refactor: use systemd.tmpfiles for GNOME Keyring, simplify reset scripts

Agent-Logs-Url: https://github.com/naturallaw777/staging_alpha/sessions/71dab9c7-081f-4e45-80c2-080e88ae6207

Co-authored-by: naturallaw777 <99053422+naturallaw777@users.noreply.github.com>

modules/credentials.nix

@@ -33,10 +33,8 @@ let
     echo "$NEW_PASS" > "$SECRET_FILE"
     chmod 600 "$SECRET_FILE"
     echo "Password for 'free' updated and saved."
-    # Delete the old GNOME Keyring so it is recreated with the new password on next GDM login.
-    rm -rf /home/free/.local/share/keyrings/*
-    # Recreate the default pointer so PAM knows which keyring to unlock.
-    su - free -c 'echo "login" > ~/.local/share/keyrings/default'
+    # Delete the old GNOME Keyring databases so a fresh one is created on next GDM login.
+    rm -f /home/free/.local/share/keyrings/*.keyring
     echo "GNOME Keyring files cleared — a fresh keyring will be created on next login."
   '';
 in
@@ -184,15 +182,6 @@ in
       echo "$FREE_PASS" > "$SECRET_FILE"
       chmod 600 "$SECRET_FILE"
       echo "free:$FREE_PASS" | chpasswd
-      # Seed the GNOME Keyring default pointer so PAM creates a fresh keyring
-      # on first login without prompting the user.  Guard with -f so we never
-      # overwrite an existing pointer on legacy machines that already have one.
-      su - free -c '
-        mkdir -p ~/.local/share/keyrings
-        if [ ! -f ~/.local/share/keyrings/default ]; then
-          echo "login" > ~/.local/share/keyrings/default
-        fi
-      '
     '';
   };