# GNOME Keyring integration: PAM-driven unlock plus the gcr SSH agent.
# Everything below is applied only when `nomarchy.system.keyring.enable` is set.
{ config, lib, ... }:
let
  keyring = config.nomarchy.system.keyring;
in
{
  config = lib.mkIf keyring.enable {
    # PAM services that additionally run pam_gnome_keyring: console login,
    # the SDDM greeter, and the hyprlock screen locker. The hyprlock entry is
    # there so the session keyring is unlocked again when the screen lock
    # is released.
    #
    # NOTE(review): the intent is to also cover SDDM autologin. The PAM module
    # unlocks the keyring with the password supplied during authentication;
    # an autologin has no password and normally runs through its own PAM
    # service (presumably `sddm-autologin` -- confirm). Verify what actually
    # happens on an autologin host: the keyring would stay locked unless it
    # has an empty password, which leaves its secrets unencrypted at rest.
    security.pam.services.login.enableGnomeKeyring = true;
    security.pam.services.sddm.enableGnomeKeyring = true;
    security.pam.services.hyprlock.enableGnomeKeyring = true;

    # Keyring daemon and the gcr SSH agent.
    services.gnome = {
      gnome-keyring.enable = true;
      gcr-ssh-agent.enable = true;
    };

    # OpenSSH's own agent is forced off so keys are served by the keyring's
    # agent (and therefore follow unlock-on-login) rather than by a second
    # ssh-agent process. mkForce outranks a plain `startAgent = true` set
    # by any other module.
    programs.ssh.startAgent = lib.mkForce false;

    # System-wide session variable: `ssh`, `git`, etc. locate the gcr socket
    # without per-user shell configuration.
    environment.sessionVariables = {
      SSH_AUTH_SOCK = "$XDG_RUNTIME_DIR/gcr/ssh";
    };
  };
}