# oo7-daemon: the pure-Rust org.freedesktop.secrets (libsecret) D-Bus
# provider, maintained by the same project that publishes the `oo7` crate
# flare links against.
#
# flare calls `oo7::Keyring::new()` at startup and aborts when nobody owns
# the secret-service bus name ("The communication with libsecret failed").
# The usual NixOS answer is `services.gnome.gnome-keyring.enable`, but that
# pulls in GNOME plumbing we have no other use for; oo7-daemon is the
# lightweight fit for a niri desktop.
#
# What the `oo7-server` package installs:
#   libexec/oo7-daemon                                   the binary
#   share/dbus-1/services/org.freedesktop.secrets.service  D-Bus activation
#   share/systemd/user/oo7-daemon.service                the user unit
#
# Both the D-Bus service file and the systemd unit are registered below,
# and the daemon is started at user login so libsecret clients find the bus
# name without relying on D-Bus auto-activation. The unit is additionally
# aliased as `dbus-org.freedesktop.secrets.service` so that D-Bus activation
# still lands on it when the daemon is not yet running (for instance inside
# a fresh `systemd-run --user` scope).
{ pkgs, ... }:
let
  # 0.6.0 stops at LockedKeyring::open(login) when no keyring file exists
  # yet, so on first run the auto-created default collection is locked and
  # a client's Unlock() call is routed to a prompt that never resolves —
  # there is no gnome-shell / kwallet / gcr-prompter on a niri desktop.
  # Cherry-pick upstream cf7b9a9 (PR #443), which unlocks the freshly
  # created keyring with the systemd credential / PAM secret directly.
  # Drop this override once nixpkgs ships an oo7-server release containing
  # the fix.
  keyringUnlockPatch =
    ../patches/oo7-server/0001-server-Use-provided-secret-to-unlock-auto-created-de.patch;

  oo7-server = pkgs.oo7-server.overrideAttrs (previous: {
    patches = (previous.patches or [ ]) ++ [ keyringUnlockPatch ];
  });

  # Credential ID the upstream unit asks for via
  # `ImportCredential=oo7.keyring-encryption-password`, and the file agenix
  # decrypts it from. The credential is exposed to the daemon only under
  # $CREDENTIALS_DIRECTORY rather than in its environment, so it does not
  # leak through `/proc/<pid>/environ` or child processes.
  credentialId = "oo7.keyring-encryption-password";
  credentialSource = "/run/agenix/oo7-keyring-password";
in
{
  environment.systemPackages = [ oo7-server ];
  services.dbus.packages = [ oo7-server ];
  systemd.packages = [ oo7-server ];

  systemd.user.services.oo7-daemon = {
    wantedBy = [ "default.target" ];
    aliases = [ "dbus-org.freedesktop.secrets.service" ];

    # Hand the keyring master password to the daemon through systemd's
    # credential machinery. agenix decrypts the secret to
    # /run/agenix/oo7-keyring-password as the `primary` user, which is also
    # the user this user-scope unit runs as; the user service manager reads
    # the file with that user's privileges, so the agenix `owner`/`mode` for
    # the secret (declared elsewhere) must keep it readable by `primary` and
    # nobody else — NOTE(review): confirm against the agenix secret
    # definition. systemd.exec(5) documents LoadCredential= as taking
    # priority over ImportCredential= for the same ID, so this file is what
    # the daemon ends up with — verify on the deployed systemd if in doubt.
    serviceConfig = {
      LoadCredential = [ "${credentialId}:${credentialSource}" ];
    };
  };
}