From d3d08aa4af6d8961913e69b535abe457037bda0f Mon Sep 17 00:00:00 2001
From: Bloxx12
Date: Fri, 25 Jul 2025 16:55:16 +0200
Subject: [PATCH] security: switch to gnome-keyring instead of kwallet. gnome-keyring seems to be more reliable in the long term I only have to force disable gcr, which it ships with it.
---
 modules/system/os/security/security.mod.nix | 39 ++++++++++++---------
 1 file changed, 22 insertions(+), 17 deletions(-)
diff --git a/modules/system/os/security/security.mod.nix b/modules/system/os/security/security.mod.nix
index 0525506..4c3175a 100644
--- a/modules/system/os/security/security.mod.nix
+++ b/modules/system/os/security/security.mod.nix
@@ -1,4 +1,7 @@
-{ pkgs, ... }:
+{ lib, pkgs, ... }:
+let
+ inherit (lib.modules) mkForce;
+in
 {
 security = {
 # Enable Soteria, a GTK-based Polkit authentication agent.
@@ -9,23 +12,25 @@
 packages = [ pkgs.apparmor-profiles ];
 };
 
- pam.services = {
- login.kwallet = {
- enable = true;
- # package = pkgs.kdePackages.kwallet-pam;
- };
- niri = {
- allowNullPassword = true;
- kwallet = {
- enable = true;
- package = pkgs.kdePackages.kwallet-pam;
- };
- };
+ pam.services.login.enableGnomeKeyring = true;
+
+ wrappers.gnome-keyring-daemon = {
+ owner = "root";
+ group = "root";
+ capabilities = "cap_ipc_lock=ep";
+ source = "${pkgs.gnome-keyring}/bin/gnome-keyring-daemon";
 };
 };
- environment.systemPackages = with pkgs.kdePackages; [
- kwallet # provides helper service
- kwallet-pam # provides helper service
- kwalletmanager # provides KCMs and stuff
+ services = {
+ dbus.packages = [
+ pkgs.gnome-keyring
+ ];
+ gnome.gcr-ssh-agent.enable = mkForce false;
+ };
+ xdg.portal.extraPortals = [
+ pkgs.gnome-keyring
+ ];
+ environment.systemPackages = [
+ pkgs.gnome-keyring
 ];
 }
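Review bot: The new `wrappers.gnome-keyring-daemon` entry in the second hunk grants `cap_ipc_lock=ep` with no comment saying why, and the capability sits only on the wrapper binary, not on the `${pkgs.gnome-keyring}` store path that the same hunk adds to `dbus.packages` and `environment.systemPackages`. A daemon started through D-Bus activation or the PAM module presumably runs from the store path and so cannot lock its secret memory against swap; a comment such as `# cap_ipc_lock lets the daemon mlock secrets; only the copy under /run/wrappers/bin carries it` would record that. Separately, the keyring is now wired only into the `login` PAM service, while the removed block also covered `niri`, so it is worth confirming that the session is really opened through `login` or the keyring may stay locked. Dropping `allowNullPassword = true` along with the `niri` service tightens authentication, which looks intentional, but the commit message does not mention it.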