nixos/gcr-ssh-agent: init

Co-authored-by: lilyinstarlight <lily@lily.flowers>

doc/release-notes/rl-2511.section.md

@@ -17,6 +17,8 @@
 
 - `base16-builder` node package has been removed due to lack of upstream maintenance.
 
+- `gnome-keyring` no longer ships with an SSH agent anymore because it has been deprecated upstream. You should use `gcr_4` instead, which provides the same features. More information on why this was done can be found on [the relevant GCR upstream PR](https://gitlab.gnome.org/GNOME/gcr/-/merge_requests/67).
+
 ## Other Notable Changes {#sec-nixpkgs-release-25.11-notable-changes}
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

nixos/doc/manual/release-notes/rl-2511.section.md

@@ -38,3 +38,5 @@
 
 - `amdgpu` kernel driver overdrive mode can now be enabled by setting [hardware.amdgpu.overdrive.enable](#opt-hardware.amdgpu.overdrive.enable) and customized through [hardware.amdgpu.overdrive.ppfeaturemask](#opt-hardware.amdgpu.overdrive.ppfeaturemask).
   This allows for fine-grained control over the GPU's performance and maybe required by overclocking softwares like Corectrl and Lact. These new options replace old options such as {option}`programs.corectrl.gpuOverclock.enable` and {option}`programs.tuxclocker.enableAMD`.
+
+- [](#opt-services.gnome.gnome-keyring.enable) does not ship with an SSH agent anymore, as this is now handled by the `gcr_4` package instead of `gnome-keyring`. A new module has been added to support this, under [](#opt-services.gnome.gcr-ssh-agent.enable) (its default value has been set to [](#opt-services.gnome.gnome-keyring.enable) to ensure a smooth transition). See the [relevant upstream PR](https://gitlab.gnome.org/GNOME/gcr/-/merge_requests/67) for more details.

nixos/modules/module-list.nix

@@ -547,6 +547,7 @@
   ./services/desktops/geoclue2.nix
   ./services/desktops/gnome/at-spi2-core.nix
   ./services/desktops/gnome/evolution-data-server.nix
+  ./services/desktops/gnome/gcr-ssh-agent.nix
   ./services/desktops/gnome/glib-networking.nix
   ./services/desktops/gnome/gnome-browser-connector.nix
   ./services/desktops/gnome/gnome-initial-setup.nix

nixos/modules/services/desktops/gnome/gcr-ssh-agent.nix

@@ -0,0 +1,49 @@
+{
+  config,
+  options,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  cfg = config.services.gnome.gcr-ssh-agent;
+  opts = options.services.gnome.gcr-ssh-agent;
+  sshCfg = config.programs.ssh;
+  sshOpts = options.programs.ssh;
+in
+{
+  meta = {
+    maintainers = lib.teams.gnome.members;
+  };
+
+  options = {
+    services.gnome.gcr-ssh-agent = {
+      enable = lib.mkOption {
+        default = config.services.gnome.gnome-keyring.enable;
+        defaultText = lib.literalExpression "config.services.gnome.gnome-keyring.enable";
+        example = true;
+        description = "Whether to enable GCR SSH agent.";
+        type = lib.types.bool;
+      };
+
+      package = lib.mkPackageOption pkgs "GCR" {
+        default = [ "gcr_4" ];
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    assertions = lib.singleton {
+      assertion = !sshCfg.startAgent;
+      message = ''
+        `${sshOpts.startAgent}' (defined in ${lib.showFiles sshOpts.startAgent.files}) and `${opts.enable}' (defined in ${lib.showFiles opts.enable.files}) cannot both be enabled at the same time.
+        These options conflict because only one SSH agent can be installed at a time.'';
+    };
+
+    systemd = {
+      packages = [ cfg.package ];
+      user.services.gcr-ssh-agent.wantedBy = [ "default.target" ];
+      user.sockets.gcr-ssh-agent.wantedBy = [ "sockets.target" ];
+    };
+  };
+}