
+sudo systemd-cryptenroll --wipe-slot tpm2 /dev/<encrypted-partition>
+```
+
+</TabItem>
+</Tabs>
+
+</li>
+<li>
+
+[Setup TPM disk unlock](#tpm-disk-unlock) again.
+
+</li>
+</ol>
+</Steps>
+
+## Further reading
+
+- [TPM disk unlock](https://jnsgr.uk/2024/04/nixos-secure-boot-tpm-fde/#tpm-unlock-of-root-partition)
+  on Nix