# oo7-daemon: pure-Rust implementation of the org.freedesktop.secrets
# (libsecret) D-Bus interface, from the same project that publishes the
# `oo7` Rust crate flare uses internally.
#
# Why it is here: with no secret-service provider on the bus, flare's
# `oo7::Keyring::new()` call fails right at startup ("The communication
# with libsecret failed"). Most NixOS desktops fix that by enabling
# `services.gnome.gnome-keyring.enable`, which pulls in GNOME plumbing we
# do not otherwise want; oo7-daemon is the lightweight fit for niri
# desktops.
#
# The `oo7-server` package ships:
#   - libexec/oo7-daemon (the binary)
#   - share/dbus-1/services/org.freedesktop.secrets.service
#   - share/systemd/user/oo7-daemon.service
#
# The D-Bus service file and the systemd user unit are both registered with
# NixOS, and the daemon is started at user login so libsecret clients find
# the bus name without relying on D-Bus auto-activation. The unit is also
# aliased as `dbus-org.freedesktop.secrets.service` so D-Bus activation
# falls back to it cleanly when the daemon has not been started yet (e.g.
# inside a fresh `systemd-run --user` scope).
#
# NOTE(review): whichever process owns org.freedesktop.secrets answers every
# libsecret client in the session, so this module presumably expects to be
# the only secret-service provider enabled (no gnome-keyring next to it).
# Confirm against the rest of the configuration.
{ pkgs, ... }:

let
  # One package provides the binary, the D-Bus service file and the systemd
  # user unit listed in the header.
  inherit (pkgs) oo7-server;
in
{
  environment.systemPackages = [ oo7-server ];
  services.dbus.packages = [ oo7-server ];

  systemd = {
    packages = [ oo7-server ];

    user.services.oo7-daemon = {
      # Start with the user session instead of waiting for bus activation.
      wantedBy = [ "default.target" ];
      # Name D-Bus activation resolves for org.freedesktop.secrets.
      aliases = [ "dbus-org.freedesktop.secrets.service" ];

      serviceConfig = {
        # Hand the keyring master password to the daemon through systemd's
        # credential machinery. The upstream unit declares
        # `ImportCredential=oo7.keyring-encryption-password`; the entry
        # below supplies a credential of that name from the
        # agenix-decrypted file, so it appears under $CREDENTIALS_DIRECTORY.
        # agenix decrypts the secret to /run/agenix/oo7-keyring-password as
        # the `primary` user, who is also the user this user-scope unit
        # runs as.
        #
        # NOTE(review): the matching `age.secrets` entry is not in this
        # file. This assumes it sets the owner to `primary` with an
        # owner-only mode; confirm, since a wider mode would expose the
        # keyring password to other local accounts.
        # NOTE(review): the decrypted file stays readable by `primary`, so
        # any process running as that user can read the password. Treat it
        # as protecting the keyring from other accounts and offline access,
        # not from same-user processes. Confirm this matches the threat
        # model.
        # NOTE(review): LoadCredential= in a per-user manager depends on
        # the deployed systemd supporting credentials for user units.
        # Verify the daemon actually receives the credential; if it does
        # not, presumably it would start without the intended password.
        LoadCredential = [
          "oo7.keyring-encryption-password:/run/agenix/oo7-keyring-password"
        ];
      };
    };
  };
}