{ lib, pkgs, ... }:
let
  inherit (lib.modules) mkForce;
in
{
  security = {
    # Enable Soteria, a GTK-based Polkit authentication agent.
    soteria.enable = true;
    apparmor = {
      enable = true;
      killUnconfinedConfinables = true;
      packages = [ pkgs.apparmor-profiles ];
    };

    pam.services.login.enableGnomeKeyring = true;

    wrappers.gnome-keyring-daemon = {
      owner = "root";
      group = "root";
      capabilities = "cap_ipc_lock=ep";
      source = "${pkgs.gnome-keyring}/bin/gnome-keyring-daemon";
    };
  };
  services = {
    dbus.packages = [
      pkgs.gnome-keyring
    ];
    gnome.gcr-ssh-agent.enable = mkForce false;
  };
  xdg.portal.extraPortals = [
    pkgs.gnome-keyring
  ];
  environment.systemPackages = [
    pkgs.gnome-keyring
  ];
}