From 6bbedff561b15995a4c2aae422affe27aba23b2c Mon Sep 17 00:00:00 2001
From: Simon Gardling <titaniumtown@proton.me>
Date: Thu, 30 Apr 2026 00:22:37 -0400
Subject: [PATCH] desktop: add oo7-daemon as the org.freedesktop.secrets
 provider

Without a secret-service implementation on the bus, libsecret clients
like flare fail at startup with 'The communication with libsecret
failed'. None of the desktop hosts had one wired up.

oo7-daemon is the matching pure-Rust implementation (same project as
the oo7 crate flare uses internally), without the GNOME plumbing that
gnome-keyring would drag in. Register the package's D-Bus service
file and systemd user unit, start the daemon at user login, and alias
the unit as dbus-org.freedesktop.secrets.service so D-Bus
auto-activation also resolves cleanly when the wantedBy start hasn't
fired yet.

Verified the toplevel build and that the resulting system carries the
oo7-daemon user unit, the dbus alias symlink, and the
default.target.wants entry.
---
 modules/desktop-common.nix     |  1 +
 modules/desktop-oo7-daemon.nix | 35 ++++++++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+)
 create mode 100644 modules/desktop-oo7-daemon.nix

diff --git a/modules/desktop-common.nix b/modules/desktop-common.nix
index d11a8a3..4bc791a 100644
--- a/modules/desktop-common.nix
+++ b/modules/desktop-common.nix
@@ -19,6 +19,7 @@
     ./desktop-networkmanager.nix
     ./desktop-age-secrets.nix
     ./desktop-lanzaboote-agenix.nix
+    ./desktop-oo7-daemon.nix
 
     inputs.disko.nixosModules.disko
 
diff --git a/modules/desktop-oo7-daemon.nix b/modules/desktop-oo7-daemon.nix
new file mode 100644
index 0000000..f5c44c3
--- /dev/null
+++ b/modules/desktop-oo7-daemon.nix
@@ -0,0 +1,35 @@
+# oo7-daemon — the pure-Rust implementation of the org.freedesktop.secrets
+# (libsecret) D-Bus interface, written by the same project that ships the
+# `oo7` Rust crate that flare uses internally.
+#
+# Without a secret-service provider on the bus, flare's `oo7::Keyring::new()`
+# call fails immediately at startup ("The communication with libsecret
+# failed"). Most NixOS desktops solve this by enabling
+# `services.gnome.gnome-keyring.enable`, but that drags GNOME plumbing
+# we don't otherwise want; oo7-daemon is the lightweight match for niri
+# desktops.
+#
+# The `oo7-server` package ships:
+#   - libexec/oo7-daemon                                (the binary)
+#   - share/dbus-1/services/org.freedesktop.secrets.service
+#   - share/systemd/user/oo7-daemon.service
+#
+# We register both with NixOS and start the daemon at user login so
+# libsecret clients can find the bus name without depending on D-Bus
+# auto-activation. We also alias the unit as
+# `dbus-org.freedesktop.secrets.service` so D-Bus activation falls back
+# to it cleanly when the daemon has not been started yet (e.g. inside a
+# fresh `systemd-run --user` scope).
+
+{ pkgs, ... }:
+{
+  environment.systemPackages = [ pkgs.oo7-server ];
+
+  services.dbus.packages = [ pkgs.oo7-server ];
+  systemd.packages = [ pkgs.oo7-server ];
+
+  systemd.user.services.oo7-daemon = {
+    wantedBy = [ "default.target" ];
+    aliases = [ "dbus-org.freedesktop.secrets.service" ];
+  };
+}