oo7-server 0.6.0 only feeds the systemd / PAM secret to existing keyrings discovered on disk. On first run no keyring exists yet, so the daemon creates an empty 'Login' collection via LockedKeyring::open, the credential is silently ignored, and any client Unlock() routes to a prompt that nothing on a niri desktop can satisfy. Patches/oo7-server/0001-... is upstream commit cf7b9a9 (PR #443) regenerated relative to the package's sourceRoot ('server/'). It switches the auto-created default-keyring path to UnlockedKeyring::open when a secret is available. The override threads the patch through pkgs.oo7-server.overrideAttrs in modules/desktop-oo7-daemon.nix and uses the patched derivation for both services.dbus.packages and systemd.packages so the user unit and D-Bus activation file land from the same store path. Cargo.lock is untouched, so the existing cargoDeps hash stays valid. Drop the override once nixpkgs ships an oo7-server release that includes the fix (anything past 0.6.0).
59 lines
2.6 KiB
Nix
# oo7-daemon — the pure-Rust implementation of the org.freedesktop.secrets
# (libsecret) D-Bus interface, written by the same project that ships the
# `oo7` Rust crate that flare uses internally.
#
# Without a secret-service provider on the bus, flare's `oo7::Keyring::new()`
# call fails immediately at startup ("The communication with libsecret
# failed"). Most NixOS desktops solve this by enabling
# `services.gnome.gnome-keyring.enable`, but that drags GNOME plumbing
# we don't otherwise want; oo7-daemon is the lightweight match for niri
# desktops.
#
# The `oo7-server` package ships:
# - libexec/oo7-daemon (the binary)
# - share/dbus-1/services/org.freedesktop.secrets.service
# - share/systemd/user/oo7-daemon.service
#
# We register both with NixOS and start the daemon at user login so
# libsecret clients can find the bus name without depending on D-Bus
# auto-activation. We also alias the unit as
# `dbus-org.freedesktop.secrets.service` so D-Bus activation falls back
# to it cleanly when the daemon has not been started yet (e.g. inside a
# fresh `systemd-run --user` scope).

{ pkgs, ... }:

let
  # 0.6.0 stops at LockedKeyring::open(login) when no keyring file exists,
  # so on first run the auto-created default collection is locked and a
  # client's Unlock() call routes to a prompt that never resolves (no
  # gnome-shell / kwallet / gcr-prompter on a niri desktop). Cherry-pick
  # upstream cf7b9a9 (PR #443) which uses the systemd credential / PAM
  # secret to unlock the new keyring directly. Drop the override when
  # nixpkgs ships an oo7-server release that includes the fix.
  oo7-server = pkgs.oo7-server.overrideAttrs (old: {
    patches = (old.patches or [ ]) ++ [
      ../patches/oo7-server/0001-server-Use-provided-secret-to-unlock-auto-created-de.patch
    ];
  });
in
{
  environment.systemPackages = [ oo7-server ];

  services.dbus.packages = [ oo7-server ];
  systemd.packages = [ oo7-server ];

  systemd.user.services.oo7-daemon = {
    wantedBy = [ "default.target" ];
    aliases = [ "dbus-org.freedesktop.secrets.service" ];
    # Feed the keyring master password through systemd's credential
    # machinery. The upstream unit declares
    # `ImportCredential=oo7.keyring-encryption-password`, which picks up
    # whatever LoadCredential leaves under $CREDENTIALS_DIRECTORY. agenix
    # decrypts the secret to /run/agenix/oo7-keyring-password as the
    # `primary` user, who is also the user this user-scope unit runs as.
    serviceConfig.LoadCredential = [
      "oo7.keyring-encryption-password:/run/agenix/oo7-keyring-password"
    ];
  };
}
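A post-deployment check for the first-run failure mode the commit message describes, added here as an example and not part of the repository: it confirms that the user unit carries the credential and that the default collection reports Locked=false on the session bus, which is the state the patch is meant to guarantee. The unit name, credential id and agenix path come from the module above; the Secret Service alias path and the `busctl`/`systemctl show` invocations are standard systemd and Secret Service API usage, assumed here rather than taken from the page.

```shell
#!/usr/bin/env sh
# Verify that oo7-daemon got its keyring password and that the default
# collection is unlocked; a locked default collection is exactly the state
# in which every client Unlock() ends in a prompt nobody can answer.
set -eu

UNIT="oo7-daemon.service"
CRED_ID="oo7.keyring-encryption-password"
BUS_NAME="org.freedesktop.secrets"
DEFAULT_PATH="/org/freedesktop/secrets/aliases/default"
COLL_IFACE="org.freedesktop.Secret.Collection"

# Interpret a `busctl get-property ... Locked` reply ("b true" / "b false").
collection_state() {
  case "$1" in
    "b false") echo unlocked ;;
    "b true")  echo locked ;;
    *)         echo unknown ;;
  esac
}

# Succeed when a `systemctl show -p LoadCredential` line names our credential.
has_credential() {
  case "$1" in
    *"$CRED_ID:"*) return 0 ;;
    *)             return 1 ;;
  esac
}

# Live checks against the running user session (needs systemd --user and busctl).
check_oo7() {
  cred_line=$(systemctl --user show -p LoadCredential "$UNIT")
  if ! has_credential "$cred_line"; then
    echo "FAIL: $UNIT does not load credential $CRED_ID ($cred_line)" >&2
    return 1
  fi
  reply=$(busctl --user get-property "$BUS_NAME" "$DEFAULT_PATH" "$COLL_IFACE" Locked)
  state=$(collection_state "$reply")
  if [ "$state" != unlocked ]; then
    echo "FAIL: default collection is $state ($reply); Unlock() would prompt" >&2
    return 1
  fi
  echo "OK: $UNIT loads $CRED_ID and the default collection is unlocked"
}

# Run the live checks only when invoked with --run from a logged-in session.
case "${1:-}" in
  --run) check_oo7 ;;
esac
```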