{ config, lib, pkgs, ... }:
{
  sane.programs.gnome-keyring = {
    packageUnwrapped = pkgs.gnome.gnome-keyring;

    persist.byStore.private = [
      ".local/share/keyrings"
    ];

    # TODO: factor into a native sane.fs primitive (i.e. fs.$entry.text = ... with some "no-clobber" option)
    fs.".local/share/keyrings/Default_keyring.keyring" = {
      generated.command = [
        "cp --no-clobber ${./Default_keyring.keyring} /home/colin/.local/share/keyrings/Default_keyring.keyring"
      ];
      wantedBy = [ config.sane.fs."${config.sane.persist.stores.private.origin}".unit ];
      # TODO: move gnome-keyring.service under our control and then i can
      #       ensure ordering here.
      wantedBeforeBy = [ ];  # don't create this as part of `multi-user.target`
    };
    fs.".local/share/keyrings/default" = {
      generated.command = [
        "cp --no-clobber ${./default} /home/colin/.local/share/keyrings/default"
      ];
      wantedBy = [ config.sane.fs."${config.sane.persist.stores.private.origin}".unit ];
      # TODO: move gnome-keyring.service under our control and then i can
      #       ensure ordering here.
      wantedBeforeBy = [ ];  # don't create this as part of `multi-user.target`
    };
  };

  # adds gnome-keyring as a xdg-data-portal (xdg.portal)
  # TODO: the gnome-keyring which this puts on PATH isn't sandboxed!
  #   nixos service doesn't even let it be pluggable
  services.gnome.gnome-keyring = lib.mkIf config.sane.programs.gnome-keyring.enabled {
    enable = true;
  };
}