kwallet: unmount bind mount cleanly on session logout

Switch kwalletd6-logon from --scope to a transient service with RemainAfterExit=yes (kwalletd6 forks to background, so the service must stay active after the main process exits). ExecStop runs 'sudo umount -l' to detach the wallet bind mount before gocryptfs unmounts ~/data (Before=gocryptfs-home.service ordering). install.sh adds a per-user sudoers drop-in so the user service can call umount as root without a password. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Merge pull request 'gitignore: removed files in client_software' (#31 ) from unbrot/fedora-OEMDRV:main into main
2026-05-11 11:07:01 +02:00 · 2026-05-08 18:59:24 +02:00 · 2026-05-08 17:11:23 +02:00
2 changed files with 14 additions and 1 deletions
@@ -125,4 +125,12 @@ if [[ $? -ne 0 ]]; then
  exit 1
 fi
 echo "Done setting up kwallet from secure user folder."
+
+# Sudoers rule so kwalletd6-logon.service ExecStop can unmount the bind mount (needs root)
+# Filename must not contain '.' or end in '~' or sudo ignores it
+_SUDOUSER_SAFE=$(printf '%s' "${SUDO_USER}" | tr -dc 'a-zA-Z0-9_-')
+printf '%s ALL=(root) NOPASSWD: /usr/bin/umount -l %s\n' "${SUDO_USER}" "${WALLETPATH_CFG}" \
+    > "/etc/sudoers.d/kwallet-umount-${_SUDOUSER_SAFE}"
+chmod 440 "/etc/sudoers.d/kwallet-umount-${_SUDOUSER_SAFE}"
+
 exit 0
@@ -18,7 +18,12 @@ if [[ -z $(wmctrl -m | grep "KWin") ]]; then
 fi

 #Restart the service
-systemd-run --user --scope --unit=kwalletd6-logon kwalletd6 >${TEMPDIR}/kwalletd6.log 2>&1 &
+WALLETPATH_CFG="${HOME}/.local/share/kwalletd"
+systemd-run --user --unit=kwalletd6-logon \
+    --property=RemainAfterExit=yes \
+    --property=Before=gocryptfs-home.service \
+    --property="ExecStop=/usr/bin/sudo /usr/bin/umount -l ${WALLETPATH_CFG}" \
+    kwalletd6 >${TEMPDIR}/kwalletd6.log 2>&1 &
 sleep 1

 #Check if kwalletd is enabled now