From 54ea969b61a163e84148c275dce81a33eb1387fe Mon Sep 17 00:00:00 2001
From: Jet
Date: Sun, 31 May 2026 10:05:10 -0700
Subject: [PATCH 1/2] feat: add text editor notepad
---
 configuration.nix | 1 -
 1 file changed, 1 deletion(-)
diff --git a/configuration.nix b/configuration.nix
index 1db61f6..1af83ff 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -219,7 +219,6 @@
 gnome-logs
 gnome-maps
 gnome-music
-gnome-text-editor
 gnome-tour
 gnome-weather
 papers
From 15d70f847257c71c889aacf2138f731cd52abcdc Mon Sep 17 00:00:00 2001
From: Jet
Date: Sun, 31 May 2026 10:05:10 -0700
Subject: [PATCH 2/2] feat: add encryption
---
 home-modules/desktop.nix | 6 +
 hosts/framework-work/INSTALL-LUKS.md | 126 ++++++++++++++++++
 hosts/framework-work/default.nix | 15 ++-
 .../framework-work/hardware-configuration.nix | 14 +-
 4 files changed, 153 insertions(+), 8 deletions(-)
 create mode 100644 hosts/framework-work/INSTALL-LUKS.md
diff --git a/home-modules/desktop.nix b/home-modules/desktop.nix
index 83fa51b..6b93249 100644
--- a/home-modules/desktop.nix
+++ b/home-modules/desktop.nix
@@ -154,6 +154,12 @@ in
 "org/gnome/settings-daemon/plugins/media-keys" = {
 screensaver = [ "l" ];
 };
+"org/gnome/desktop/screensaver" = {
+lock-enabled = true;
+};
+"org/gnome/desktop/lockdown" = {
+disable-lock-screen = false;
+};
 "org/gnome/desktop/peripherals/touchpad" = {
 disable-while-typing = false;
 natural-scroll = true;
diff --git a/hosts/framework-work/INSTALL-LUKS.md b/hosts/framework-work/INSTALL-LUKS.md
new file mode 100644
index 0000000..f93a38a
--- /dev/null
+++ b/hosts/framework-work/INSTALL-LUKS.md
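Review bot: `lock-enabled = true` only locks once the screensaver activates, and the hunk does not pin what triggers activation: `idle-delay` under `org/gnome/desktop/session` and `lock-delay` in this same screensaver schema stay at whatever the user sets, so an idle timeout of "never" leaves the session never auto-locking despite this key. To make the lock a real policy next to the LUKS-gated autologin, add `"org/gnome/desktop/session" = { idle-delay = lib.hm.gvariant.mkUint32 300; };` and `lock-delay = lib.hm.gvariant.mkUint32 0;` beside `lock-enabled` (assuming `lib` is in scope; only `in` is visible in the hunk header). Note also that home-manager's `dconf.settings` writes the user's own dconf database, which the user can change at any time; an enforced lock needs a system dconf profile with locks, which is outside this module. `disable-lock-screen = false` is the GNOME default, so a one-line comment such as `# pinned on purpose: the lock screen must stay available when GDM autologin is on` would tell a reader it is there deliberately.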
@@ -0,0 +1,126 @@
+# Framework Work LUKS Reinstall
+
+This host uses the standard NixOS encrypted-root layout for a laptop:
+
+- UEFI `/boot` remains unencrypted so `systemd-boot` can load the kernel and initrd.
+- The root partition is a LUKS container opened as `/dev/mapper/cryptroot`.
+- `/` is an ext4 filesystem inside that LUKS container.
+- The old plain swap partition is removed. Swap is provided by the global `zramSwap` config.
+- GNOME autologin is enabled only when a LUKS root is configured, so boot requires the LUKS passphrase and screen unlock still requires the `jet` password.
+
+This follows the NixOS manual's manual install flow and the NixOS encrypted-root examples. It also matches what the Oneleet agent checks: root must be mounted from a `crypt` block-device stack.
+
+## Current Device Map
+
+- Internal disk: `/dev/nvme0n1`
+- EFI partition: `/dev/nvme0n1p1`, UUID `D21C-F860`
+- Root partition to encrypt: `/dev/nvme0n1p2`, PARTUUID `90aab143-4d2f-4a77-b08e-95fad9ee08af`
+- Old plain swap partition to remove: `/dev/nvme0n1p3`
+
+## Before Rebooting To The Installer
+
+Back up the config and SSH keys to the EFI partition. The SSH key backup is temporarily stored on unencrypted `/boot`; delete it after the reinstall succeeds.
+
+```bash
+sudo tar -C /home/jet/Documents -czf /boot/nix-config-before-luks.tar.gz nix-config
+sudo tar -C /home/jet -czf /boot/jet-ssh-before-luks.tar.gz .ssh
+```
+
+## Installer Commands
+
+Boot the NixOS USB installer, open a terminal, and verify the disk layout first:
+
+```bash
+lsblk -o NAME,PATH,SIZE,FSTYPE,MOUNTPOINTS,PARTUUID,UUID
+```
+
+Stop any active swap, remove the old plain swap partition, and expand the root partition to the end of the disk:
+
+```bash
+sudo swapoff -a || true
+sudo parted /dev/nvme0n1 --script rm 3
+sudo parted /dev/nvme0n1 --script resizepart 2 100%
+sudo partprobe /dev/nvme0n1
+sudo udevadm settle
+```
+
+Verify that partition 2 still has the expected PARTUUID. If it changed, update `hosts/framework-work/hardware-configuration.nix` before installing.
+
+```bash
+lsblk -o NAME,SIZE,PARTUUID /dev/nvme0n1
+```
+
+Create and open the LUKS root container:
+
+```bash
+sudo cryptsetup luksFormat /dev/disk/by-partuuid/90aab143-4d2f-4a77-b08e-95fad9ee08af
+sudo cryptsetup open /dev/disk/by-partuuid/90aab143-4d2f-4a77-b08e-95fad9ee08af cryptroot
+```
+
+Create the root filesystem and mount it with the existing EFI partition:
+
+```bash
+sudo mkfs.ext4 -L nixos-root /dev/mapper/cryptroot
+sudo mount /dev/mapper/cryptroot /mnt
+sudo mkdir -p /mnt/boot
+sudo mount /dev/disk/by-uuid/D21C-F860 /mnt/boot
+```
+
+Restore this config and SSH keys:
+
+```bash
+sudo mkdir -p /mnt/home/jet/Documents /mnt/home/jet
+sudo tar -C /mnt/home/jet/Documents -xzf /mnt/boot/nix-config-before-luks.tar.gz
+sudo tar -C /mnt/home/jet -xzf /mnt/boot/jet-ssh-before-luks.tar.gz
+sudo chown -R 1000:100 /mnt/home/jet
+sudo chmod 700 /mnt/home/jet/.ssh
+sudo chmod 600 /mnt/home/jet/.ssh/id_ed25519
+```
+
+Install NixOS from the flake:
+
+```bash
+sudo nixos-install --flake /mnt/home/jet/Documents/nix-config#framework-work
+```
+
+Set the `jet` password for screen unlock and sudo:
+
+```bash
+sudo nixos-enter --root /mnt -c 'passwd jet'
+```
+
+Remove the temporary unencrypted SSH key backup, then reboot:
+
+```bash
+sudo rm -f /mnt/boot/jet-ssh-before-luks.tar.gz
+sudo reboot
+```
+
+## After First Boot
+
+Check the block-device stack:
+
+```bash
+lsblk -o NAME,TYPE,FSTYPE,MOUNTPOINTS
+findmnt -no SOURCE,FSTYPE /
+```
+
+Expected shape:
+
+```text
+nvme0n1p2 crypto_LUKS
+└─cryptroot ext4 /
+```
+
+Then restart Oneleet and rerun the check:
+
+```bash
+sudo systemctl restart oneleet-daemon
+systemctl status oneleet-daemon
+```
+
+## References Checked
+
+- NixOS manual, manual installation and UEFI `/boot` mounting flow: `https://nixos.org/manual/nixos/stable/`
+- NixOS Wiki, Full Disk Encryption examples: `https://nixos.wiki/wiki/Full_Disk_Encryption`
+- ArchWiki, dm-crypt encrypted root tradeoffs and LUKS-on-partition layout: `https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system`
diff --git a/hosts/framework-work/default.nix b/hosts/framework-work/default.nix
index 0de139a..5362fe0 100644
--- a/hosts/framework-work/default.nix
+++ b/hosts/framework-work/default.nix
@@ -1,4 +1,8 @@
-{ ... }:
+{ config, lib, ... }:
+
+let
+hasLuksDevice = config.boot.initrd.luks.devices != { };
+in
 {
 imports = [
@@ -9,6 +13,15 @@
 networking.hostName = "framework-work";
+# Once root is LUKS-encrypted, the disk passphrase is the boot password.
+# GDM autologin avoids entering a second password after the disk is unlocked.
+services.displayManager.autoLogin = {
+enable = hasLuksDevice;
+user = "jet";
+};
+
+swapDevices = lib.mkForce [ ];
+
 fileSystems."/tmp" = {
 device = "tmpfs";
 fsType = "tmpfs";
diff --git a/hosts/framework-work/hardware-configuration.nix b/hosts/framework-work/hardware-configuration.nix
index e0e2732..4b7e6cc 100644
--- a/hosts/framework-work/hardware-configuration.nix
+++ b/hosts/framework-work/hardware-configuration.nix
@@ -22,8 +22,13 @@
 boot.kernelModules = [ "kvm-amd" ];
 boot.extraModulePackages = [ ];
+boot.initrd.luks.devices.cryptroot = {
+device = "/dev/disk/by-partuuid/90aab143-4d2f-4a77-b08e-95fad9ee08af";
+allowDiscards = true;
+};
+
 fileSystems."/" = {
-device = "/dev/disk/by-uuid/dfaa8624-c14f-4a72-8c5a-193d8294e5cb";
+device = "/dev/mapper/cryptroot";
 fsType = "ext4";
 options = [ "noatime" ];
 };
@@ -37,12 +42,7 @@
 ];
 };
-swapDevices = [
-{
-device = "/dev/disk/by-uuid/bd8d2630-7c9b-4ec1-8a00-b1a801003732";
-priority = -10;
-}
-];
+swapDevices = [ ];
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
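Review bot: `enable = hasLuksDevice;` turns on password-less GDM login whenever any `boot.initrd.luks.devices` entry exists, not specifically when `/` is mounted from one, so adding an encrypted data partition to a host whose root is plain would silently enable autologin; the definition in the first default.nix hunk could be tightened to `hasLuksRoot = lib.any (name: config.fileSystems."/".device == "/dev/mapper/${name}") (lib.attrNames config.boot.initrd.luks.devices);`. Autologin also means PAM never receives the user's password at session start, so the GNOME login keyring typically cannot be unlocked automatically and prompts on first use (or tempts the user to blank its password, which leaves stored secrets unprotected); the comment block above `services.displayManager.autoLogin` should record that trade-off. `swapDevices = lib.mkForce [ ];` duplicates the `swapDevices = [ ];` set in `hardware-configuration.nix` in this same patch; the `mkForce` is harmless, but a comment such as `# no on-disk swap: a plaintext swap partition would bypass the LUKS root; zramSwap stays in RAM` would explain why it is forced rather than merely empty.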
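Review bot: `allowDiscards = true;` passes TRIM through dm-crypt, which lets anyone holding the raw disk see which sectors of the container are unused and infer filesystem layout; that is a deliberate confidentiality-for-SSD-health trade-off and should be recorded next to the option, e.g. `# TRIM through LUKS exposes the free-block map on the raw disk; accepted for SSD wear on this laptop.` The `device` path is the PARTUUID that INSTALL-LUKS.md in this patch warns may change after `resizepart`, so a comment `# PARTUUID of /dev/nvme0n1p2; re-check with lsblk after repartitioning (see INSTALL-LUKS.md)` would keep the two files from drifting apart. If this file still carries the `nixos-generate-config` "do not modify" header (outside the hunk), the hand-added `allowDiscards` is likely to be lost on the next regeneration, and the whole `boot.initrd.luks.devices.cryptroot` block may be safer in `default.nix` beside the autologin guard that depends on it.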