feat: disable luks unlock timeout

- bump claude-code to v2.1.150

features/bootloader.nix

@@ -3,11 +3,23 @@
     {
       config,
       lib,
+      pkgs,
       inputs,
       ...
     }:
     let
       cfg = config.features.bootloader;
+      keyDir = "/etc/secrets/initrd";
+
+      mkIpString =
+        {
+          address,
+          gateway,
+          netmask,
+          interface,
+          ...
+        }:
+        "${address}::${gateway}:${netmask}::${interface}:none";
     in
     {
       imports = [ inputs.lanzaboote.nixosModules.lanzaboote ];
@@ -23,15 +35,92 @@
           default = "systemd-boot";
         };
 
-        plymouth.enable = lib.mkEnableOption "plymouth boot splash";
+        configurationLimit = lib.mkOption {
+          type = lib.types.int;
+          default = 10;
+        };
+
+        consoleFont = lib.mkOption {
+          type = lib.types.str;
+          default = "ter-v32n";
+        };
+
+        resumeDevice = lib.mkOption {
+          type = lib.types.nullOr lib.types.str;
+          default = null;
+        };
+
+        initrdSsh = {
+          enable = lib.mkEnableOption "remote LUKS unlock via ssh in initrd";
+
+          networkModule = lib.mkOption {
+            type = lib.types.str;
+          };
+
+          ip = {
+            enable = lib.mkEnableOption "static IP for initrd (otherwise DHCP)";
+
+            address = lib.mkOption {
+              type = lib.types.str;
+            };
+
+            gateway = lib.mkOption {
+              type = lib.types.str;
+            };
+
+            netmask = lib.mkOption {
+              type = lib.types.str;
+              default = "255.255.255.0";
+            };
+
+            interface = lib.mkOption {
+              type = lib.types.str;
+            };
+          };
+
+          authorizedKeys = lib.mkOption {
+            type = lib.types.listOf lib.types.str;
+            default = [ ];
+          };
+        };
       };
 
       config = lib.mkIf cfg.enable (
         lib.mkMerge [
           {
             boot.loader.efi.canTouchEfiVariables = true;
-            # request the largest framebuffer uefi offers; plymouth inherits it
+
-            boot.loader.systemd-boot.consoleMode = "max";
+            # lanzaboote inherits editor + configurationLimit from systemd-boot.*
+            boot.loader.systemd-boot = {
+              editor = false;
+              inherit (cfg) configurationLimit;
+            };
+
+            boot.initrd.systemd.enable = true;
+
+            # wait forever at the luks prompt instead of timing out the device
+            # job; applies whether the prompt is local or forwarded via initrd ssh
+            boot.initrd.systemd.settings.Manager.DefaultDeviceTimeoutSec = "infinity";
+
+            # block simpledrm so fbcon defers until the gpu driver binds; avoids
+            # the simpledrm -> real-driver fbcon transition that mangles console
+            # text and leaves the luks prompt typing offset from the visible
+            # surface. hosts must put the gpu driver in initrd (nixos-hardware
+            # does this for amd; manual hardware.amdgpu.initrd.enable on others)
+            boot.kernelParams = [ "initcall_blacklist=simpledrm_platform_driver_init" ];
+
+            # verbose boot: kernel messages and systemd unit lines visible end
+            # to end. trade-off: the luks prompt will be interleaved with the
+            # last few "Starting/Started ..." lines (no upstream fix exists
+            # without plymouth). boot.initrd.verbose is a no-op under
+            # systemd-initrd, so not set here.
+
+            # readable luks prompt at panel-native dpi
+            console = {
+              earlySetup = true;
+              font = cfg.consoleFont;
+              packages = [ pkgs.terminus_font ];
+            };
           }
 
           (lib.mkIf (cfg.mode == "systemd-boot") {
@@ -46,26 +135,39 @@
             };
           })
 
-          (lib.mkIf cfg.plymouth.enable {
+          (lib.mkIf (cfg.resumeDevice != null) {
-            # plymouth needs systemd-initrd to render the luks prompt cleanly
+            boot.resumeDevice = cfg.resumeDevice;
-            boot.initrd.systemd.enable = true;
+          })
 
-            # host is responsible for early-KMS so plymouth lands on the gpu driver,
+          (lib.mkIf cfg.initrdSsh.enable {
-            # not simpledrm (e.g. hardware.amdgpu.initrd.enable on amd hosts)
+            boot.initrd.availableKernelModules = [ cfg.initrdSsh.networkModule ];
-            boot.plymouth.enable = true;
-            stylix.targets.plymouth.logoAnimated = false;
 
-            boot.kernelParams = [
+            boot.kernelParams = lib.mkIf cfg.initrdSsh.ip.enable [
-              "quiet"
+              "ip=${mkIpString cfg.initrdSsh.ip}"
-              "splash"
-              "loglevel=3"
-              "rd.systemd.show_status=false"
-              "rd.udev.log_level=3"
-              "udev.log_priority=3"
-              "plymouth.force-scale=1"
             ];
-            boot.consoleLogLevel = 0;
+
-            boot.initrd.verbose = false;
+            boot.initrd.network = {
+              enable = true;
+              ssh = {
+                enable = true;
+                port = 22;
+                hostKeys = [
+                  "${keyDir}/ssh_host_rsa_key"
+                  "${keyDir}/ssh_host_ed25519_key"
+                ];
+                inherit (cfg.initrdSsh) authorizedKeys;
+              };
+            };
+
+            # forward LUKS password prompt to the ssh session (systemd-initrd idiom)
+            boot.initrd.systemd.users.root.shell = "/bin/systemd-tty-ask-password-agent";
+
+            boot.initrd.systemd.network.networks = lib.mkIf (!cfg.initrdSsh.ip.enable) {
+              "10-initrd" = {
+                matchConfig.Driver = cfg.initrdSsh.networkModule;
+                networkConfig.DHCP = "yes";
+              };
+            };
           })
         ]
       );

features/desktop.nix

@@ -105,11 +105,7 @@
           # bluetooth
           (lib.mkIf cfg.bluetooth.enable {
             hardware.bluetooth.enable = true;
-            services.blueman = {
+            services.blueman.enable = true;
-              enable = true;
-              # TEMP:(@janezicmatej) workaround for nixpkgs#514705, fix in nixpkgs#517250
-              withApplet = false;
-            };
           })
 
           # apps

features/initrd-ssh.nix

@@ -1,90 +0,0 @@
-{
-  nixos =
-    { lib, config, ... }:
-    let
-      cfg = config.features.initrd-ssh;
-      keyDir = "/etc/secrets/initrd";
-
-      mkIpString =
-        {
-          address,
-          gateway,
-          netmask,
-          interface,
-          ...
-        }:
-        "${address}::${gateway}:${netmask}::${interface}:none";
-    in
-    {
-      options.features.initrd-ssh = {
-        enable = lib.mkEnableOption "initrd ssh";
-
-        ip = {
-          enable = lib.mkEnableOption "static IP for initrd (otherwise DHCP)";
-
-          address = lib.mkOption {
-            type = lib.types.str;
-          };
-
-          gateway = lib.mkOption {
-            type = lib.types.str;
-          };
-
-          netmask = lib.mkOption {
-            type = lib.types.str;
-            default = "255.255.255.0";
-          };
-
-          interface = lib.mkOption {
-            type = lib.types.str;
-          };
-        };
-
-        authorizedKeys = lib.mkOption {
-          type = lib.types.listOf lib.types.str;
-          default = [ ];
-        };
-
-        networkModule = lib.mkOption {
-          type = lib.types.str;
-        };
-      };
-
-      config = lib.mkIf cfg.enable {
-        boot.initrd.availableKernelModules = [ cfg.networkModule ];
-        boot.initrd.kernelModules = [ cfg.networkModule ];
-        boot.kernelParams = lib.mkIf cfg.ip.enable [
-          "ip=${mkIpString cfg.ip}"
-        ];
-
-        boot.initrd.systemd.enable = true;
-
-        # remote unlock may take a while; don't let device units give up
-        boot.initrd.systemd.settings.Manager.DefaultDeviceTimeoutSec = "infinity";
-
-        boot.initrd.network = {
-          enable = true;
-          ssh = {
-            enable = true;
-            port = 22;
-            hostKeys = [
-              "${keyDir}/ssh_host_rsa_key"
-              "${keyDir}/ssh_host_ed25519_key"
-            ];
-            inherit (cfg) authorizedKeys;
-          };
-        };
-
-        # systemd-networkd retries DHCP indefinitely, unlike udhcpc
-        boot.initrd.systemd.network.networks = lib.mkIf (!cfg.ip.enable) {
-          "10-initrd" = {
-            matchConfig.Driver = cfg.networkModule;
-            networkConfig.DHCP = "yes";
-          };
-        };
-
-        # forward LUKS password prompt to the SSH session
-        boot.initrd.systemd.users.root.shell = "/bin/systemd-tty-ask-password-agent";
-      };
-    };
-}

features/power.nix

@@ -8,11 +8,6 @@
       options.features.power = {
         enable = lib.mkEnableOption "laptop power management";
 
-        resumeDevice = lib.mkOption {
-          type = lib.types.nullOr lib.types.str;
-          default = null;
-        };
-
         lidSwitch = lib.mkOption {
           type = lib.types.str;
           default = "suspend-then-hibernate";
@@ -40,8 +35,6 @@
       };
 
       config = lib.mkIf cfg.enable {
-        boot.resumeDevice = lib.mkIf (cfg.resumeDevice != null) cfg.resumeDevice;
-
         services.logind.settings.Login = {
           HandleLidSwitch = cfg.lidSwitch;
           HandlePowerKey = cfg.powerKey;

flake.lock

@@ -106,11 +106,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1777713215,
+        "lastModified": 1779699611,
-        "narHash": "sha256-8GzXDOXckDWwST8TY5DbwYFjdvQLlP7K9CLSVx6iTTo=",
+        "narHash": "sha256-EcCaSTKnmg2o4wLKaN1aqQFomwyhO7ik0bX9COdyCas=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "63b4e7e6cf75307c1d26ac3762b886b5b0247267",
+        "rev": "5ba0c9555c28685e57fa54c7a25e42c7efdbfc8d",
         "type": "github"
       },
       "original": {
@@ -156,11 +156,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1777988971,
+        "lastModified": 1778716662,
-        "narHash": "sha256-qIoWPDs+0/8JecyYgE3gpKQxW/4bLW/gp45vow9ioCQ=",
+        "narHash": "sha256-m1Yf0wZ8j1OHjTc2UwHwyQRSnNeSgLJOd7q5Y45hzi4=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "0678d8986be1661af6bb555f3489f2fdfc31f6ff",
+        "rev": "f7c1a2d347e4c52d5fb8d10cb4d94b5884e546fb",
         "type": "github"
       },
       "original": {
@@ -177,11 +177,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1777988971,
+        "lastModified": 1778716662,
-        "narHash": "sha256-qIoWPDs+0/8JecyYgE3gpKQxW/4bLW/gp45vow9ioCQ=",
+        "narHash": "sha256-m1Yf0wZ8j1OHjTc2UwHwyQRSnNeSgLJOd7q5Y45hzi4=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "0678d8986be1661af6bb555f3489f2fdfc31f6ff",
+        "rev": "f7c1a2d347e4c52d5fb8d10cb4d94b5884e546fb",
         "type": "github"
       },
       "original": {
@@ -273,11 +273,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1778248595,
+        "lastModified": 1779726696,
-        "narHash": "sha256-dhFgEjoeJMYN/7OY6xfxS799YB4IjbbYXTjyGIJyLpc=",
+        "narHash": "sha256-/p37CB5n6Wpw250b0Lq0CYwNq2D8uGKzDoBulyLcQqA=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "fdb2ccba9d5e1238d32e0c4a3ec1a277efa80c1d",
+        "rev": "1a95e2efb477959b70b4a14c51035975c0481df6",
         "type": "github"
       },
       "original": {
@@ -317,11 +317,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1778285091,
+        "lastModified": 1779753859,
-        "narHash": "sha256-4YwkGkjvLD0EB7rQGCRA9J/zgwrnTL20dJd7Wmnicj0=",
+        "narHash": "sha256-Gas7USOemLElUJmNgaaM2ysFT8rJdgiEcCbmizNanFs=",
         "owner": "nix-community",
         "repo": "neovim-nightly-overlay",
-        "rev": "cca2a2d1c03f763fdcd7066791363d792313c641",
+        "rev": "857c4b359c105ad56822e64fd35f9bf9f7947d70",
         "type": "github"
       },
       "original": {
@@ -333,11 +333,11 @@
     "neovim-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1778266020,
+        "lastModified": 1779753612,
-        "narHash": "sha256-qoydKalrn/QGsGYVRicz0Hzb7bfGmV7Z9CnVONXN/Lc=",
+        "narHash": "sha256-AQtTDiUZ5VdcHEqGgBldJH0a6AJBF8ZjcmpB65x93t0=",
         "owner": "neovim",
         "repo": "neovim",
-        "rev": "b7d8a41d91dcfebe9a5f3d0cf2f0bb0b8d59e32e",
+        "rev": "86b2751cada65c6b1bc28e2fa7fb4e832b540542",
         "type": "github"
       },
       "original": {
@@ -348,11 +348,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1778143761,
+        "lastModified": 1779258371,
-        "narHash": "sha256-lkesY6x2X2qxlqLM7CT2iM/0rP2JB7fruPN3h8POXmI=",
+        "narHash": "sha256-j1iZsLy6oFApqR1oiDmHhvkwxXqcNi0aoSJj643LuwU=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "3bcaa367d4c550d687a17ac792fd5cda214ee871",
+        "rev": "c97bc4d15bd3473dd095e8e8ba57330ab1943a77",
         "type": "github"
       },
       "original": {
@@ -364,11 +364,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1778124196,
+        "lastModified": 1779694939,
-        "narHash": "sha256-pYEytCNic/czazbV9r3tbQ6BZzqRBg/41x2dIC5ymOo=",
+        "narHash": "sha256-Ly4j75O8ICaSQx3uxPnwk2x7PMF0XQvn5r0c3yBA7FI=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "68a8af93ff4297686cb68880845e61e5e2e41d92",
+        "rev": "f9d8b65950353691ab56561e7c73d2e1063d810b",
         "type": "github"
       },
       "original": {
@@ -395,11 +395,11 @@
     },
     "nixpkgs-master": {
       "locked": {
-        "lastModified": 1778360830,
+        "lastModified": 1779822296,
-        "narHash": "sha256-tD44tgf123UcERx3cC91rwefFmGmlTd2M1QdL6d5iLc=",
+        "narHash": "sha256-ADNQLZ1hWlmMGTWiNXGpBB+D/gxffzXoi8EuQuXBMyU=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "82cbc979e10cf2b893566a0f259daf5e1f26c887",
+        "rev": "c941bbb954ab629631f1850c7411a18aeca17693",
         "type": "github"
       },
       "original": {
@@ -411,11 +411,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1778003029,
+        "lastModified": 1779467186,
-        "narHash": "sha256-q/nkKLDtHIyLjZpKhWk3cSK5IYsFqtMd6UtXF3ddjgA=",
+        "narHash": "sha256-nOesoDCiXcUftqbRBMz9tt4blI5PvljMWbm3kuCA+0s=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "0c88e1f2bdb93d5999019e99cb0e61e1fe2af4c5",
+        "rev": "b77b3de8775677f84492abe84635f87b0e153f0f",
         "type": "github"
       },
       "original": {
@@ -427,11 +427,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1777954456,
+        "lastModified": 1779560665,
-        "narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=",
+        "narHash": "sha256-tpyBcxPpcQb8ukyNF7DoCwfSY3VPsxHoYwj00Cayv5o=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "549bd84d6279f9852cae6225e372cc67fb91a4c1",
+        "rev": "64c08a7ca051951c8eae34e3e3cb1e202fe36786",
         "type": "github"
       },
       "original": {
@@ -583,11 +583,11 @@
         "tinted-zed": "tinted-zed"
       },
       "locked": {
-        "lastModified": 1778104276,
+        "lastModified": 1779768303,
-        "narHash": "sha256-/DSSnU0LLmOTG/OCgGwYpxP6+5YvxRx2g/GhI4x6aCU=",
+        "narHash": "sha256-glV4wcBH6fWub101jWj3c577T5Af8jOg6CdZPKKi4N8=",
         "owner": "danth",
         "repo": "stylix",
-        "rev": "18ed8d270231e067fe2739998479ed5d7c659c2c",
+        "rev": "8fbb6e8561ee72b57916c4ffd0e173fa42070dc2",
         "type": "github"
       },
       "original": {

flake/hosts.nix

@@ -55,7 +55,6 @@ in
         "git"
         "gnupg"
         "harmonia"
-        "initrd-ssh"
         "localisation"
         "neovim"
         "networkmanager"

hosts/fw16/configuration.nix

@@ -10,16 +10,13 @@
     inputs.nixos-hardware.nixosModules.framework-16-amd-ai-300-series
   ];
 
-  features.bootloader.plymouth.enable = true;
+  features.bootloader.resumeDevice = "/dev/mapper/vg0-swap";
   features.desktop.bluetooth.enable = true;
   features.gnupg.yubikey.enable = true;
   features.udev = {
     ledger.enable = true;
     keyboard-zsa.enable = true;
   };
-  features.power.resumeDevice = "/dev/disk/by-uuid/ff4750e7-3a9f-42c2-bb68-c458a6560540";
-
-  boot.kernelParams = [ "pcie_aspm.policy=powersupersave" ];
 
   programs.nix-ld.libraries = options.programs.nix-ld.libraries.default;
 

hosts/fw16/hardware-configuration.nix

@@ -37,10 +37,7 @@
   fileSystems."/boot" = {
     device = "/dev/disk/by-uuid/42D9-FAFD";
     fsType = "vfat";
-    options = [
+    options = [ "umask=0077" ];
-      "fmask=0022"
-      "dmask=0022"
-    ];
   };
 
   swapDevices = [

hosts/tower/configuration.nix

@@ -8,7 +8,11 @@
   features.nix-settings.towerCache.enable = false;
   features.bootloader = {
     mode = "lanzaboote";
-    plymouth.enable = true;
+    initrdSsh = {
+      enable = true;
+      networkModule = "r8169";
+      authorizedKeys = userKeys.sshAuthorizedKeys;
+    };
   };
   features.desktop.bluetooth.enable = true;
   features.gnupg.yubikey.enable = true;
@@ -16,17 +20,14 @@
     ledger.enable = true;
     keyboard-zsa.enable = true;
   };
-  features.initrd-ssh = {
-    networkModule = "r8169";
-    authorizedKeys = userKeys.sshAuthorizedKeys;
-  };
 
   # nix store signing
   sops.secrets.nix-signing-key.sopsFile = ../../secrets/tower.yaml;
   nix.settings.secret-key-files = [ config.sops.secrets.nix-signing-key.path ];
 
   boot.kernelParams = [ "btusb.reset=1" ];
-  # early kms so plymouth lands on amdgpu, not simpledrm
+  # pairs with bootloader's simpledrm initcall blacklist: amdgpu owns fbcon
+  # from the start, no driver-swap mode-set
   hardware.amdgpu.initrd.enable = true;
 
   services.udisks2.enable = true;

lib/mkHost.nix

@@ -98,6 +98,14 @@ nixpkgs.lib.nixosSystem {
       ];
     }
 
+    # cap unit stop timeout so a single misbehaving app (electron, etc) can't
+    # block poweroff for the full 90s default. user-scope cap is required for
+    # session-N.scope to honor it. see discourse/49711
+    {
+      systemd.settings.Manager.DefaultTimeoutStopSec = "10s";
+      systemd.user.extraConfig = "DefaultTimeoutStopSec=10s";
+    }
+
     featureEnableModule
     hostConfig
   ]

packages/claude-code/package.nix

@@ -2,7 +2,7 @@
 
 let
   inherit (pkgs) stdenv lib;
-  version = "2.1.138";
+  version = "2.1.150";
 
   # upstream ships platform-native binaries as separate npm packages under
   # @anthropic-ai/claude-code-<platform>; the wrapper package is just a
@@ -10,19 +10,19 @@ let
   sources = {
     "x86_64-linux" = {
       slug = "linux-x64";
-      hash = "sha256-MGYEPPO4O84Egb5Ym/9f56l+TzPqogpSabosvHTIJZg=";
+      hash = "sha256-vS6qYp/0AkvrJ0OeLWHkSjlKFtSMfNICAqFZy7OFn1I=";
     };
     "aarch64-linux" = {
       slug = "linux-arm64";
-      hash = "sha256-LWBtOAjPDFtLP93TNrsd8bPHJd7VKK6J90CRxUp1/XQ=";
+      hash = "sha256-QJI1zxZDPpiIck77zF6X3LZ4U/KVLhkCq1cqShv+Gmc=";
     };
     "x86_64-darwin" = {
       slug = "darwin-x64";
-      hash = "sha256-tkupKzb+XAPmdCRNoT90cfVLKUar3FCTRgufiMVuVPc=";
+      hash = "sha256-poYlXoPJFqHpWOCaTG+FJaXNz9/qrRz6tBqZMKGnoZg=";
     };
     "aarch64-darwin" = {
       slug = "darwin-arm64";
-      hash = "sha256-jmB4t11BI1LKanuuXRJv5IBe8a9gSrFvTMP3KarsioU=";
+      hash = "sha256-3PZQEuHmWp8VHx6cf0KoBxm8R/GztbHtnZJkb4bAveA=";
     };
   };