authorMaxim Cournoyer <[email protected]>2025-03-07 01:21:10 +0900
committerMaxim Cournoyer <[email protected]>2025-03-09 15:30:33 +0900
commit43c4d16ad9e68e6d5302f0526ce5c69627941125 (patch)
tree86bf17b0b28112baddb3cdb232babf4e3ed4710b /gnu/services
parent4538aa4acd199db7d7df1deb5e47b2ff6edb50f9 (diff)
services: Integrate gnome-keyring service in gnome-desktop service.
Prior to this change, GNOME users would have to manually add the gnome-keyring-service-type to their services to have a default login keyring created and unlocked at login time. Some applications depend on a default keyring being available and prompt repeatedly for it, which is confusing and doesn't match user expectations, given most distributions use the GNOME keyring pam module to unlock the login keyring by default. * doc/guix.texi (Desktop Services): Update doc. * gnu/services/desktop.scm (<gnome-keyring-configuration>): Move above gnome-desktop-service-type, and streamline description. (pam-gnome-keyring): Return the empty list when CONFIG is #f. (gnome-desktop-configuration) [keyring]: New field. Change-Id: Ica26c1e1b85a038c1187edfb3ec3691fcd429641 Reviewed-by: Liliana Marie Prikler <[email protected]>
Diffstat (limited to 'gnu/services')
-rw-r--r--gnu/services/desktop.scm125
1 files changed, 73 insertions, 52 deletions
diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm
index ee05bd98db..71d650e14f 100644
--- a/gnu/services/desktop.scm
+++ b/gnu/services/desktop.scm
@@ -154,6 +154,7 @@
gnome-desktop-configuration-extra-packages
gnome-desktop-configuration-polkit-ignorelist
gnome-desktop-configuration-udev-ignorelist
+ gnome-desktop-configuration-keyring
gnome-desktop-service
gnome-desktop-service-type
@@ -1471,6 +1472,65 @@ rules.")
(service-extension account-service-type
(const %sane-accounts))))))
+
+;;;
+;;; gnome-keyring-service-type
+;;;
+
+(define-record-type* <gnome-keyring-configuration> gnome-keyring-configuration
+ make-gnome-keyring-configuration
+ gnome-keyring-configuration?
+ (keyring gnome-keyring-package (default gnome-keyring))
+ (pam-services gnome-keyring-pam-services (default '(("gdm-password" . login)
+ ("passwd" . passwd)))))
+
+(define (pam-gnome-keyring config)
+ ;; CONFIG may be either a <gnome-desktop-configuration> or a
+ ;; <gnome-keyring-configuration>> record, when using the
+ ;; gnome-keyring-service-type on its own.
+ (let ((config (if (gnome-desktop-configuration? config)
+ (gnome-desktop-configuration-keyring
+ config)
+ config)))
+ (match config
+ (#f '()) ;explicitly disabled by user
+ (_
+ (define (%pam-keyring-entry . arguments)
+ (pam-entry
+ (control "optional")
+ (module (file-append (gnome-keyring-package config)
+ "/lib/security/pam_gnome_keyring.so"))
+ (arguments arguments)))
+
+ (list
+ (pam-extension
+ (transformer
+ (lambda (service)
+ (case (assoc-ref (gnome-keyring-pam-services config)
+ (pam-service-name service))
+ ((login)
+ (pam-service
+ (inherit service)
+ (auth (append (pam-service-auth service)
+ (list (%pam-keyring-entry))))
+ (session (append (pam-service-session service)
+ (list (%pam-keyring-entry "auto_start"))))))
+ ((passwd)
+ (pam-service
+ (inherit service)
+ (password (append (pam-service-password service)
+ (list (%pam-keyring-entry))))))
+ (else service))))))))))
+
+(define gnome-keyring-service-type
+ (service-type
+ (name 'gnome-keyring)
+ (extensions (list
+ (service-extension pam-root-service-type pam-gnome-keyring)))
+ (default-value (gnome-keyring-configuration))
+ (description "Return a service, that extends PAM with entries using
+@code{pam_gnome_keyring.so}, unlocking a user's login keyring when they log in
+or setting its password with passwd.")))
;;;
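Review bot: The comment at the top of `pam-gnome-keyring` has a stray `>` in `<gnome-keyring-configuration>>`, and it does not mention that the procedure returns `'()` when the keyring is `#f`. Because this procedure edits the auth, session and password stacks, a docstring would help the next reader, for example `"Return the PAM extensions that append pam_gnome_keyring.so to the services named in CONFIG's pam-services, or '() when the keyring is disabled."`. A short comment next to `(control "optional")` would also be useful, presumably along the lines of `;; optional: a keyring failure must not by itself fail login or passwd`.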
@@ -1479,6 +1539,10 @@ rules.")
(define-maybe/no-serialization package)
+(define (gnome-keyring-configuration-or-#f? value)
+ (or (gnome-keyring-configuration? value)
+ (not value)))
+
(define (extract-propagated-inputs package)
;; Drop input labels. Attempt to support outputs.
(map
@@ -1515,7 +1579,13 @@ are installed.")
(list-of-strings '())
"A list of regular expressions denoting polkit rules provided by any package
that should not be installed. By default, every polkit rule added by any package
-referenced in the other fields are installed."))
+referenced in the other fields are installed.")
+ (keyring
+ (gnome-keyring-configuration-or-#f (gnome-keyring-configuration))
+ "A <gnome-keyring-configuration> record used to better integrate the GNOME
+keyring with the system. Refer to the documentation of the
+@code{gnome-keyring-service-type} for more information. If you'd rather avoid
+integrating the GNOME keyring, you can set this to @code{#f}."))
(define (gnome-package gnome name)
"Return the package NAME among the GNOME package inputs. NAME can be a
@@ -1636,6 +1706,8 @@ CONFIG, a <gnome-desktop-configuration> object."
(extensions
(list (service-extension udev-service-type
gnome-udev-configuration-files)
+ (service-extension pam-root-service-type
+ pam-gnome-keyring)
(service-extension polkit-service-type
gnome-polkit-settings)
(service-extension privileged-program-service-type
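Review bot: A system that already lists `gnome-keyring-service-type` next to `gnome-desktop-service-type` now receives `pam-gnome-keyring` as a PAM extension from both services, so the `pam_gnome_keyring.so` entries would presumably be appended twice to the `gdm-password` and `passwd` stacks. Nothing visible in this diff deduplicates them; the doc/guix.texi part of the commit is not shown here and may already cover the migration. The `keyring` field docstring in the hunk at -1515 only says the record is used to "better integrate" the keyring, and it could state the effect and the overlap, e.g. `Adds pam_gnome_keyring.so to the PAM stacks of the configured services; do not also instantiate gnome-keyring-service-type.` The extensions list continues outside this hunk.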
@@ -1974,57 +2046,6 @@ dispatches events from it.")))
;;;
-;;; gnome-keyring-service-type
-;;;
-
-(define-record-type* <gnome-keyring-configuration> gnome-keyring-configuration
- make-gnome-keyring-configuration
- gnome-keyring-configuration?
- (keyring gnome-keyring-package (default gnome-keyring))
- (pam-services gnome-keyring-pam-services (default '(("gdm-password" . login)
- ("passwd" . passwd)))))
-
-(define (pam-gnome-keyring config)
- (define (%pam-keyring-entry . arguments)
- (pam-entry
- (control "optional")
- (module (file-append (gnome-keyring-package config)
- "/lib/security/pam_gnome_keyring.so"))
- (arguments arguments)))
-
- (list
- (pam-extension
- (transformer
- (lambda (service)
- (case (assoc-ref (gnome-keyring-pam-services config)
- (pam-service-name service))
- ((login)
- (pam-service
- (inherit service)
- (auth (append (pam-service-auth service)
- (list (%pam-keyring-entry))))
- (session (append (pam-service-session service)
- (list (%pam-keyring-entry "auto_start"))))))
- ((passwd)
- (pam-service
- (inherit service)
- (password (append (pam-service-password service)
- (list (%pam-keyring-entry))))))
- (else service)))))))
-
-(define gnome-keyring-service-type
- (service-type
- (name 'gnome-keyring)
- (extensions (list
- (service-extension pam-root-service-type pam-gnome-keyring)))
- (default-value (gnome-keyring-configuration))
- (description "Return a service, that adds the @code{gnome-keyring} package
-to the system profile and extends PAM with entries using
-@code{pam_gnome_keyring.so}, unlocking a user's login keyring when they log in
-or setting its password with passwd.")))
-
-
-;;;
;;; polkit-wheel-service -- Allow wheel group to perform admin actions
;;;