From ae48df3ebb08c524af1af76e5c5ec54ce217a68d Mon Sep 17 00:00:00 2001
From: rnhmjoj
Date: Sun, 4 Feb 2024 15:59:03 +0100
Subject: [PATCH 1/2] nixos/getty: add option to autologin once per boot
---
 nixos/modules/services/ttys/getty.nix | 32 +++++++++++++++++++++++----
 1 file changed, 28 insertions(+), 4 deletions(-)
diff --git a/nixos/modules/services/ttys/getty.nix b/nixos/modules/services/ttys/getty.nix
index 22ae9c27e5bc..3578f4ba8773 100644
--- a/nixos/modules/services/ttys/getty.nix
+++ b/nixos/modules/services/ttys/getty.nix
@@ -7,14 +7,26 @@ let
 baseArgs = [
 "--login-program" "${cfg.loginProgram}"
- ] ++ optionals (cfg.autologinUser != null) [
+ ] ++ optionals (cfg.autologinUser != null && !cfg.autologinOnce) [
 "--autologin" cfg.autologinUser
 ] ++ optionals (cfg.loginOptions != null) [
 "--login-options" cfg.loginOptions
 ] ++ cfg.extraArgs;
 gettyCmd = args:
- "@${pkgs.util-linux}/sbin/agetty agetty ${escapeShellArgs baseArgs} ${args}";
+ "${pkgs.util-linux}/sbin/agetty ${escapeShellArgs baseArgs} ${args}";
+
+ autologinScript = ''
+ otherArgs="--noclear --keep-baud $TTY 115200,38400,9600 $TERM";
+ ${lib.optionalString cfg.autologinOnce ''
+ autologged="/run/agetty.autologged"
+ if test "$TTY" = tty1 && ! test -f "$autologged"; then
+ touch "$autologged"
+ exec ${gettyCmd "$otherArgs --autologin ${cfg.autologinUser}"}
+ fi
+ ''}
+ exec ${gettyCmd "$otherArgs"}
+ '';
 in
@@ -40,6 +52,16 @@ in
 '';
 };
+ autologinOnce = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ If enabled the automatic login will only happen in the first tty
+ once per boot. This can be useful to avoid retyping the account
+ password on systems with full disk encrypted.
+ '';
+ };
+
 loginProgram = mkOption {
 type = types.path;
 default = "${pkgs.shadow}/bin/login";
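Review bot: The once-per-boot branch of `autologinScript` (first getty.nix hunk) fails open, because the result of `touch "$autologged"` is never checked: if the marker cannot be created, the script still execs agetty with `--autologin`, and each respawn on tty1 would log in again without a password. Folding the marker creation into the condition keeps the behaviour once-only, e.g. `if test "$TTY" = tty1 && ! test -f "$autologged" && touch "$autologged"; then`. The user name is also spliced in as raw `${cfg.autologinUser}` while the other arguments go through `escapeShellArgs`; `${escapeShellArg cfg.autologinUser}` would keep the quoting consistent.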
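Review bot: Nothing in the `autologinOnce` option hunk ties the new option to `autologinUser`, so with `autologinOnce = true` and `autologinUser` left at null the `${cfg.autologinUser}` interpolation in `autologinScript` would, as far as I can tell, abort evaluation with a coercion error instead of a readable message. Either guard the script with `lib.optionalString (cfg.autologinOnce && cfg.autologinUser != null)` or add a module assertion, and state in the description that the option only has an effect when `autologinUser` is set. The description should also spell out the trade-off: whoever is at the console for the first tty1 login after boot gets that user's session without a password. Wording nit: `full disk encrypted` should read `full disk encryption`.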
@@ -106,9 +128,11 @@ in
 systemd.services."getty@" = {
 serviceConfig.ExecStart = [
- "" # override upstream default with an empty ExecStart
- (gettyCmd "--noclear --keep-baud %I 115200,38400,9600 $TERM")
+ # override upstream default with an empty ExecStart
+ ""
+ (pkgs.writers.writeDash "getty" autologinScript)
 ];
+ environment.TTY = "%I";
 restartIfChanged = false;
 };
From 3577aef3543bd49a4f7b9ab62543f0191ac90b6a Mon Sep 17 00:00:00 2001
From: rnhmjoj
Date: Tue, 9 Apr 2024 08:35:59 +0200
Subject: [PATCH 2/2] doc/release-notes: mention getty.autologinOnce
---
 nixos/doc/manual/release-notes/rl-2405.section.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md
index 06c3e1949b70..187b29b7ede0 100644
--- a/nixos/doc/manual/release-notes/rl-2405.section.md
+++ b/nixos/doc/manual/release-notes/rl-2405.section.md
@@ -275,6 +275,9 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 existing process, but will need to start that process from gdb (so it is a child).
 Or you can set `boot.kernel.sysctl."kernel.yama.ptrace_scope"` to 0.
+ - The new option `services.getty.autologinOnce` was added to limit the automatic login to once per boot and on the first tty only.
+ When using full disk encryption, this option allows to unlock the system without retyping the passphrase while keeping the other ttys protected.
+
 - The netbird module now allows running multiple tunnels in parallel through [`services.netbird.tunnels`](#opt-services.netbird.tunnels).
 - [Nginx virtual hosts](#opt-services.nginx.virtualHosts) using `forceSSL` or
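Review bot: In the `getty@` unit hunk of getty.nix, `environment.TTY = "%I"` hands the unescaped instance name to the dash wrapper, where it is expanded inside `$otherArgs` and then word-split by the shell; the removed ExecStart line let systemd substitute `%I` with no shell in between. Instance names normally come from logind or the administrator, so this is hardening rather than a live bug. Passing the tty as its own quoted word (`"$TTY"`) instead of through the `otherArgs` string would stop an unusual instance name from turning into extra agetty options. A short comment above the assignment, e.g. `# read by autologinScript: tty name and the tty1 check`, would also help, since the script is defined far from this unit.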