authorSergio Pastor Pérez <sergio.pastorperez@gmail.com>2025-05-02 09:49:49 +0200
committerMaxim Cournoyer <maxim.cournoyer@gmail.com>2025-05-02 22:06:26 +0900
commit492bbb97000577ab7229246b581a68c242acf8dd (patch)
tree34e529f17af8c69f1c4311a070c32f06bebec9e2
parent284c5111db52bf59a165d81a2d3fbd0a51ade598 (diff)
services: kwallet: New service.
Change-Id: I1330ce5e1648a8ddf6ddd507255a73335d6baa51 Signed-off-by: Maxim Cournoyer <maxim.cournoyer@gmail.com>
-rw-r--r--doc/guix.texi41
-rw-r--r--gnu/services/desktop.scm63
2 files changed, 104 insertions, 0 deletions
diff --git a/doc/guix.texi b/doc/guix.texi
index dd3ee544b8..14d3d1206b 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -138,6 +138,7 @@ Copyright @copyright{} 2024 45mg@*
Copyright @copyright{} 2025 Sören Tempel@*
Copyright @copyright{} 2025 Rostislav Svoboda@*
Copyright @copyright{} 2025 Zacchaeus@*
+Copyright @copyright{} 2025 Sergio Pastor Pérez@*
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -27135,6 +27136,46 @@ and ``passwd'' is with the value @code{passwd}.
@end table
@end deftp
+@defvar kwallet-service-type
+This is the type of the service that adds the
+@uref{https://invent.kde.org/plasma/kwallet-pam, KWallet keyring}. Its
+value is a @code{kwallet-configuration} object (see below). Note that,
+contrary to @code{gnome-desktop-service-type}, which includes the
+respective keyring for that service, @code{gnome-keyring-service-type},
+@code{plasma-desktop-service-type} does not include
+@code{kwallet-service-type}.
+
+This service adds the @code{kwallet-pam} package to the system profile
+and extends PAM with entries using @code{pam_kwallet5.so}. It can
+unlock the user's login keyring or set their password with
+@command{passwd} at the time they log in.
+@end defvar
+
+@deftp {Data Type} kwallet-configuration
+Configuration record for the KWallet Keyring service.
+
+@table @asis
+@item @code{keyring} (default: @code{kwallet-pam})
+The KWallet keyring package to use.
+
+@item @code{pam-services}
+A list of @code{(@var{service} . @var{kind})} pairs denoting PAM
+services to extend, where @var{service} is the name of an existing
+service to extend and @var{kind} is one of @code{login} or @code{passwd}
+symbols.
+
+If @code{login} is given, it adds an optional
+@code{pam_kwallet5.so} to the auth block without arguments and to
+the session block with @code{auto_start}. If @code{passwd} is given, it
+adds an optional @code{pam_kwallet5.so} to the password block
+without arguments.
+
+By default, it takes for value an alist associating the @code{"sddm"}
+key with the @code{'login} value, and the @code{"passwd"} key with the
+@code{'passwd} value.
+@end table
+@end deftp
+
@defvar seatd-service-type
@uref{https://sr.ht/~kennylevinsen/seatd/, seatd} is a minimal seat
management daemon.
diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm
index a586746cc5..2127c2d389 100644
--- a/gnu/services/desktop.scm
+++ b/gnu/services/desktop.scm
@@ -20,6 +20,7 @@
;;; Copyright © 2024 45mg <45mg.writes@gmail.com>
;;; Copyright © 2024 Raven Hallsby <karl@hallsby.com>
;;; Copyright © 2025 Jonathan Brielmaier <jonathan.brielmaier@web.de>
+;;; Copyright © 2025 Sergio Pastor Pérez <sergio.pastorperez@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -197,6 +198,10 @@
gnome-keyring-configuration?
gnome-keyring-service-type
+ kwallet-configuration
+ kwallet-configuration?
+ kwallet-service-type
+
seatd-configuration
seatd-service-type
@@ -2148,6 +2153,64 @@ profile, and extends dbus with the ability for @code{efl} to generate
thumbnails and privileges the programs which enlightenment needs to function
as expected.")))
+
+;;;
+;;; kwallet-service-type.
+;;;
+
+(define-record-type* <kwallet-configuration> kwallet-configuration
+ make-kwallet-configuration
+ kwallet-configuration?
+ (wallet kwallet-package (default kwallet-pam))
+ (pam-services kwallet-pam-services (default '(("sddm" . login)
+ ("passwd" . passwd)))))
+
+(define (pam-kwallet config)
+ "Return a PAM extension for KWallet."
+ (match config
+ (#f '()) ;explicitly disabled by user
+ (_
+ (define (%pam-keyring-entry . arguments)
+ (pam-entry
+ (control "optional")
+ (module (file-append (kwallet-package config)
+ "/lib/security/pam_kwallet5.so"))
+ (arguments arguments)))
+
+ (list
+ (pam-extension
+ (transformer
+ (lambda (service)
+ (case (assoc-ref (kwallet-pam-services config)
+ (pam-service-name service))
+ ((login)
+ (pam-service
+ (inherit service)
+ (auth (append (pam-service-auth service)
+ (list (%pam-keyring-entry))))
+ (session (append (pam-service-session service)
+ (list (%pam-keyring-entry "auto_start"))))))
+ ((passwd)
+ (pam-service
+ (inherit service)
+ (password (append (pam-service-password service)
+ (list (%pam-keyring-entry))))))
+ (else service)))))))))
+
+;; TODO: consider integrating service in `<plasma-desktop-configuration>' as
+;; done in `<gnome-desktop-configuration>'. This requires rewritting the
+;; `<plasma-desktop-service-type>' as done for `<gnome-desktop-service-type>'.
+(define kwallet-service-type
+ (service-type
+ (name 'kwallet)
+ (extensions (list
+ (service-extension pam-root-service-type pam-kwallet)))
+ (default-value (kwallet-configuration))
+ (description "Return a service that extends PAM with entries using
+@code{pam_kwallet5.so}, unlocking the user's login keyring when they log in or
+setting its password with @command{passwd}.")))
+
+
;;;
;;; KDE Plasma desktop service.
;;;
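Review bot: The record field declared as `(wallet kwallet-package (default kwallet-pam))` does not match the manual text added by this same commit, which documents that field as `keyring`; a configuration written from the manual, `(kwallet-configuration (keyring …))`, would fail as an unknown field initializer. Either rename the field, `(keyring kwallet-package (default kwallet-pam))`, or change the `@item` in doc/guix.texi to `wallet`. Separately, in `pam-kwallet` the `case` falls through to `(else service)` for any kind other than `login` or `passwd`, so a misspelled kind in `pam-services` leaves that PAM service unmodified with no diagnostic; because this code edits the auth, session and password stacks, it would be safer to reject unknown kinds while still passing through services that are not listed (where `assoc-ref` returns `#f`).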