# gnome-keyring: run gnome-keyring-daemon as the graphical session's secret
# provider, seed a default keyring, and install a capability wrapper for the
# daemon binary.
{ config, lib, pkgs, ... }:
let
  cfg = config.sane.programs.gnome-keyring;

  # Unit associated with the origin path of the `private` persist store.
  # Both seeded keyring files are hooked onto it rather than onto the normal
  # boot targets.
  # NOTE(review): presumably this unit only becomes active once the private
  # store has been unlocked/mounted -- confirm against the sane.persist module.
  privateStoreUnit = config.sane.fs."${config.sane.persist.stores.private.origin}".unit;
in
{
  sane.programs.gnome-keyring = {
    # NOTE(review): `rmDbusServices` is a project helper; presumably it strips
    # the package's D-Bus activation files so the daemon is only ever started
    # by the service defined below (i.e. through the wrapper) -- confirm.
    packageUnwrapped = pkgs.rmDbusServices pkgs.gnome.gnome-keyring;

    # The keyring directory lives in the `private` store.
    # NOTE(review): the keyring seeded below has no lock settings enabled, so
    # confidentiality of stored secrets at rest depends on how this store is
    # protected -- confirm it is the encrypted one.
    persist.byStore.private = [ ".local/share/keyrings" ];

    fs = {
      # Seed keyring that never locks itself (`lock-on-idle` and `lock-after`
      # are both false).
      # NOTE(review): this looks like gnome-keyring's text keyring format,
      # which is not protected by a keyring password -- confirm.
      ".local/share/keyrings/Default_keyring.keyring" = {
        file.text = ''
          [keyring]
          display-name=Default keyring
          lock-on-idle=false
          lock-after=false
        '';
        wantedBy = [ privateStoreUnit ];
        # TODO: move gnome-keyring.service under our control and then i can
        # ensure ordering here.
        wantedBeforeBy = [ ];  # don't create this as part of `multi-user.target`
      };

      # Pointer file whose content is the file name of the keyring above.
      ".local/share/keyrings/default" = {
        file.text = "Default_keyring.keyring";  #< no trailing newline
        wantedBy = [ privateStoreUnit ];
        # TODO: move gnome-keyring.service under our control and then i can
        # ensure ordering here.
        wantedBeforeBy = [ ];  # don't create this as part of `multi-user.target`
      };
    };

    services = {
      gnome-keyring = {
        description = "gnome-keyring-daemon: secret provider";
        wantedBy = [ "graphical-session.target" ];
        after = [ "graphical-session.target" ];
        serviceConfig = {
          Type = "simple";
          # Start the setcap wrapper, not the store path: the file capability
          # is only present on the wrapper declared under `security.wrappers`.
          # Only the `secrets` component is enabled.
          ExecStart = "/run/wrappers/bin/gnome-keyring-daemon --start --foreground --components=secrets";
          Restart = "always";
          RestartSec = "20s";
        };
      };
    };
  };

  # Wrapper carrying a single file capability, installed only while the
  # program is enabled. CAP_IPC_LOCK permits locking memory (mlock), which
  # keeps pages holding secrets from being written to swap. The wrapper is
  # root-owned and carries no other capability.
  security.wrappers.gnome-keyring-daemon = lib.mkIf cfg.enabled {
    source = "${cfg.package}/bin/gnome-keyring-daemon";
    capabilities = "cap_ipc_lock=ep";
    owner = "root";
    group = "root";
  };
}