a5bd364ce52e1a72a0c4bf9682db9b1c99dee5f7
oo7-daemon was running but its 'Login' keyring stayed locked because nothing supplied a master password, so libsecret clients (flare in particular) blocked indefinitely on keyring.unlock(). The upstream user unit declares ImportCredential=oo7.keyring-encryption-password which picks up matching credentials from systemd's per-service credential machinery. Wire LoadCredential=oo7.keyring-encryption-password to the agenix-decrypted secret so the daemon unlocks at session start without any prompt. The password itself is a fresh 64-byte urandom value encrypted to all desktop recipients (admin SSH key + mreow + yarn TPM identities); it's opaque to the user and never typed manually. Owner is primary so the user-scope unit's LoadCredential read works without elevating. Verified the activation script chowns the decrypted file primary:users mode 0400, the user unit override carries the LoadCredential line, and the resulting drv builds clean.
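The wiring this commit message describes, sketched as a NixOS module. This is an added example, not the repository's own code: the secret name `oo7-keyring-password`, the `.age` file path and the user unit name `oo7-daemon` are assumptions, while the credential ID, owner, group and mode are the ones stated above.

```nix
# Added illustration, not the repository's module.
{ config, ... }:
{
  # agenix decrypts this at activation time. The owner must be the desktop
  # user so a user-scope unit can read the file without elevated privileges.
  age.secrets.oo7-keyring-password = {
    file = ./secrets/oo7-keyring-password.age; # placeholder path (assumption)
    owner = "primary";
    group = "users";
    mode = "0400"; # readable by the owner only
  };

  # Drop-in for the upstream user unit (unit name is an assumption).
  # The credential ID has to match the unit's
  # ImportCredential=oo7.keyring-encryption-password so the daemon
  # picks the password up and unlocks the keyring without a prompt.
  systemd.user.services.oo7-daemon = {
    overrideStrategy = "asDropin"; # extend the packaged unit, do not replace it
    serviceConfig.LoadCredential = [
      "oo7.keyring-encryption-password:${config.age.secrets.oo7-keyring-password.path}"
    ];
  };
}
```

After a rebuild, `systemctl --user cat oo7-daemon` should list the drop-in carrying the `LoadCredential=` line alongside the upstream unit.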
My NixOS configs ✨
Hosts
- mreow: My personal Framework 13 laptop
- yarn: Machine I usually just play games on. Boots into SteamOS-like interface.
- muffin: Homeserver, runs various services.
Desktop/Laptop
What do I use?
Browser: Firefox 🦊 (actually Zen Browser :p)
Text Editor: Doom Emacs
Terminal: ghostty
Shell: fish with the pure prompt
WM: niri
Background
- Got my background from here and used the command
magick input.png -filter Point -resize 2880x1920! output.png to upscale it bilinearly