From 670f21526cae8c1d3c0a2e875fcb489b50f521e4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=C3=A4tzold?=
Date: Sun, 29 Mar 2026 12:39:36 +0200
Subject: [PATCH] KWallet-Service Setup introduced
---
 client_software/0010_kwallet/install.sh | 109 ++++++++++++++++++
 client_software/0010_kwallet/kdewallet.kwl | Bin 0 -> 148 bytes
 client_software/0010_kwallet/kdewallet.salt | 1 +
 client_software/0010_kwallet/kwalletrc | 15 +++
 .../0010_kwallet/qbus_wallet_exec.sh | 43 +++++++
 system_setup/logon_script.sh | 10 +-
 system_setup/sync_client_software.sh | 2 +
 7 files changed, 176 insertions(+), 4 deletions(-)
 create mode 100755 client_software/0010_kwallet/install.sh
 create mode 100644 client_software/0010_kwallet/kdewallet.kwl
 create mode 100644 client_software/0010_kwallet/kdewallet.salt
 create mode 100644 client_software/0010_kwallet/kwalletrc
 create mode 100755 client_software/0010_kwallet/qbus_wallet_exec.sh
diff --git a/client_software/0010_kwallet/install.sh b/client_software/0010_kwallet/install.sh
new file mode 100755
index 0000000..782b4e5
--- /dev/null
+++ b/client_software/0010_kwallet/install.sh
@@ -0,0 +1,109 @@
+#!/usr/bin/env sh
+# SPDX-FileCopyrightText: Daniel Pätzold
+# SPDX-License-Identifier: AGPL-3.0-or-later
+#
+# Kwallet Setup to Secure Directory
+#
+# Kwallet will be used for storing passwords for most KDE- Applications, like for Nextcloud- Client, Talk app and many more.
+# Usually Kwallet will ask for a password to have good security in your encrypted file, but this will make Logon non Interactive and is annoying for the user.
+# Or, even worse, the first time you logon, the wallet will be created with your current password. But when it changes on the Domain, after new logon you will be asked
+# and you must enter the OLD password, breaking all apps, that are needing password if the old password was lost. This is a very bad situation.
+# Instead we will check to have the Passwords opened without a seperate password set, but to have them encrypted at a secure place by the domain-encryption.
+#
+# Basically, this script checks, if the Walletfile can be used without password and if it is located in the encrypted directory for security.
+# Otherwise it will setup a the Walletfile into the encrypted Data-Directory and make it useable.
+#
+echo "Setup KWallet Password- Service."
+
+#Check for root
+if [ "$EUID" -ne 0 ]; then
+ echo "Error: Script requires root. Please check if ${SCRIPTPATH}/${SCRIPTNAME} is in sudoers rules and if you are a member. And if executed via sudo."
+ exit 1
+fi
+
+#Check Token
+if [ "${DAVTOKEN_USER}." == "." ]; then
+ echo "Error: Script cannot be executed standalone and needs a prereserved Environment. Quit."
+ exit 1
+fi
+
+#Local Vars
+#SYNCCMD="$BASECMD --userid ${DAVTOKEN_USER} --apppassword ${DAVTOKEN_PASS} --localdirpath ${CLIENT_DATA_DST} --remotedirpath ${CLIENT_DATA_SRC} --serverurl https://${SERVERFQDN_NC}"
+#SYNCCMD_HIDDENPW=$( echo "${SYNCCMD/${DAVTOKEN_PASS}/***HIDDEN***}" )
+WALLETNAME="kdewallet"
+WALLETFILE="${WALLETNAME}.kwl"
+WALLETPATH="${DECRYPTEDDATADIR}/kwallet"
+WALLETPATH_CFG="$SUDO_HOME/.local/share/kwalletd"
+
+# At the start of this script, the local wallet-directory should be empty and the encrpted directory should be mount to that path
+# if thats not the case, will will move the files an configure them
+
+# Stop the daemon anyway if running
+WALLET_PID=$( pgrep -u $USER kwalletd6 )
+if [[ ! -z ${WALLET_PID} ]]; then
+ kill ${WALLET_PID} && sleep 0.5
+ if [[ $? -ne 0 ]]; then
+ echo "Kwallet Service could not be stopped, please check why."
+ exit 1
+ fi
+fi
+
+#Check for existing legacy wallets: should be empty. Otherwise: move them.
+umount ${WALLETPATH_CFG} >/dev/null 2>&1
+PATTERN=(${WALLETPATH_CFG}/*.kwl)
+if [ -f ${PATTERN[0]} ]; then
+ mv ${WALLETPATH_CFG}/*.* ${WALLETPATH}
+ if [[ $? -ne 0 ]]; then
+ echo "Legacy wallets could not be moved, please do that manually:"
+ echo "Move ${WALLETPATH_CFG}/*.kwl to ${WALLETPATH}"
+ exit 1
+ fi
+else
+ echo "Found no legacy Files in ${WALLETPATH_CFG}, no migration needed."
+fi
+
+#Always restore configuration with defaults
+cp -f kwalletrc $HOME/.config/
+
+#Bind mount secure folder to wallet directory
+echo "Mounting secure ${WALLETPATH} to wallet-directory ${WALLETPATH_CFG}"
+mount --bind ${WALLETPATH} ${WALLETPATH_CFG}
+if [[ $? -ne 0 ]]; then
+ echo "Error bind mounting secure Files to Wallet. Please check what went wrong."
+ exit 1
+fi
+
+PATTERN=(${WALLETPATH_CFG}/${WALLETNAME}.kwl)
+if [ ! -f ${PATTERN[0]} ]; then
+ echo "Wallet ${WALLETNAME} was not found, setting it up from scratch."
+ cp kdewallet.* ${WALLETPATH}
+ if [[ $?
-ne 0 ]]; then
+ echo "Error: Copy of files for Wallet ${WALLETNAME} failed."
+ exit 1
+ fi
+fi
+
+#Restart the service
+su -c 'nohup kwalletd6 >/dev/null 2>&1 &' $SUDO_USER
+sleep 1
+
+#Check if kwalletd is enabled now
+su -c "$(dirname $0)/qbus_wallet_exec.sh reconfigure" $SUDO_USER
+QB_RESULT=$( su -c "$(dirname $0)/qbus_wallet_exec.sh isEnabled 2>/dev/null || true" $SUDO_USER )
+if [[ "$QB_RESULT" != "true" ]]; then
+ echo "Error checking if kWallet service is activated. Cannot continue. Return of Check was:"
+ echo "$QB_RESULT"
+ exit 1
+fi
+
+#It should be possible to open the wallet without having to enter the password now.
+echo "Checking if Wallet can be opened by the user. The Program should not ask for a password, maybe for confirmation to access the wallet which is ok."
+echo "Please check to NOT have any Password asked now - if so, open kwalletmanager and change the password for wallet ${WALLETNAME} to nothing (by entering nothing when asked for new password)!"
+WALLETAPPID="sys_config_wallet_script"
+QB_RESULT=$( su -c "$(dirname $0)/qbus_wallet_exec.sh open ${WALLETNAME} 0 $WALLETAPPID" $SUDO_USER )
+if [[ $? -ne 0 ]]; then
+ echo "Some Error opening Wallet ${WALLETNAME}. Please check."
+ exit 1
+fi
+echo "Sucessfully opened Wallet ${WALLETNAME} with ID ${QB_RESULT}."
+exit 0
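Review bot: The script is declared `#!/usr/bin/env sh` but depends on bash-only features — `$EUID`, `[[ … ]]` and the `PATTERN=(…)` array globs — so under a POSIX `sh` such as dash the root check compares an empty string and the wallet-detection lines are syntax errors; change the shebang to `#!/usr/bin/env bash`. Under sudo, `$USER` and `$HOME` belong to root, so `pgrep -u $USER kwalletd6` never finds the logged-on user's daemon and `cp -f kwalletrc $HOME/.config/` writes into root's home rather than beside `WALLETPATH_CFG`, which the script correctly derives from `$SUDO_HOME`; both `cp` calls also resolve `kwalletrc`/`kdewallet.*` relative to the caller's cwd instead of `$(dirname $0)` as done for `qbus_wallet_exec.sh`, and they leave the copied wallet and config owned by root, which kwalletd6 running as `$SUDO_USER` then cannot rewrite. `DECRYPTEDDATADIR` reaches this root-executed script through the caller's environment (the logon script invokes it with `sudo --preserve-env` under a `setenv` rule), so the bind-mount source and the `mv` destination are effectively chosen by the unprivileged user; before mounting, verify it is an existing directory owned by `$SUDO_USER`. Since the wallet is deliberately opened without a password, a comment such as `# Wallet contents are protected only by the encrypted directory bind-mounted here, not by KWallet's own encryption` should make that trust boundary explicit.
```shell
#!/usr/bin/env bash
# … unchanged: header comments, root and token checks …
SCRIPTDIR=$(dirname "$0")
WALLETPATH="${DECRYPTEDDATADIR}/kwallet"
WALLETPATH_CFG="$SUDO_HOME/.local/share/kwalletd"
# DECRYPTEDDATADIR comes from the unprivileged caller's environment: only act on the user's own directory
if [[ ! -d "${WALLETPATH}" || "$(stat -L -c %U "${WALLETPATH}")" != "${SUDO_USER}" ]]; then
  echo "Error: ${WALLETPATH} is not a directory owned by ${SUDO_USER}. Quit."
  exit 1
fi
# Look for the logged-on user's daemon, not root's
WALLET_PID=$( pgrep -u "${SUDO_USER}" kwalletd6 )
# … unchanged: stop daemon, legacy-wallet migration …
cp -f "${SCRIPTDIR}/kwalletrc" "${SUDO_HOME}/.config/"
chown "${SUDO_USER}" "${SUDO_HOME}/.config/kwalletrc"
# … unchanged: bind mount and wallet-file check …
  cp "${SCRIPTDIR}"/kdewallet.* "${WALLETPATH}"
  chown "${SUDO_USER}" "${WALLETPATH}"/kdewallet.*
# … unchanged: daemon restart and qdbus checks …
```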
diff --git a/client_software/0010_kwallet/kdewallet.kwl b/client_software/0010_kwallet/kdewallet.kwl new file mode 100644 index 0000000000000000000000000000000000000000..955ea1a757d6b2a3cb9ab2ec075b25fbb51fe39a GIT binary patch literal 148 zcmV;F0BiqCS3yinMN|q601XNN0RsX60008)RiDU}=*)NT3{7v}^}Wjg0002tj^=VQ zR8evXJm6EVoh)+z0002nzM2jaB0Oi!S5>VM4&4Z4TZyHePGJ~MbCDSi!hv>-zKeoE z)O{$)$3ua7/dev/null 2>&1; then + QB_CMD="qdbus" + if ! command -v ${QB_CMD} >/dev/null 2>&1; then + echo "qdbus-qt6 or qdbus not found; cannot create KWallet via DBus. Install Qt DBus tools." + exit 1 + fi +fi + +# Determine kwallet DBus service name (kwalletd6 on Plasma with KF6, else kwalletd5) +QB_SERVICE="org.kde.kwalletd" +if ( ${QB_CMD} "$QB_SERVICE" | grep -q "/modules/kwalletd6" ); then + QB_PATH="/modules/kwalletd6" +elif ( qdbus-qt6 "$QB_SERVICE" | grep -q "/modules/kwalletd5" ); then + QB_PATH="/modules/kwalletd5" +else + # Try calling directly — system may expose the service as org.kde.KWallet + QB_SERVICE="org.kde.KWallet" + QB_PATH=$( ${QB_CMD} "$QB_SERVICE" | grep -q "/modules/kwalletd" ) +fi + +#Now, run the command +${QB_CMD} "$QB_SERVICE" "$QB_PATH" $@ +exit $? + +#Check if kwalletd is enabled +${QB_CMD} "$QB_SERVICE" "$QB_PATH" reconfigure +QB_RESULT=$( ${QB_CMD} "$QB_SERVICE" "$QB_PATH" isEnabled 2>/dev/null || true) +if [[ "$QB_RESULT" != "true" ]]; then + echo "Error checking if kWallet service is activated. Cannot continue. Return of Check was:" + echo "$QB_RESULT" + exit 1 +fi + diff --git a/system_setup/logon_script.sh b/system_setup/logon_script.sh index 97cf020..7a7e920 100755 --- a/system_setup/logon_script.sh +++ b/system_setup/logon_script.sh 
@@ -72,11 +72,13 @@ elog_add "Check the matching client rule:"
 elog_add_command_subshell "/usr/bin/sudo -n -l -l ${SYSCONFIGPATH}/system_setup/sync_client_software.sh"
 if [[ $RETNO -ne 0 ]]; then
 elog_add "Error was no $RETNO"
- elog_add "No matching IPA rule found for this user, so the user is not allowed to install software, skipping this."
- elog_add "If you want to change: Please check the sudo rules in ipa and your group membership."
+ elog_add "No matching IPA sudo rule found for the setup- script of this user, so the user is not allowed to run software setup."
+ elog_add "This will not work, because necessary steps cannot be executed."
+ elog_add "Please check the sudo rules in ipa and your group membership to make this work."
 elog_add "Hint: the rule must contain the !authenticate and setenv option to work."
 elog_add "A matching sudo rule could look like this: "'^'${SYSCONFIGPATH////'\/'}'\/system_setup\/sync_client_software\.sh.*$'
- elog_add "Skipping SW Install."
+ elog_add "Skipping SW setup."
+ echo "Press any key to continue" && read -n 1 -s -r && exit 1
 else
 # Check, if the rule is with Option !authenticate
 if [[ $RETTXT != *"!authenticate"* ]]; then
@@ -88,7 +90,7 @@ else
 # Rule seems to be ok, executing script
 elog_add "Matching Sudo rule found."
 elog_add ""
- elog_add "Running client software install..."
+ elog_add "Running client software sync..."
 elog_add_command "/usr/bin/sudo -n --preserve-env ${SYSCONFIGPATH}/system_setup/sync_client_software.sh install $1"
 #ERRTXT=$( { /usr/bin/sudo -n --preserve-env ${SYSCONFIGPATH}/system_setup/sync_client_software.sh install > >(tee -a ${LOGFILE}); } 2>&1 )
 #ERR=$?
diff --git a/system_setup/sync_client_software.sh b/system_setup/sync_client_software.sh
index 072448f..e7d9492 100755
--- a/system_setup/sync_client_software.sh
+++ b/system_setup/sync_client_software.sh
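Review bot: The added `echo "Press any key to continue" && read -n 1 -s -r && exit 1` only exits when `read` succeeds; if the logon script runs without an interactive stdin (EOF or no terminal), `read` fails, `exit 1` is skipped and execution continues past the `if`/`else` despite the preceding "This will not work" message. Separate the exit from the prompt, e.g. `echo "Press any key to continue"; read -n 1 -s -r; exit 1`, so the fatal path is unconditional. The prompt is also the only message in this branch that bypasses `elog_add`, so it will not reach the log; routing it through the same helper keeps the record complete. The enclosing `if`/`else` continues outside the hunk.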
@@ -71,6 +71,8 @@ if [ -f "${CLIENT_SOFTWARE_DST}/install.sh" ]; then
 chmod u+x "${CLIENT_SOFTWARE_DST}/install.sh"
 fi
 echo "Sucessfully synced."
+#Run Software setup
+echo "Running Setup of Software"
 if [ $1 == "install" ]; then
 ${CLIENT_SOFTWARE_DST}/install.sh $2
 if [ $? -ne 0 ]; then