{ config, lib, pkgs, ... }:
let
  init-keyring = pkgs.static-nix-shell.mkBash {
    pname = "init-keyring";
    src = ./.;
  };
in
{
  sane.programs.gnome-keyring = {
    packageUnwrapped = pkgs.gnome.gnome-keyring;

    persist.byStore.private = [
      ".local/share/keyrings"
    ];

    fs.".local/share/keyrings/default" = {
      generated.command = [ "${init-keyring}/bin/init-keyring" ];
      # wantedBy = [ config.sane.fs."/home/colin/private".unit ];
      wantedBeforeBy = [ ];  # don't created this as part of `multi-user.target`
    };
  };

  # adds gnome-keyring as a xdg-data-portal (xdg.portal)
  # TODO: the gnome-keyring which this puts on PATH isn't sandboxed!
  #   nixos service doesn't even let it be pluggable
  services.gnome.gnome-keyring = lib.mkIf config.sane.programs.gnome-keyring.enabled {
    enable = true;
  };
}