Xinit workflow with NetworkManager/GnomeKeyring

Hello! :smile: I can’t seem to get NetworkManager to use GnomeKeyring when not using any display manager for login.

I’ve tried all variations of starting up D-Bus, initializing GnomeKeyring components, etc. in my ~/.xinitrc and also via the programs.bash.loginShellInit option in my configuration.nix. I feel like I have all the required programs running, with the correct environment, etc. but NetworkManager refuses to store my passwords through the keyring (instead storing them in files-per-SSID under /etc/NetworkManager/system-connections).

I’ve also made sure I’ve un-ticked the option to have the connection available to all users via nmtui-edit, or, when activating the connection, by using nmcli device wifi connect foo password bar private yes.

My current setup is:

In my configuration.nix:

  services.gnome3.gnome-keyring.enable = true;
  # Not necessary, but helpful for checking if the keyring is named correctly
  # (we expect "login"), and that it is unlocked. 
  services.gnome3.seahorse.enable = true;

  security.pam.services.login = {
    allowNullPassword = true;
    setEnvironment = true;
    setLoginUid = true;
    startSession = true;
    unixAuth = true;
    updateWtmp = true;

    # Unlock keyring on login.
    enableGnomeKeyring = true;
  };

In my ~/.xinitrc:

  # Start D-Bus if it isn't already started.
  # https://nurdletech.com/linux-notes/agents/keyring.html#dbus.
  if [[ -z "$DBUS_SESSION_BUS_ADDRESS" ]]; then
      eval "$(/run/current-system/sw/bin/dbus-launch --sh-syntax --exit-with-session)"
      export DBUS_SESSION_BUS_ADDRESS
  fi

  # https://wiki.archlinux.org/index.php/GNOME/Keyring#xinitrc_method.
  # By default this starts: pkcs11, secrets, ssh.
  eval "$(/run/current-system/sw/bin/gnome-keyring-daemon --start)"
  export SSH_AUTH_SOCK

Workflow:

  • Login, startx and open up a terminal.
  • ps fx shows me D-Bus, GnomeKeyring are both running.
  • echo $DBUS_SESSION_BUS_ADDRESS and $SSH_AUTH_SOCK give me valid values.
  • seahorse shows the expected keyring login, unlocked.
  • Delete the connection - nmcli connection delete foo.
  • Re-connect, enabling the connection only for my user (as mentioned above).
  • Login as root and check /etc/NetworkManager/system-connections/foo to find that my connection password is in plain text. :cry:

I would greatly appreciate any pointers/help! Judging from the Arch wiki and other resources this is something that can be particularly finicky to get working…
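
The last workflow step (reading the keyfile as root) can be scripted. The following is an added example, not part of the original post: it classifies each NetworkManager keyfile by whether the Wi-Fi PSK sits in the file or is delegated to a secret agent such as a keyring. It relies on NetworkManager's psk-flags secret flags (0x1 agent-owned, 0x2 not saved), which the post does not mention; the function names and sample keyfiles are constructed for illustration.

```shell
#!/bin/sh
# Added example: report how NetworkManager keyfiles store their Wi-Fi PSK.

# Print one word for a keyfile: plaintext | agent-owned | not-saved | no-psk
psk_storage() {
    awk -F= '
        /^\[/ { section = $0; next }
        section != "[wifi-security]" { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == "psk"       { have_psk = 1 }
        key == "psk-flags" { flags = $2 + 0 }
        END {
            # A psk= line means the secret is readable in the file itself.
            if (have_psk)                     print "plaintext"
            else if (flags % 2 == 1)          print "agent-owned"  # flag bit 0x1
            else if (int(flags / 2) % 2 == 1) print "not-saved"    # flag bit 0x2
            else                              print "no-psk"
        }' "$1"
}

# List every keyfile in a directory: name, PSK storage, connection permissions.
audit_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        perms=$(sed -n 's/^permissions=//p' "$f")
        printf '%s\t%s\t%s\n' "${f##*/}" "$(psk_storage "$f")" "${perms:-all-users}"
    done
}

# Constructed sample keyfiles (not taken from the post): "foo" keeps the PSK
# in the file, "bar" marks it agent-owned. User name "alice" is hypothetical.
write_samples() {
    printf '%s\n' '[connection]' 'id=foo' 'type=wifi' 'permissions=user:alice:;' \
        '' '[wifi-security]' 'key-mgmt=wpa-psk' 'psk=constructed-passphrase' > "$1/foo"
    printf '%s\n' '[connection]' 'id=bar' 'type=wifi' 'permissions=user:alice:;' \
        '' '[wifi-security]' 'key-mgmt=wpa-psk' 'psk-flags=1' > "$1/bar"
}

# Demo on the constructed samples; on a real system run as root:
#   audit_dir /etc/NetworkManager/system-connections
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
audit_dir "$demo_dir"
rm -rf "$demo_dir"
```

A connection can be restricted to one user (permissions=user:...) and still report plaintext, because the permissions field and the secret's storage flag are separate settings.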