From eef4d78cb37678070f9afe8ed1e15b65109804af Mon Sep 17 00:00:00 2001
From: Evan Reichard
Date: Mon, 27 Apr 2026 23:02:22 -0400
Subject: [PATCH] feat(home): add pass-backed keyring module and enable for work VM
- Add modules/home/security/pass-keyring with GPG agent, pass, and python keyring backend config for headless credential storage
- Enable pass-keyring for lin-va-mbp-work-vm
- Update bash PATH from ~/.bin to ~/.local/bin
---
 .../default.nix | 1 +
 .../home/programs/terminal/bash/default.nix | 2 +-
 .../home/security/pass-keyring/default.nix | 40 +++++++++++++++++++
 3 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 modules/home/security/pass-keyring/default.nix
diff --git a/homes/aarch64-linux/evanreichard@lin-va-mbp-work-vm/default.nix b/homes/aarch64-linux/evanreichard@lin-va-mbp-work-vm/default.nix
index f28ac82..ba0de49 100755
--- a/homes/aarch64-linux/evanreichard@lin-va-mbp-work-vm/default.nix
+++ b/homes/aarch64-linux/evanreichard@lin-va-mbp-work-vm/default.nix
@@ -20,6 +20,7 @@ in
 };
 security = {
+ pass-keyring = enabled;
 sops = enabled;
 };
diff --git a/modules/home/programs/terminal/bash/default.nix b/modules/home/programs/terminal/bash/default.nix
index 70dc5ea..cd92db7 100755
--- a/modules/home/programs/terminal/bash/default.nix
+++ b/modules/home/programs/terminal/bash/default.nix
@@ -34,7 +34,7 @@ in
 profileExtra = ''
 export COLORTERM=truecolor SHELL="$BASH"
- PATH=~/.bin:$PATH
+ PATH=~/.local/bin:$PATH
 bind "set show-mode-in-prompt on"
 set -o vi || true
diff --git a/modules/home/security/pass-keyring/default.nix b/modules/home/security/pass-keyring/default.nix
new file mode 100644
index 0000000..a632442
--- /dev/null
+++ b/modules/home/security/pass-keyring/default.nix
@@ -0,0 +1,40 @@
+{ config
+, lib
+, namespace
+, pkgs
+, ...
+}:
+let
+ inherit (lib) mkIf mkEnableOption;
+
+ cfg = config.${namespace}.security.pass-keyring;
+in
+{
+ options.${namespace}.security.pass-keyring = {
+ enable = mkEnableOption "Enable pass-backed keyring";
+ };
+
+ config = mkIf cfg.enable {
+ home.packages = [ pkgs.pass ];
+
+ # GPG + Pass Keyring - Provides credential storage for CLI
+ # tools (e.g. python keyring) via pass (GPG-backed). The
+ # keyringrc.cfg forces keyring to use the pass backend instead
+ # of SecretService (which requires a working D-Bus provider).
+ programs.gpg.enable = true;
+ services.gpg-agent = {
+ enable = true;
+ enableBashIntegration = true;
+ pinentry.package = pkgs.pinentry-curses;
+ defaultCacheTtl = 86400; # 24 hours
+ maxCacheTtl = 604800; # 7 days
+ };
+
+ # Keyring Backend Config - Forces keyring to use the pass
+ # backend instead of SecretService (broken on headless Linux).
+ xdg.configFile."python_keyring/keyringrc.cfg".text = ''
+ [backend]
+ default-keyring=keyring_pass.PasswordStoreBackend
+ '';
+ };
+}
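Review bot: The gpg-agent cache settings `defaultCacheTtl = 86400;` / `maxCacheTtl = 604800;` keep the key that protects the entire pass store unlocked for up to seven days, so during that window any process running as this user (or anything that reaches the agent socket) can read every stored credential without a pinentry prompt; if that trade-off is deliberate for the headless VM, state it in the comment above the block, otherwise a window of hours rather than days limits what a compromised session can pull from the keyring. The `keyringrc.cfg` points keyring at `keyring_pass.PasswordStoreBackend`, but this module only installs `pkgs.pass`; unless the keyring-pass Python package is provided elsewhere in the config, keyring will most likely fail when loading the configured backend rather than silently use pass, so either add that dependency here or note where it comes from. Minor: `mkEnableOption` already prefixes "Whether to enable", so `enable = mkEnableOption "pass-backed keyring";` avoids the doubled "Whether to enable Enable …" in the generated option description.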