diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 7cabe43..9a7fd94 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -24,10 +24,17 @@ jobs:
     - name: build
       run: NIXPKGS_ALLOW_UNFREE=1 nix build --impure
 
+    - name: set up test secret
+      run: |
+        mv ./tests/test-secret ./tests/test-secret.bak
+        echo -n "${{ secrets.NABALU_ENROLL_SECRET }}" | tee ./tests/test-secret
+
     - name: check flake (runs tests)
       run: NIXPKGS_ALLOW_UNFREE=1 nix flake check --impure --log-format internal-json
       timeout-minutes: 15
-    
+      env:
+        CI: "true"
+
     - name: get test derivation path
       id: test-derivation
       if: always()
@@ -40,7 +47,7 @@ jobs:
       if: always()
       with:
         name: test-screenshot
-        path: ${{ steps.test-derivation.outputs.drvpath }}/test.png
+        path: ${{ steps.test-derivation.outputs.drvpath }}/test-*.png
         retention-days: 1
 
     - name: show flake output attributes
@@ -54,3 +61,7 @@ jobs:
 
     - name: osqueryd version
       run: ./result/bin/osqueryd --version
+
+    - name: clean up after tests
+      if: always()
+      run: mv ./tests/test-secret.bak ./tests/test-secret
diff --git a/README.md b/README.md
index 31e8f4b..f73e671 100644
--- a/README.md
+++ b/README.md
@@ -80,4 +80,4 @@ Then start the `kolide-launcher.service` service.
 
 [NixOS tests](https://nixos.org/manual/nixos/stable/index.html#sec-nixos-tests)
 live in the [./tests](./tests) directory and are included via flake checks.
-They are able to be run via the `nix flake check` command.
+They are currently intended to run in CI only.
diff --git a/tests/kolide-launcher.nix b/tests/kolide-launcher.nix
index 044d7ea..602e611 100644
--- a/tests/kolide-launcher.nix
+++ b/tests/kolide-launcher.nix
@@ -25,13 +25,36 @@ pkgs.nixosTest {
 
     services.xserver.enable = true;
     services.xserver.displayManager = {
-      lightdm.enable = true;
+      gdm = {
+        enable = true;
+        debug = true;
+        wayland = true;
+      };
       autoLogin = {
         enable = true;
         user = "alice";
       };
     };
-    services.xserver.desktopManager.mate.enable = true;
+    services.xserver.desktopManager.gnome.enable = true;
+    services.xserver.desktopManager.gnome.debug = true;
+
+    systemd.user.services = {
+      "org.gnome.Shell@wayland" = {
+        serviceConfig = {
+          ExecStart = [
+            # Clear the list before overriding it.
+            ""
+            # Eval API is now internal so Shell needs to run in unsafe mode.
+            "${pkgs.gnome.gnome-shell}/bin/gnome-shell --unsafe-mode"
+          ];
+        };
+      };
+    };
+
+    # Make gnome extensions available
+    #environment.systemPackages = lib.filter (e: e ? extensionUuid) (lib.attrValues pkgs.gnomeExtensions);
+    #nixpkgs.config.allowBroken = true;
+    #nixpkgs.config.allowAliases = false;
 
     # This just quiets some log spam we don't care about
     hardware.pulseaudio.enable = true;
@@ -40,40 +63,65 @@ pkgs.nixosTest {
     system.stateVersion = "23.05";
   };
 
+  enableOCR = true;
+
   testScript = { nodes, ... }:
     let
       user = nodes.machine.users.users.alice;
+      uid = toString user.uid;
+      bus = "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/${uid}/bus";
+      gdbus = "${bus} gdbus";
+      su = command: "su - ${user.name} -c '${command}'";
+      eval = "call --session -d org.gnome.Shell -o /org/gnome/Shell -m org.gnome.Shell.Eval";
+      startingUp = su "${gdbus} ${eval} Main.layoutManager._startingUp";
+      launchConsole = su "${bus} gapplication launch org.gnome.Console";
+      wmClass = su "${gdbus} ${eval} global.display.focus_window.wm_class";
     in
     ''
       machine.start()
 
-      # TODO: currently launcher will shut itself down if its secret file doesn't exist,
-      # so we don't get all the way through setup and launcher doesn't stay running.
-      # In the future, we'll want to validate setup and that the service is running.
+      with subtest("gnome login"):
+        machine.wait_for_unit("display-manager.service")
+        # machine.wait_for_file("/run/user/${uid}/wayland-0")
+        # machine.wait_for_unit("default.target", "${user.name}")
+        machine.screenshot("test-screen2.png")
 
-      with subtest("kolide-launcher service starts"):
-        machine.wait_for_unit("kolide-launcher.service")
-        machine.sleep(10)
-        machine.systemctl("stop kolide-launcher.service")
+      with subtest("gnome shell"):
+        machine.wait_until_succeeds("${startingUp} | grep -q 'true,..false'")
+        machine.screenshot("test-screen3.png")
+
+      with subtest("open gnome console"):
+        machine.send_key("esc")
+        machine.succeed("${launchConsole}")
+        machine.wait_until_succeeds("${wmClass} | grep -q 'true,...org.gnome.Console'")
+        machine.sleep(20)
+        machine.screenshot("test-screen4.png")
+
+      with subtest("enable appindicator extension"):
+        machine.succeed("${su "gnome-extensions enable appindicatorsupport@rgcjonas.gmail.com"}")
+        machine.screenshot("test-screen5.png")
+
+      with subtest("set up secret file"):
+        machine.copy_from_host("${./test-secret}", "/etc/kolide-k2/secret")
 
-      with subtest("launcher set up correctly"):
+      with subtest("launcher service runs and is set up correctly"):
+        machine.systemctl("stop kolide-launcher.service")
+        machine.systemctl("start kolide-launcher.service")
+        machine.wait_for_unit("kolide-launcher.service")
         machine.wait_for_file("/var/kolide-k2/k2device.kolide.com/debug.json")
+        machine.sleep(60)
+        machine.screenshot("test-screen7.png")
+        machine.wait_until_succeeds("pgrep osqueryd")
 
-      with subtest("get a screenshot"):
-        machine.wait_for_unit("display-manager.service")
+      with subtest("launcher desktop runs"):
+        machine.wait_for_file("/var/kolide-k2/k2device.kolide.com/kolide.png")
+        machine.wait_for_file("/var/kolide-k2/k2device.kolide.com/menu.json")
+        machine.screenshot("test-screen8.png")
 
-        machine.wait_for_file("${user.home}/.Xauthority")
-        machine.succeed("xauth merge ${user.home}/.Xauthority")
+        # print(machine.get_screen_text())
 
-        machine.wait_until_succeeds("pgrep marco")
-        machine.wait_for_window("marco")
-        machine.wait_until_succeeds("pgrep mate-panel")
-        machine.wait_for_window("Top Panel")
-        machine.wait_for_window("Bottom Panel")
-        machine.wait_until_succeeds("pgrep caja")
-        machine.wait_for_window("Caja")
-        machine.sleep(20)
-        machine.screenshot("test.png")
+        # machine.wait_until_succeeds("pgrep -U ${uid} launcher")
+        # machine.screenshot("test-screen9.png")
 
       machine.shutdown()
     '';
diff --git a/tests/test-secret b/tests/test-secret
new file mode 100644
index 0000000..3263943
--- /dev/null
+++ b/tests/test-secret
@@ -0,0 +1 @@
+test-secret
\ No newline at end of file