client_software/0010_kwallet/install.sh

@@ -125,4 +125,12 @@ if [[ $? -ne 0 ]]; then
   exit 1
 fi
 echo "Done setting up kwallet from secure user folder."
+
+# Sudoers rule so kwalletd6-logon.service ExecStop can unmount the bind mount (needs root)
+# Filename must not contain '.' or end in '~' or sudo ignores it
+_SUDOUSER_SAFE=$(printf '%s' "${SUDO_USER}" | tr -dc 'a-zA-Z0-9_-')
+printf '%s ALL=(root) NOPASSWD: /usr/bin/umount -l %s\n' "${SUDO_USER}" "${WALLETPATH_CFG}" \
+    > "/etc/sudoers.d/kwallet-umount-${_SUDOUSER_SAFE}"
+chmod 440 "/etc/sudoers.d/kwallet-umount-${_SUDOUSER_SAFE}"
+
 exit 0

client_software/0010_kwallet/user_run.sh

@@ -18,7 +18,12 @@ if [[ -z $(wmctrl -m | grep "KWin") ]]; then
 fi
 
 #Restart the service
-systemd-run --user --scope --unit=kwalletd6-logon kwalletd6 >${TEMPDIR}/kwalletd6.log 2>&1 &
+WALLETPATH_CFG="${HOME}/.local/share/kwalletd"
+systemd-run --user --unit=kwalletd6-logon \
+    --property=RemainAfterExit=yes \
+    --property=Before=gocryptfs-home.service \
+    --property="ExecStop=/usr/bin/sudo /usr/bin/umount -l ${WALLETPATH_CFG}" \
+    kwalletd6 >${TEMPDIR}/kwalletd6.log 2>&1 &
 sleep 1
 
 #Check if kwalletd is enabled now