security: switch to gnome-keyring instead of kwallet.

gnome-keyring seems to be more reliable in the long term I only have to force disable gcr, which it ships with it.
2025-07-25 16:55:16 +02:00 · 2025-07-25 16:55:16 +02:00 · d3d08aa4af
commit d3d08aa4af
parent cc9735063b
1 changed files with 22 additions and 17 deletions
--- a/modules/system/os/security/security.mod.nix
+++ b/modules/system/os/security/security.mod.nix
@ -1,4 +1,7 @@
-{ pkgs, ... }:
+{ lib, pkgs, ... }:
 let
  inherit (lib.modules) mkForce;
 in
 {
  security = {
    # Enable Soteria, a GTK-based Polkit authentication agent.
@ -9,23 +12,25 @@
      packages = [ pkgs.apparmor-profiles ];
    };
-    pam.services = {
+    pam.services.login.enableGnomeKeyring = true;
-      login.kwallet = {
+
-        enable = true;
+    wrappers.gnome-keyring-daemon = {
-        # package = pkgs.kdePackages.kwallet-pam;
+      owner = "root";
-      };
+      group = "root";
-      niri = {
+      capabilities = "cap_ipc_lock=ep";
-        allowNullPassword = true;
+      source = "${pkgs.gnome-keyring}/bin/gnome-keyring-daemon";
        kwallet = {
          enable = true;
          package = pkgs.kdePackages.kwallet-pam;
        };
      };
    };
  };
-  environment.systemPackages = with pkgs.kdePackages; [
+  services = {
-    kwallet # provides helper service
+    dbus.packages = [
-    kwallet-pam # provides helper service
+      pkgs.gnome-keyring
-    kwalletmanager # provides KCMs and stuff
+    ];
    gnome.gcr-ssh-agent.enable = mkForce false;
  };
  xdg.portal.extraPortals = [
    pkgs.gnome-keyring
  ];
  environment.systemPackages = [
    pkgs.gnome-keyring
  ];
 }