From b4233b8f1c48140f89f138ac7ceb1767af37cc71 Mon Sep 17 00:00:00 2001
From: ahuston-0
Date: Sun, 3 May 2026 17:33:56 -0400
Subject: [PATCH] luks migration, home migration fixes
---
 lib/systems.nix | 1 +
 modules/base.nix | 5 ++-
 systems/argiletum/configuration.nix | 14 ++++++--
 systems/argiletum/disk.nix | 50 +++++++++++++++++------------
 systems/artemision/desktop.nix | 3 ++
 users/alice/non-server.nix | 10 +++++-
 6 files changed, 59 insertions(+), 24 deletions(-)
diff --git a/lib/systems.nix b/lib/systems.nix
index d93a81b..d07b471 100644
--- a/lib/systems.nix
+++ b/lib/systems.nix
@@ -167,6 +167,7 @@ rec {
 outputs
 server
 system
+ home
 ;
 };
 modules = [
diff --git a/modules/base.nix b/modules/base.nix
index c24efdb..ac7d700 100644
--- a/modules/base.nix
+++ b/modules/base.nix
@@ -3,6 +3,7 @@
 inputs,
 outputs,
 server,
+ home,
 system,
 ...
 }:
@@ -22,6 +23,9 @@
 mutableUsers = lib.mkDefault false;
 };
 
+ networking.firewall.enable = lib.mkDefault true;
+}
+// lib.optionalAttrs home {
 home-manager = {
 useGlobalPkgs = true;
 useUserPackages = true;
@@ -34,5 +38,4 @@
 };
 };
 
- networking.firewall.enable = lib.mkDefault true;
 }
diff --git a/systems/argiletum/configuration.nix b/systems/argiletum/configuration.nix
index bc8da7b..84b823a 100644
--- a/systems/argiletum/configuration.nix
+++ b/systems/argiletum/configuration.nix
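Review bot: The `+}` / `+// lib.optionalAttrs home {` split in the `@@ -22,6 +23,9 @@` hunk of modules/base.nix reads like an accident at first glance, and the likely reason — when `home` is false the home-manager module is presumably not imported, so its options are undeclared and a `lib.mkIf home` inside the attrset would still trip the undeclared-option check — is not stated anywhere. A one-line comment above the merge, e.g. `# merged with // rather than mkIf: home-manager options are undeclared when home = false`, would stop the next reader from folding it back into a single attrset. The enclosing attrset opens before the hunk and closes in the `@@ -34,5 +38,4 @@` hunk.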
@@ -13,8 +13,18 @@
 useNetworkd = true;
 };
 
- # Raspberry Pi 4 uses U-Boot / extlinux, not systemd-boot
- boot.useSystemdBoot = lib.mkForce false;
+ # Raspberry Pi 4 uses U-Boot / extlinux — disable both GRUB and systemd-boot
+ # TPM 2.0 HAT: systemd initrd required for tpm2-device auto-unlock
+ # After first install, enroll with:
+ # systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 --recovery-key /dev/mmcblk0p3
+ boot = {
+ useSystemdBoot = lib.mkForce false;
+ loader.grub.enable = lib.mkOverride 0 false;
+ initrd = {
+ systemd.enable = true;
+ luks.devices."cryptroot".crypttabExtraOpts = [ "tpm2-device=auto" ];
+ };
+ };
 
 sops = {
 defaultSopsFile = ./secrets.yaml;
diff --git a/systems/argiletum/disk.nix b/systems/argiletum/disk.nix
index b577721..50c0ea1 100644
--- a/systems/argiletum/disk.nix
+++ b/systems/argiletum/disk.nix
@@ -6,16 +6,13 @@
 type = "disk";
 device = "/dev/mmcblk0";
 content = {
- type = "table";
- format = "mbr";
- partitions = [
- {
- # Raspberry Pi firmware partition — must be vfat and first
- name = "firmware";
- type = "primary";
- start = "1MiB";
- end = "512MiB";
- bootable = true;
+ type = "gpt";
+ partitions = {
+ # Raspberry Pi firmware partition — must be vfat and first
+ firmware = {
+ size = "256MiB";
+ type = "EF00";
+ priority = 1;
 content = {
 type = "filesystem";
 format = "vfat";
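Review bot: The enrollment recipe in the new `boot` comment of systems/argiletum/configuration.nix binds the TPM policy to PCRs 0+7 with no PIN, but on a Pi 4 the U-Boot/extlinux chain only extends those PCRs if measured boot is actually configured, and `/boot` (kernels and initrds) sits on an unencrypted ext4 partition per the disk.nix hunk; if the PCRs stay at their reset value the policy proves only that the HAT is attached, and any initrd booted on that board gets `cryptroot` unlocked. Before relying on it, verify the PCRs are non-zero after boot (e.g. `tpm2_pcrread sha256:0,7`) or add `--tpm2-with-pin=yes` to the enroll command, and record the chosen threat model next to the recipe, e.g. `# NOTE: without measured boot in U-Boot, PCR 0+7 never change; TPM unlock then only protects the SD card when read outside this board.` Separately, `lib.mkOverride 0 false` on `loader.grub.enable` cannot be overridden by any later module; `lib.mkForce false` is the usual choice unless something else already forces it on. The surrounding attrset starts before the hunk.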
@@ -25,20 +22,33 @@
 "dmask=0077"
 ];
 };
- }
- {
- # Root filesystem
- name = "root";
- type = "primary";
- start = "512MiB";
- end = "100%";
+ };
+ # NixOS boot partition — holds kernels/initrds for each generation
+ boot = {
+ size = "1GiB";
+ priority = 2;
 content = {
 type = "filesystem";
 format = "ext4";
- mountpoint = "/";
+ mountpoint = "/boot";
 };
- }
- ];
+ };
+ # Root filesystem — LUKS-encrypted, unlocked via TPM 2.0 HAT
+ root = {
+ size = "100%";
+ priority = 3;
+ content = {
+ type = "luks";
+ name = "cryptroot";
+ settings.allowDiscards = true;
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ };
+ };
+ };
+ };
 };
 };
 };
diff --git a/systems/artemision/desktop.nix b/systems/artemision/desktop.nix
index 0892f5c..8c0f251 100644
--- a/systems/artemision/desktop.nix
+++ b/systems/artemision/desktop.nix
@@ -40,6 +40,9 @@
 dbus = {
 enable = true;
 implementation = "broker";
+ packages = with pkgs; [
+ gcr
+ ];
 };
 };
 
diff --git a/users/alice/non-server.nix b/users/alice/non-server.nix
index 992b6e0..4ebfbf7 100644
--- a/users/alice/non-server.nix
+++ b/users/alice/non-server.nix
@@ -207,6 +207,14 @@ in
 };
 };
 };
+ rbw = {
+ enable = true;
+ settings = {
+ lockTimeout = 300;
+ pinentry = pkgs.pinentry-gnome3;
+ email = "snowinginwonderland@gmail.com";
+ };
+ };
 };
 
 services.gnome-keyring.enable = true;
@@ -268,7 +276,7 @@ in nextcloud-client bitwarden-cli - bitwarden-menu + rofi-rbw-wayland wtype obsidian libreoffice-qt-fresh
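Review bot: `settings.allowDiscards = true;` on the new `root` LUKS partition in systems/argiletum/disk.nix passes TRIM through to the SD card, which lets anyone reading the raw device tell used blocks from free ones — cryptsetup documents this as a deliberate confidentiality trade-off. It is a reasonable choice for flash wear, but the comment should say so, e.g. `# allowDiscards: leaks the free-space layout through the encryption; accepted for SD-card wear`. Note also that the LUKS container declares no `passwordFile`/`keyFile`, so the disko format step will presumably prompt for a passphrase interactively, and that passphrase remains the fallback key slot after the TPM enrollment described in configuration.nix; the `# Root filesystem — LUKS-encrypted, unlocked via TPM 2.0 HAT` comment could mention that first boot still needs it. The `content` block opens before the hunk.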