diff --git a/configuration.nix b/configuration.nix
index 1af83ff..1db61f6 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -219,6 +219,7 @@
 gnome-logs
 gnome-maps
 gnome-music
+ gnome-text-editor
 gnome-tour
 gnome-weather
 papers
diff --git a/home-modules/desktop.nix b/home-modules/desktop.nix
index 6b93249..83fa51b 100644
--- a/home-modules/desktop.nix
+++ b/home-modules/desktop.nix
@@ -154,12 +154,6 @@ in
 "org/gnome/settings-daemon/plugins/media-keys" = {
 screensaver = [ "l" ];
 };
- "org/gnome/desktop/screensaver" = {
- lock-enabled = true;
- };
- "org/gnome/desktop/lockdown" = {
- disable-lock-screen = false;
- };
 "org/gnome/desktop/peripherals/touchpad" = {
 disable-while-typing = false;
 natural-scroll = true;
diff --git a/hosts/framework-work/INSTALL-LUKS.md b/hosts/framework-work/INSTALL-LUKS.md
deleted file mode 100644
index f93a38a..0000000
--- a/hosts/framework-work/INSTALL-LUKS.md
+++ /dev/null
@@ -1,126 +0,0 @@ -# Framework Work LUKS Reinstall - -This host uses the standard NixOS encrypted-root layout for a laptop: - -- UEFI `/boot` remains unencrypted so `systemd-boot` can load the kernel and initrd. -- The root partition is a LUKS container opened as `/dev/mapper/cryptroot`. -- `/` is an ext4 filesystem inside that LUKS container. -- The old plain swap partition is removed. Swap is provided by the global `zramSwap` config. -- GNOME autologin is enabled only when a LUKS root is configured, so boot requires the LUKS passphrase and screen unlock still requires the `jet` password. - -This follows the NixOS manual's manual install flow and the NixOS encrypted-root examples. It also matches what the Oneleet agent checks: root must be mounted from a `crypt` block-device stack. - -## Current Device Map - -- Internal disk: `/dev/nvme0n1` -- EFI partition: `/dev/nvme0n1p1`, UUID `D21C-F860` -- Root partition to encrypt: `/dev/nvme0n1p2`, PARTUUID `90aab143-4d2f-4a77-b08e-95fad9ee08af` -- Old plain swap partition to remove: `/dev/nvme0n1p3` - -## Before Rebooting To The Installer - -Back up the config and SSH keys to the EFI partition. The SSH key backup is temporarily stored on unencrypted `/boot`; delete it after the reinstall succeeds. - -```bash -sudo tar -C /home/jet/Documents -czf /boot/nix-config-before-luks.tar.gz nix-config -sudo tar -C /home/jet -czf /boot/jet-ssh-before-luks.tar.gz .ssh -``` - -## Installer Commands - -Boot the NixOS USB installer, open a terminal, and verify the disk layout first: - -```bash -lsblk -o NAME,PATH,SIZE,FSTYPE,MOUNTPOINTS,PARTUUID,UUID -``` - -Stop any active swap, remove the old plain swap partition, and expand the root partition to the end of the disk: - -```bash -sudo swapoff -a || true -sudo parted /dev/nvme0n1 --script rm 3 -sudo parted /dev/nvme0n1 --script resizepart 2 100% -sudo partprobe /dev/nvme0n1 -sudo udevadm settle -``` - -Verify that partition 2 still has the expected PARTUUID. 
If it changed, update `hosts/framework-work/hardware-configuration.nix` before installing. - -```bash -lsblk -o NAME,SIZE,PARTUUID /dev/nvme0n1 -``` - -Create and open the LUKS root container: - -```bash -sudo cryptsetup luksFormat /dev/disk/by-partuuid/90aab143-4d2f-4a77-b08e-95fad9ee08af -sudo cryptsetup open /dev/disk/by-partuuid/90aab143-4d2f-4a77-b08e-95fad9ee08af cryptroot -``` - -Create the root filesystem and mount it with the existing EFI partition: - -```bash -sudo mkfs.ext4 -L nixos-root /dev/mapper/cryptroot -sudo mount /dev/mapper/cryptroot /mnt -sudo mkdir -p /mnt/boot -sudo mount /dev/disk/by-uuid/D21C-F860 /mnt/boot -``` - -Restore this config and SSH keys: - -```bash -sudo mkdir -p /mnt/home/jet/Documents /mnt/home/jet -sudo tar -C /mnt/home/jet/Documents -xzf /mnt/boot/nix-config-before-luks.tar.gz -sudo tar -C /mnt/home/jet -xzf /mnt/boot/jet-ssh-before-luks.tar.gz -sudo chown -R 1000:100 /mnt/home/jet -sudo chmod 700 /mnt/home/jet/.ssh -sudo chmod 600 /mnt/home/jet/.ssh/id_ed25519 -``` - -Install NixOS from the flake: - -```bash -sudo nixos-install --flake /mnt/home/jet/Documents/nix-config#framework-work -``` - -Set the `jet` password for screen unlock and sudo: - -```bash -sudo nixos-enter --root /mnt -c 'passwd jet' -``` - -Remove the temporary unencrypted SSH key backup, then reboot: - -```bash -sudo rm -f /mnt/boot/jet-ssh-before-luks.tar.gz -sudo reboot -``` - -## After First Boot - -Check the block-device stack: - -```bash -lsblk -o NAME,TYPE,FSTYPE,MOUNTPOINTS -findmnt -no SOURCE,FSTYPE / -``` - -Expected shape: - -```text -nvme0n1p2 crypto_LUKS -└─cryptroot ext4 / -``` - -Then restart Oneleet and rerun the check: - -```bash -sudo systemctl restart oneleet-daemon -systemctl status oneleet-daemon -``` - -## References Checked - -- NixOS manual, manual installation and UEFI `/boot` mounting flow: `https://nixos.org/manual/nixos/stable/` -- NixOS Wiki, Full Disk Encryption examples: `https://nixos.wiki/wiki/Full_Disk_Encryption` -- 
ArchWiki, dm-crypt encrypted root tradeoffs and LUKS-on-partition layout: `https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system`
diff --git a/hosts/framework-work/default.nix b/hosts/framework-work/default.nix
index 5362fe0..0de139a 100644
--- a/hosts/framework-work/default.nix
+++ b/hosts/framework-work/default.nix
@@ -1,8 +1,4 @@
-{ config, lib, ... }:
-
-let
- hasLuksDevice = config.boot.initrd.luks.devices != { };
-in
+{ ... }:
 {
 imports = [
@@ -13,15 +9,6 @@ in
 
 networking.hostName = "framework-work";
 
- # Once root is LUKS-encrypted, the disk passphrase is the boot password.
- # GDM autologin avoids entering a second password after the disk is unlocked.
- services.displayManager.autoLogin = {
- enable = hasLuksDevice;
- user = "jet";
- };
-
- swapDevices = lib.mkForce [ ];
-
 fileSystems."/tmp" = {
 device = "tmpfs";
 fsType = "tmpfs";
diff --git a/hosts/framework-work/hardware-configuration.nix b/hosts/framework-work/hardware-configuration.nix
index 4b7e6cc..e0e2732 100644
--- a/hosts/framework-work/hardware-configuration.nix
+++ b/hosts/framework-work/hardware-configuration.nix
@@ -22,13 +22,8 @@
 boot.kernelModules = [ "kvm-amd" ];
 boot.extraModulePackages = [ ];
 
- boot.initrd.luks.devices.cryptroot = {
- device = "/dev/disk/by-partuuid/90aab143-4d2f-4a77-b08e-95fad9ee08af";
- allowDiscards = true;
- };
-
 fileSystems."/" = {
- device = "/dev/mapper/cryptroot";
+ device = "/dev/disk/by-uuid/dfaa8624-c14f-4a72-8c5a-193d8294e5cb";
 fsType = "ext4";
 options = [ "noatime" ];
 };
@@ -42,7 +37,12 @@
 ];
 };
 
- swapDevices = [ ];
+ swapDevices = [
+ {
+ device = "/dev/disk/by-uuid/bd8d2630-7c9b-4ec1-8a00-b1a801003732";
+ priority = -10;
+ }
+ ];
 
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
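Review bot: The new `swapDevices` entry in the second hardware-configuration.nix hunk is a plain partition with no `randomEncryption`, and the first hunk drops the `cryptroot` LUKS mapping in favour of a by-uuid ext4 root, so after this commit anything paged out of RAM (including key material) is written to disk in cleartext and persists across reboots; adding `randomEncryption.enable = true;` inside the entry keeps swap unreadable at rest, at the cost of hibernate/resume, which nothing in these hunks configures. The deleted `INSTALL-LUKS.md` states that the Oneleet agent checks that `/` is mounted from a `crypt` block-device stack; if that requirement still applies, the unencrypted root introduced here will fail that check and the commit description should say why that is acceptable. Separately, `priority = -10` lies outside the -1..32767 range that swapon(8) documents; if the intent is to rank this partition below the zram swap the deleted doc mentions, a non-negative value lower than the zram priority expresses that unambiguously. Both hunks sit inside the module's top-level attribute set, whose opening and closing braces lie outside them.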