From dae3f7896f1b289fb613a0f2d7e6f3320cde1a3c Mon Sep 17 00:00:00 2001
From: Ryota
Date: Thu, 29 Jan 2026 20:26:30 +0000
Subject: [PATCH] systemd: fix target handling and script for pcscd

---
 modules/home-manager/sops.nix | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/modules/home-manager/sops.nix b/modules/home-manager/sops.nix
index 725991e..0b93194 100644
--- a/modules/home-manager/sops.nix
+++ b/modules/home-manager/sops.nix
@@ -420,23 +420,30 @@ in
 # Ensure pcscd is available for YubiKey communication.
 # When pcscd.socket is enabled, systemd creates /run/pcscd/pcscd.comm
 # and starts pcscd.service on-demand when the socket is accessed.
-
- for i in $(seq 1 30); do
+
+ i=0
+ while [ $i -lt 30 ]; do
 # Check if the pcscd socket file exists - this is the most reliable check
 # and doesn't require D-Bus access
 if [ -e /run/pcscd/pcscd.comm ]; then
 exit 0
 fi
 sleep 0.2
+ i=$((i + 1))
 done
-
+
 echo "Warning: pcscd socket not found at /run/pcscd/pcscd.comm" >&2
 echo "YubiKey decryption may fail. Ensure services.pcscd.enable = true" >&2
 ''}"
 ];
 };
 Install.WantedBy =
- if cfg.gnupg.home != null then [ "graphical-session-pre.target" ] else [ "default.target" ];
+ # When pcscd is required, we need to wait for the graphical session to be active
+ # so that polkit recognizes it as an active session and allows pcscd access.
+ # Otherwise, we run at default.target for faster boot times.
+ if cfg.gnupg.home != null || cfg.age.requirePcscd
+ then [ "graphical-session-pre.target" ]
+ else [ "default.target" ];
 };
 
 # Darwin: load secrets once on login
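Review bot: With `cfg.age.requirePcscd` set, the new `Install.WantedBy` expression pulls the unit in only through `graphical-session-pre.target`, so on a login that never starts a graphical session (SSH, a plain TTY) the unit would not be started and the secrets would stay undecrypted without any error. The added comment describes this as waiting for the graphical session to be active, but `WantedBy` only attaches the unit to that target, which is reached before `graphical-session.target`; whether polkit already treats the session as active at that point is not something the hunk establishes. I would state the limitation in the comment, e.g. `# Not started on logins without a graphical session (SSH/TTY); start the unit manually there.`, and confirm the polkit assumption on a real login. The unit definition begins above the hunk, so any existing `After=`/`Wants=` ordering is not visible here.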