diff --git a/modules/desktop-common.nix b/modules/desktop-common.nix
index d11a8a3..4bc791a 100644
--- a/modules/desktop-common.nix
+++ b/modules/desktop-common.nix
@@ -19,6 +19,7 @@
     ./desktop-networkmanager.nix
     ./desktop-age-secrets.nix
     ./desktop-lanzaboote-agenix.nix
+    ./desktop-oo7-daemon.nix
 
     inputs.disko.nixosModules.disko
 
diff --git a/modules/desktop-oo7-daemon.nix b/modules/desktop-oo7-daemon.nix
new file mode 100644
index 0000000..f5c44c3
--- /dev/null
+++ b/modules/desktop-oo7-daemon.nix
@@ -0,0 +1,35 @@
+# oo7-daemon — the pure-Rust implementation of the org.freedesktop.secrets
+# (libsecret) D-Bus interface, written by the same project that ships the
+# `oo7` Rust crate that flare uses internally.
+#
+# Without a secret-service provider on the bus, flare's `oo7::Keyring::new()`
+# call fails immediately at startup ("The communication with libsecret
+# failed"). Most NixOS desktops solve this by enabling
+# `services.gnome.gnome-keyring.enable`, but that drags GNOME plumbing
+# we don't otherwise want; oo7-daemon is the lightweight match for niri
+# desktops.
+#
+# The `oo7-server` package ships:
+#   - libexec/oo7-daemon                                (the binary)
+#   - share/dbus-1/services/org.freedesktop.secrets.service
+#   - share/systemd/user/oo7-daemon.service
+#
+# We register both with NixOS and start the daemon at user login so
+# libsecret clients can find the bus name without depending on D-Bus
+# auto-activation. We also alias the unit as
+# `dbus-org.freedesktop.secrets.service` so D-Bus activation falls back
+# to it cleanly when the daemon has not been started yet (e.g. inside a
+# fresh `systemd-run --user` scope).
+
+{ pkgs, ... }:
+{
+  environment.systemPackages = [ pkgs.oo7-server ];
+
+  services.dbus.packages = [ pkgs.oo7-server ];
+  systemd.packages = [ pkgs.oo7-server ];
+
+  systemd.user.services.oo7-daemon = {
+    wantedBy = [ "default.target" ];
+    aliases = [ "dbus-org.freedesktop.secrets.service" ];
+  };
+}