unl0kr: ensure it runs on the same tty the session was initialized on

hosts/common/programs/unl0kr/default.nix

@@ -73,6 +73,10 @@ in
             ${lib.getExe' pkgs.inotify-tools "inotifywait"} --timeout 4 --event create --event delete /mnt/persist/private /run/gocryptfs
           else
             echo "starting unl0kr"
+            # switch back to the tty our session is running on (in case the user tabbed away after logging in),
+            # as only that TTY is sure to have echo disabled.
+            # this is racy, but when we race it's obvious from the UI that your password is being echo'd
+            ${lib.getExe' pkgs.kbd "chvt"} ${builtins.toString cfg.config.vt}
             unl0kr > /run/gocryptfs/private.key.incoming &&
               cp /run/gocryptfs/private.key.incoming /run/gocryptfs/private.key
             echo "unl0kr exited"