[WIP] Add support for KWallet with SDDM at login #21

Draft: Copilot wants to merge 1 commit into main from copilot/add-kwallet-sddm-support

Copilot AI commented Feb 26, 2026

Thanks for asking me to work on this. I will get started on it and keep this PR's description up to date as I form a plan and make progress.

Original prompt

Summary

Make KWallet unlock with SDDM at login, ensure Brave uses KWallet, add autostart for kwalletd5, and refactor some inline configuration into modules (power, kwallet). The PR should apply changes to hosts/nixos/configuration.nix and hosts/nixos/home.nix, add two modules under modules/nixos (power.nix and kwallet.nix), and ensure Brave desktop launcher points to the existing ~/.local/bin/brave wrapper and kwalletd5 starts automatically for graphical sessions.

Goals

  • Ensure pam_kwallet5 can use the login password by reordering PAM entries for SDDM.
  • Start kwalletd5 automatically when a user logs into a graphical session (X/Wayland) via an XDG autostart desktop entry.
  • Make the Brave GUI launcher use the existing ~/.local/bin/brave wrapper (which passes --password-store=kwallet).
  • Factor the TLP / power management block into modules/nixos/power.nix.
  • Move SDDM pam/kwallet-related configuration into modules/nixos/kwallet.nix and import it from hosts/nixos/configuration.nix.

Files to change

  1. hosts/nixos/configuration.nix
  • Import the two new modules and remove the inline blocks for services.tlp and the SDDM PAM environment. Replace the existing pam-block and tlp block with module imports.

Replace or add the imports section (near the top imports array) to include the new modules. Example snippet to insert into the imports list:

```nix
../../modules/nixos/power.nix
../../modules/nixos/kwallet.nix
```

Remove or comment out the old inline services.tlp = { ... } block and the inline environment.etc."pam.d/sddm".text block. The new modules will set the same options.

  2. modules/nixos/power.nix (new file)
  • Create a module that configures TLP and any power-related settings previously in configuration.nix.

```nix
{ config, pkgs, lib, ... }:

{
  # services.tlp is already declared by the NixOS TLP module, so this module
  # only sets values under config and declares no options of its own.
  config = {
    services.tlp = {
      enable = true;
      settings = {
        CPU_SCALING_GOVERNOR_ON_AC = "performance";
        CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
        CPU_ENERGY_PERF_POLICY_ON_BAT = "power";
        CPU_ENERGY_PERF_POLICY_ON_AC = "balance_performance";
        CPU_MIN_PERF_ON_AC = 0;
        CPU_MAX_PERF_ON_AC = 100;
        CPU_MIN_PERF_ON_BAT = 0;
        CPU_MAX_PERF_ON_BAT = 20;
      };
    };
  };
}
```

(If you prefer a more minimal module, we can simply export the exact services.tlp set as config.services.tlp.)

  3. modules/nixos/kwallet.nix (new file)
  • Create a module that ensures kwallet packages are present, sets up the SDDM PAM config with correct ordering, and any kwallet-related system config.

```nix
{ config, pkgs, lib, ... }:

{
  config = {
    # Ensure kwallet packages are installed system-wide (keeps current behavior).
    # The module system merges list definitions, so only the additions are given
    # here: reading config.environment.systemPackages inside its own definition
    # recurses infinitely, and mkForce would discard other modules' packages.
    environment.systemPackages = lib.concatLists [ (with pkgs; [ kdePackages.kwallet kdePackages.kwallet-pam ]) ];

    # SDDM PAM: put pam_unix before pam_kwallet5 so try_first_pass works
    environment.etc."pam.d/sddm".text = ''
# This file was generated by your Nix config. If you need to revert, remove this
# environment.etc entry and rebuild. Ensure your login password matches your
# KWallet password before enabling.

# SDDM PAM config with kwallet-pam integration. pam_unix runs first so
# pam_kwallet5 can use try_first_pass.
auth    required    pam_unix.so
auth    optional    pam_kwallet5.so try_first_pass
account required    pam_unix.so
password required   pam_unix.so
session required    pam_unix.so
session optional    pam_kwallet5.so auto_start
'';
  };
}
```

Notes: Because Nix merges environment.systemPackages lists, the module uses lib.concatLists to ensure kdePackages.kwallet and kdePackages.kwallet-pam are present. If this seems heavy-handed we can instead add a comment to leave the existing installs in configuration.nix.

  4. hosts/nixos/home.nix
  • Ensure kwalletd5 autostarts and the Brave desktop entry uses your wrapper (~/.local/bin/brave). The repo already has a brave wrapper in ~/.local/bin; keep it but add autostart and an override desktop file.

Add the following entries in home.file or append them to the existing home.file entries:

```nix
# Autostart kwalletd5
home.file.".config/autostart/kwalletd5.desktop".text = ''
[Desktop Entry]
Type=Application
Exec=/run/current-system/sw/bin/kwalletd5
Hidden=false
X-GNOME-Autostart-enabled=true
Name=KWallet Daemon
Comment=Start KWallet daemon
'';

# Ensure GUI launcher uses wrapper
home.file.".local/share/applications/brave-browser.desktop".text = ''
[Desktop Entry]
Type=Application
Name=Brave Browser
Exec=$HOME/.local/bin/brave %U
Icon=brave
Terminal=false
Categories=Network;WebBrowser;
'';
# No mode is set: home.file has no `mode` option, and the generated file is a
# read-only symlink into the Nix store.
```

Implementation details / rationale

  • pam_kwallet5 needs the user pass...

This pull request was created from Copilot chat.
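
The ordering that the kwallet.nix PAM snippet above depends on (pam_unix.so ahead of pam_kwallet5.so in the auth stack, and a pam_kwallet5.so session rule with auto_start) can be checked mechanically before a rebuild. This is an added example, not code from the pull request or the original prompt; `parse_pam` and `check_kwallet_order` are hypothetical names, and `include` lines are not followed.

```python
# Added example: checks a PAM service file for the ordering used in kwallet.nix.
# parse_pam and check_kwallet_order are hypothetical names, not part of the PR.

def parse_pam(text):
    """Return (type, control, module, args) per rule; skip comments and blanks."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3:
            continue  # blank, comment-only, or too short to be a rule
        kind = fields.pop(0).lstrip("-")  # "-auth" only silences missing-module logs
        control = fields.pop(0)
        while control.startswith("[") and not control.endswith("]") and fields:
            control += " " + fields.pop(0)  # rejoin "[success=1 default=ignore]"
        if not fields:
            continue
        module = fields.pop(0).rsplit("/", 1)[-1]  # tolerate absolute module paths
        rules.append((kind, control, module, fields))
    return rules

def check_kwallet_order(text, wallet="pam_kwallet5.so", collector="pam_unix.so"):
    """Return a list of problems; an empty list means the ordering holds."""
    rules, problems = parse_pam(text), []
    auth = [r[2] for r in rules if r[0] == "auth"]
    if wallet not in auth:
        problems.append("auth: " + wallet + " is not in the stack")
    elif collector not in auth[:auth.index(wallet)]:
        problems.append("auth: " + collector + " must come before " + wallet)
    session = [r for r in rules if r[0] == "session" and r[2] == wallet]
    if not any("auto_start" in r[3] for r in session):
        problems.append("session: no " + wallet + " rule with auto_start")
    return problems

# The stack from kwallet.nix on this page.
PAGE_STACK = """\
auth    required    pam_unix.so
auth    optional    pam_kwallet5.so try_first_pass
account required    pam_unix.so
password required   pam_unix.so
session required    pam_unix.so
session optional    pam_kwallet5.so auto_start
"""

# Constructed counter-example: wallet module runs before the password is collected.
SWAPPED = """\
auth    optional    pam_kwallet5.so try_first_pass
auth    required    pam_unix.so
session optional    pam_kwallet5.so auto_start
"""

if __name__ == "__main__":
    for name, text in (("page", PAGE_STACK), ("swapped", SWAPPED)):
        print(name, check_kwallet_order(text) or "ok")
```

Running it against the deployed /etc/pam.d/sddm after a rebuild shows whether another module's definition of that file won the merge.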

