Successful boot!

mkosi.conf

@@ -22,4 +22,5 @@ Checksum=true
 
 [Host]
 Incremental=true
-ToolsTree=default
+ToolsTree=default
+RuntimeSize=12G

mkosi.images/base/mkosi.conf

@@ -4,7 +4,6 @@ Format=directory
 [Content]
 Bootable=no
 SourceDateEpoch=0
-MakeInitrd=no
 CleanPackageMetadata=no
 Packages=
 	# Minimal package set to define a basic Arch Linux installation

mkosi.images/base/mkosi.skeleton/etc/mkinitcpio.conf.d/mkinitcpio.conf

@@ -1,5 +1,6 @@
 # vim:set ft=sh
 HOOKS=(
+    base
     systemd
     keyboard
     modconf

mkosi.images/base/mkosi.skeleton/etc/mkinitcpio.conf.d/usr/share/mkinitcpio/hook.preset

@@ -1,8 +0,0 @@
-# mkinitcpio preset file for the '%PKGBASE%' package
-
-ALL_kver="/boot/vmlinuz-%PKGBASE%"
-ALL_microcode=(/boot/*-ucode.img)
-
-PRESETS=('default')
-
-default_image="/boot/initramfs-%PKGBASE%.img"

mkosi.images/base/mkosi.skeleton/etc/vconsole.conf

@@ -1 +0,0 @@
-KEYMAP=de

mkosi.images/initrd/mkosi.conf

@@ -9,6 +9,7 @@ MakeInitrd=yes
 CleanPackageMetadata=yes
 Packages=
 	systemd
+	udev
 	util-linux    
 	# for emergency logins
 	bash

mkosi.images/initrd/mkosi.extra/etc/crypttab

@@ -0,0 +1 @@
+root    /dev/gpt-auto-root-luks -

mkosi.images/initrd/mkosi.extra/etc/fstab

@@ -0,0 +1 @@
+/dev/mapper/root   /sysroot      btrfs    defaults,x-mount.mkdir      0  1

mkosi.images/server/mkosi.conf

@@ -25,18 +25,25 @@ Packages=
 
 KernelCommandLine=
 	# Output fewer messages during boot. Errors will not be suppressed.
-	quiet
-	# prevents access to a shell if boot fails
+	#quiet
+	# prevent access to a shell if boot fails
 	rd.shell=0
-	# prevents access to a shell if the root is corrupt
+	# prevent access to a shell if the root is corrupt
 	rd.emergency=reboot
 	# prevents untrusted code from running (the default behavior will just print an error to dmesg)
 	systemd.verity_root_options=panic-on-corruption
-	# reboots system 30 seconds after a kernel panic
+	# reboot system 30 seconds after a kernel panic
 	panic=30
 	# enable apparmor (enables kernel lockdown mode, requires signed kernel modules)
-	lsm=landlock,lockdown,yama,integrity,apparmor,bpf audit=1 audit_backlog_limit=256
+	lsm=landlock,lockdown,yama,integrity,apparmor,bpf audit=1 audit_backlog_limit=8192
 	# enable automatic unlock of rootfs via TPM2 security chip
-	rd.luks.options=tpm2-device=auto
 	# enable unlock of rootfs via FIDO2 security token
-	rd.luks.options=fido2-device=auto
+	# try automatic unlock of rootfs with empty password
+	# prevent timeout for entering the password during boot
+	# bypass dm-crypt internal workqueue and process read and write requests synchronously
+	rd.luks.options=tpm2-device=auto,fido2-device=auto,try-empty-password=true,timeout=0,no-read-workqueue,no-write-workqueue
+	rootflags=x-systemd.device-timeout=0
+	# explicitly use rootfs from fstab (workaround current systemd limitations)
+	root=fstab
+	# use German keyboard layout
+	vconsole.keymap=de-latin1

mkosi.images/server/mkosi.extra/usr/lib/repart.d/50-root.conf

@@ -4,6 +4,8 @@ Format=btrfs
 FactoryReset=true
 Label=%M-root
 Encrypt=key-file
+SizeMinBytes=5G
+MakeDirectories=/usr
 MakeDirectories=/etc
 MakeDirectories=/var
 MakeDirectories=/var/log

mkosi.images/server/mkosi.extra/usr/lib/repart.d/70-swap.conf

@@ -0,0 +1,9 @@
+[Partition]
+Type=swap
+Format=swap
+FactoryReset=true
+Encrypt=key-file
+SizeMinBytes=1G
+SizeMaxBytes=4G
+Weight=333
+Priority=1