How do I add pam_kwallet5.so to /etc/pam.d/sddm?

Help
1

Hi

I’m still dealing with problems from trying to use KWallet with Hyprland (see https://discourse.nixos.org/t/hyprland-with-uwsm-no-secret-service-available-on-login-kwallet-is-installed-but-it-wont-start-and-autounlock/).

KWallet will not auto-unlock when logging (SDDM) into Hyprland (managed with UWSM). I was reading the Arch Wiki and it says that adding pam_kwallet5.so should not be necessary because SDDM already have the entries.

Well, checking the file, I see that’s not the case in NixOS:

───────┬───────────────────────────────────────────────────────────────────────────────────
       │ File: /etc/pam.d/sddm
───────┼───────────────────────────────────────────────────────────────────────────────────
   1   │ auth      substack      login
   2   │ account   include       login
   3   │ password  substack      login
   4   │ session   include       login
───────┴───────────────────────────────────────────────────────────────────────────────────

The one that has them is /etc/pam.d/kde!

So I tried adding the entries with this:

    security.pam.services.sddm.kwallet = {
      enable = true;
    };

But I check, and still nothing; the files stay the same :(. Please help me! I’m tired of having to log into all my accounts after entering Hyprland for every reboot!

2

This works for me with KDE:

  security.pam.services = {
    sddm-autologin.text = lib.mkForce ''
      auth     requisite pam_nologin.so
      auth     optional  ${config.systemd.package}/lib/security/pam_systemd_loadkey.so
      auth     optional  ${pkgs.kdePackages.kwallet-pam}/lib/security/pam_kwallet5.so
      auth     optional  ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so
      auth     required  pam_succeed_if.so uid >= ${toString config.services.displayManager.sddm.autoLogin.minimumUid} quiet
      auth     required  pam_permit.so
      account  include   sddm
      password include   sddm
      session  include   sddm
    '';
  };
1 Like
3

so you copied the original content, added your entries in the corresponding place and use that as value?

4

I just enabled GDM. That was my “solution”

Edit March 6th, 2026:

okay, I’m editing this post to explain the “true” solution. Basically turning off KWallet and enabling gnome-keyring:

2 files changed, 34 insertions(+), 9 deletions(-)
homes/woody/home.nix                 | 19 +++++++++++--------
system/hosts/woody/configuration.nix | 24 +++++++++++++++++++++++-

modified   homes/woody/home.nix
@@ -78,14 +78,17 @@
   };
 
   # deshabilita KWallet para que gnome-keyring sea el unico proveedor de secretos
-  xdg.configFile."kwalletrc".text = lib.concatStringsSep "\n" [
-    "[Wallet]"
-    "Enabled=false"
-    "First Use=false"
-    ""
-    "[org.freedesktop.secrets]"
-    "apiEnabled=false"
-  ];
+  xdg.configFile."kwalletrc" = {
+    force = true; # sobreescribe el archivo que KDE Plasma crea al iniciar sesion
+    text = lib.concatStringsSep "\n" [
+      "[Wallet]"
+      "Enabled=false"
+      "First Use=false"
+      ""
+      "[org.freedesktop.secrets]"
+      "apiEnabled=false"
+    ];
+  };
 
   gtk = {
     enable = true;
modified   system/hosts/woody/configuration.nix
@@ -214,6 +214,26 @@ in
   # gnome-keyring como servicio de secretos compartido entre Hyprland y KDE
   services.gnome.gnome-keyring.enable = true;
 
+  # enruta el portal de secretos a gnome-keyring para TODOS los entornos de escritorio,
+  # incluyendo Hyprland y KDE (que por defecto usa kwallet)
+  xdg.portal.config = {
+    hyprland = {
+      default = [
+        "hyprland"
+        "gtk"
+      ];
+      "org.freedesktop.impl.portal.Secret" = [ "gnome-keyring" ];
+    };
+    kde = {
+      default = [ "kde" ];
+      "org.freedesktop.impl.portal.Settings" = [
+        "kde"
+        "gtk"
+      ];
+      "org.freedesktop.impl.portal.Secret" = [ "gnome-keyring" ];
+    };
+  };
+
   # habilita hyprland
   programs.hyprland = {
     enable = true;
@@ -479,7 +499,9 @@ in
     bindfs
     blender-hip
     bottles
-    vivaldi
+    (vivaldi.override {
+      commandLineArgs = "--password-store=gnome-libsecret";
+    })
     vivaldi-ffmpeg-codecs
 
     rustdesk

I’m forcing Vivaldi to use gnome-libsecret for storing its secrets since gnome-keyring is enabled system-wide. I’m also using home-manager to tweak the XDG portal.