Simon Gardling
95968f6b47
oo7-daemon was running but its 'Login' keyring stayed locked because nothing supplied a master password, so libsecret clients (flare in particular) blocked indefinitely on keyring.unlock(). The upstream user unit declares ImportCredential=oo7.keyring-encryption-password which picks up matching credentials from systemd's per-service credential machinery. Wire LoadCredential=oo7.keyring-encryption-password to the agenix-decrypted secret so the daemon unlocks at session start without any prompt. The password itself is a fresh 64-byte urandom value encrypted to all desktop recipients (admin SSH key + mreow + yarn TPM identities); it's opaque to the user and never typed manually. Owner is primary so the user-scope unit's LoadCredential read works without elevating. Verified the activation script chowns the decrypted file primary:users mode 0400, the user unit override carries the LoadCredential line, and the resulting drv builds clean.
45 lines
1.9 KiB
Nix
45 lines
1.9 KiB
Nix
# oo7-daemon — the pure-Rust implementation of the org.freedesktop.secrets
|
|
# (libsecret) D-Bus interface, written by the same project that ships the
|
|
# `oo7` Rust crate that flare uses internally.
|
|
#
|
|
# Without a secret-service provider on the bus, flare's `oo7::Keyring::new()`
|
|
# call fails immediately at startup ("The communication with libsecret
|
|
# failed"). Most NixOS desktops solve this by enabling
|
|
# `services.gnome.gnome-keyring.enable`, but that drags GNOME plumbing
|
|
# we don't otherwise want; oo7-daemon is the lightweight match for niri
|
|
# desktops.
|
|
#
|
|
# The `oo7-server` package ships:
|
|
# - libexec/oo7-daemon (the binary)
|
|
# - share/dbus-1/services/org.freedesktop.secrets.service
|
|
# - share/systemd/user/oo7-daemon.service
|
|
#
|
|
# We register both with NixOS and start the daemon at user login so
|
|
# libsecret clients can find the bus name without depending on D-Bus
|
|
# auto-activation. We also alias the unit as
|
|
# `dbus-org.freedesktop.secrets.service` so D-Bus activation falls back
|
|
# to it cleanly when the daemon has not been started yet (e.g. inside a
|
|
# fresh `systemd-run --user` scope).
|
|
|
|
{ pkgs, ... }:
|
|
{
|
|
environment.systemPackages = [ pkgs.oo7-server ];
|
|
|
|
services.dbus.packages = [ pkgs.oo7-server ];
|
|
systemd.packages = [ pkgs.oo7-server ];
|
|
|
|
systemd.user.services.oo7-daemon = {
|
|
wantedBy = [ "default.target" ];
|
|
aliases = [ "dbus-org.freedesktop.secrets.service" ];
|
|
# Feed the keyring master password through systemd's credential
|
|
# machinery. The upstream unit declares
|
|
# `ImportCredential=oo7.keyring-encryption-password`, which picks up
|
|
# whatever LoadCredential leaves under $CREDENTIALS_DIRECTORY. agenix
|
|
# decrypts the secret to /run/agenix/oo7-keyring-password as the
|
|
# `primary` user, who is also the user this user-scope unit runs as.
|
|
serviceConfig.LoadCredential = [
|
|
"oo7.keyring-encryption-password:/run/agenix/oo7-keyring-password"
|
|
];
|
|
};
|
|
}
|