oo7-daemon: unlock the Login keyring via systemd credential

oo7-daemon was running but its 'Login' keyring stayed locked because
nothing supplied a master password, so libsecret clients (flare in
particular) blocked indefinitely on keyring.unlock().

The upstream user unit declares
  ImportCredential=oo7.keyring-encryption-password
which picks up matching credentials from systemd's per-service
credential machinery. Wire LoadCredential=oo7.keyring-encryption-password
to the agenix-decrypted secret so the daemon unlocks at session start
without any prompt.

The password itself is a fresh 64-byte urandom value encrypted to all
desktop recipients (admin SSH key + mreow + yarn TPM identities); it's
opaque to the user and never typed manually. Owner is primary so the
user-scope unit's LoadCredential read works without elevating.

Verified the activation script chowns the decrypted file primary:users
mode 0400, the user unit override carries the LoadCredential line, and
the resulting drv builds clean.
2026-04-30 00:46:05 -04:00
parent 6bbedff561
commit 95968f6b47
4 changed files with 19 additions and 0 deletions
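A post-deploy check for the ownership and mode the message says were verified (added example, not part of this commit): a POSIX shell function using GNU `stat` that confirms the decrypted secret is readable only by the account the user-scope unit runs as. The defaults (`primary`, `400`) come from the commit; the function name and the optional-argument layout are assumptions.

```shell
#!/bin/sh
# check_keyring_secret PATH [OWNER] [MODE]
# Verify that a decrypted secret file has exactly the owner and mode a
# user-scope LoadCredential= needs: the unit reads the file as that user,
# and anything looser exposes the keyring master password to other accounts.
# Returns 0 when both match, 1 (with a reason on stderr) otherwise.
check_keyring_secret() {
  path=$1
  want_owner=${2:-primary}   # account the oo7-daemon user unit runs as
  want_mode=${3:-400}        # owner read-only, no group/other access
  [ -f "$path" ] || { echo "missing: $path" >&2; return 1; }
  # GNU stat: %U = symbolic owner, %a = octal permission bits.
  got_owner=$(stat -c '%U' "$path") || return 1
  got_mode=$(stat -c '%a' "$path") || return 1
  status=0
  [ "$got_owner" = "$want_owner" ] ||
    { echo "$path: owner $got_owner, expected $want_owner" >&2; status=1; }
  [ "$got_mode" = "$want_mode" ] ||
    { echo "$path: mode $got_mode, expected $want_mode" >&2; status=1; }
  return $status
}
```

On the host this would be invoked as `check_keyring_secret /run/agenix/oo7-keyring-password`, after the activation script has run.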


@@ -66,5 +66,15 @@ in
group = "root";
};
# Master password for oo7-daemon's 'Login' keyring; the unit consumes it
# via systemd's ImportCredential machinery (see desktop-oo7-daemon.nix).
# Owner is `primary` so the user-scope systemd unit can LoadCredential it.
oo7-keyring-password = {
file = ../secrets/desktop/oo7-keyring-password.age;
mode = "0400";
owner = "primary";
group = "users";
};
};
}
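Review bot: with `mode = "0400"`, the `group = "users"` line on the new `oo7-keyring-password` entry grants nothing and reads as if every member of `users` could open the file; either state in the comment above it that the group is irrelevant under 0400, or drop it so the intent (readable by `primary` only) is obvious. It is also worth recording next to the permission choice that this file unlocks the entire 'Login' keyring, so any process running as `primary` in that session has the same access the daemon does; that is inherent to a prompt-free unlock, and the comment should say so rather than leave it implied.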


@@ -31,5 +31,14 @@
systemd.user.services.oo7-daemon = {
wantedBy = [ "default.target" ];
aliases = [ "dbus-org.freedesktop.secrets.service" ];
# Feed the keyring master password through systemd's credential
# machinery. The upstream unit declares
# `ImportCredential=oo7.keyring-encryption-password`, which picks up
# whatever LoadCredential leaves under $CREDENTIALS_DIRECTORY. agenix
# decrypts the secret to /run/agenix/oo7-keyring-password as the
# `primary` user, who is also the user this user-scope unit runs as.
serviceConfig.LoadCredential = [
"oo7.keyring-encryption-password:/run/agenix/oo7-keyring-password"
];
};
}
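Review bot: the comment in this hunk misdescribes the mechanism: `LoadCredential=` itself places the file into the service's `$CREDENTIALS_DIRECTORY` under the given id, while upstream's `ImportCredential=oo7.keyring-encryption-password` searches the manager-level credential stores (for example `/etc/credstore` and credentials the manager inherited), not "whatever LoadCredential leaves". The change still works because both paths end at `$CREDENTIALS_DIRECTORY/oo7.keyring-encryption-password`, but rewrite the comment to say that `LoadCredential=` supplies the credential directly and `ImportCredential=` is an independent upstream lookup. Since this is a user-scope unit, the path `/run/agenix/oo7-keyring-password` is read as `primary`, which makes the owner/0400 choice in the secrets file load-bearing; `systemctl --user show oo7-daemon.service -p LoadCredential` confirms the override is applied.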