{ config, lib, pkgs, ... }:
let
  cfg = config.sane.programs.gnome-keyring;
  # systemd unit that runs the daemon; the keyring files below are ordered before it.
  unitName = "gnome-keyring.service";
in
{
  sane.programs.gnome-keyring = {
    packageUnwrapped = pkgs.rmDbusServices pkgs.gnome.gnome-keyring;

    sandbox = {
      method = "bwrap";
      whitelistDbus = [ "user" ];
      extraRuntimePaths = [
        # strictly only keyring/control is needed, but the daemon has to *create* it,
        # so the parent directory is exposed instead.
        "keyring"
        # "keyring/control"
      ];
      capabilities = [
        # ipc_lock: lets the daemon `mlock` its secrets so they are never swapped out to disk.
        # optional; systemd likely does not propagate it anyway.
        "ipc_lock"
      ];
    };

    persist.byStore = {
      private = [
        # N.B.: BE CAREFUL WITH THIS.
        # gnome-keyring-daemon turns symlinks into directories: when it detects that
        # `~/.local/share/keyrings` is a symlink it WILL `unlink` it and recreate it as an empty directory.
        # a symlink only survives here because gkd is sandboxed, with ~/.local/share/keyrings
        # as an explicit mountpoint rather than a symlink.
        # remove the sandbox, and this breaks.
        ".local/share/keyrings"
      ];
    };

    fs = {
      ".local/share/keyrings/default" = {
        file.text = "Default_keyring.keyring"; #< no trailing newline
        # wantedBy = [ config.sane.fs."${config.sane.persist.stores.private.origin}".unit ];
        wantedBeforeBy = [ #< don't create this as part of `multi-user.target`
          unitName # TODO: sane.programs should declare this dependency for us
        ];
      };

      # N.B.: certain keyring names have special significance.
      # `login.keyring` is forcibly encrypted to the user's password, so that pam gnome-keyring can unlock it on login.
      # - it does this re-encryption forcibly, any time it wants to write to the keyring.
      ".local/share/keyrings/Default_keyring.keyring" = {
        # Text-format keyring with no password configured and both auto-lock settings disabled.
        # NOTE(review): a keyring declared this way appears to be stored without a password, i.e. its
        # items rest on the private store's and the sandbox's protection alone — confirm that is the
        # intended trade-off for this host.
        file.text = ''
          [keyring]
          display-name=Default keyring
          lock-on-idle=false
          lock-after=false
        '';
        # wantedBy = [ config.sane.fs."${config.sane.persist.stores.private.origin}".unit ];
        wantedBeforeBy = [ #< don't create this as part of `multi-user.target`
          unitName
        ];
      };
    };

    services.gnome-keyring = {
      description = "gnome-keyring-daemon: secret provider";
      after = [ "graphical-session.target" ];
      wantedBy = [ "graphical-session.target" ];
      serviceConfig = {
        Type = "simple";
        # %t is systemd's runtime directory; the keyring dir is created 0700 so that only the
        # owning user can reach what the daemon places under it (cf. extraRuntimePaths above).
        ExecStartPre = "${pkgs.coreutils}/bin/mkdir -m 0700 -p %t/keyring";
        # only the secrets component is started; ssh/pkcs11 are not exposed by this unit.
        ExecStart = "${cfg.package}/bin/gnome-keyring-daemon --start --foreground --components=secrets";
        Restart = "always";
        RestartSec = "20s";
      };
    };
  };
}