diff --git a/modules/secrets.nix b/modules/secrets.nix
index eda5a16..d84af6c 100755
--- a/modules/secrets.nix
+++ b/modules/secrets.nix
@@ -45,6 +45,26 @@ let
     };
   };
 
+  activate-secrets = pkgs.writeShellScriptBin "activate-secrets" ''
+    set -euo pipefail
+    # Make sure card is available and unlocked
+    echo fetch | gpg --card-edit --no-tty --command-fd=0
+    ${pkgs.gnupg}/bin/gpg --card-status
+    export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
+    if [ -d "${password-store}/.git" ]; then
+      cd "${password-store}"; ${pkgs.git}/bin/git pull
+    else
+      ${pkgs.git}/bin/git clone ${
+        lib.escapeShellArg config.secretsConfig.repo
+      } "${password-store}"
+    fi
+    ln -sf ${
+      pkgs.writeShellScript "push" "${pkgs.git}/bin/git push origin master"
+    } "${password-store}/.git/hooks/post-commit"
+    cat ${password-store}/email/balsoft@balsoft.ru.gpg | ${pkgs.gnupg}/bin/gpg --decrypt > /dev/null
+    sudo systemctl restart ${allServices}
+  '';
+
   decrypt = name: cfg:
     with cfg; {
       "${name}-secrets" = rec {
@@ -111,25 +131,6 @@ in {
   config.systemd.services =
     mkMerge (concatLists (mapAttrsToList mkServices config.secrets));
 
-  config.environment.systemPackages = [
-    (pkgs.writeShellScriptBin "activate-secrets" ''
-      set -euo pipefail
-      # Make sure card is available and unlocked
-      echo fetch | gpg --card-edit --no-tty --command-fd=0
-      ${pkgs.gnupg}/bin/gpg --card-status
-      if [ -d "${password-store}/.git" ]; then
-        cd "${password-store}"; ${pkgs.git}/bin/git pull
-      else
-        ${pkgs.git}/bin/git clone ${lib.escapeShellArg config.secretsConfig.repo} "${password-store}"
-      fi
-      ln -sf ${
-        pkgs.writeShellScript "push" "${pkgs.git}/bin/git push origin master"
-      } "${password-store}/.git/hooks/post-commit"
-      cat ${password-store}/email/balsoft@balsoft.ru.gpg | ${pkgs.gnupg}/bin/gpg --decrypt > /dev/null
-      sudo systemctl restart ${allServices}
-    '')
-  ];
-
   config.security.sudo.extraRules = [{
     users = [ "balsoft" ];
     commands = [{
@@ -138,12 +139,18 @@ in {
     }];
   }];
 
-  config.persist.derivative.directories =
-    [ "/var/secrets" password-store ];
+  config.persist.derivative.directories = [ "/var/secrets" password-store ];
 
   config.home-manager.users.balsoft = {
-    wayland.windowManager.sway = {
-      config.startup = [{ command = "activate-secrets"; }];
+    systemd.user.services.activate-secrets = {
+      Service = {
+        ExecStart = "${activate-secrets}/bin/activate-secrets";
+        Type = "oneshot";
+      };
+      Unit = {
+        PartOf = [ "graphical-session-pre.target" ];
+      };
+      Install.WantedBy = [ "graphical-session-pre.target" ];
     };
     programs.password-store = {
       enable = true;
diff --git a/profiles/applications/emacs/default.nix b/profiles/applications/emacs/default.nix
index 2d8cecf..05049cb 100644
--- a/profiles/applications/emacs/default.nix
+++ b/profiles/applications/emacs/default.nix
@@ -92,8 +92,8 @@ in {
         Environment =
           "PATH=/run/current-system/sw/bin:/etc/profiles/per-user/balsoft/bin";
       };
+      Unit.After = [ "sway-session.target" ];
       Install = {
-        After = [ "sway-session.target" ];
         WantedBy = lib.mkForce [ "sway-session.target" ];
       };
     };
diff --git a/profiles/workspace/gnome3/default.nix b/profiles/workspace/gnome3/default.nix
index a6f1616..b1d9a7d 100644
--- a/profiles/workspace/gnome3/default.nix
+++ b/profiles/workspace/gnome3/default.nix
@@ -8,6 +8,7 @@
     tracker-miners.enable = true;
     gnome-settings-daemon.enable = true;
     glib-networking.enable = true;
+    # pass-secret-service is used instead
     gnome-keyring.enable = true;
     gnome-online-accounts.enable = true;
     gnome-online-miners.enable = true;
@@ -40,6 +41,18 @@
   home-manager.users.balsoft = {
     services.pass-secret-service.enable = true;
 
+    systemd.user.services.pass-secret-service = {
+      Service = {
+        Type = "dbus";
+        BusName = "org.freedesktop.secrets";
+      };
+      Unit = rec {
+        Wants = [ "gpg-agent.service" "activate-secrets.service" ];
+        After = Wants;
+        PartOf = [ "graphical-session-pre.target" ];
+      };
+    };
+
     home.activation.gnome = ''
       $DRY_RUN_CMD mkdir -p "$XDG_CONFIG_HOME/goa-1.0"
       $DRY_RUN_CMD ln -sf ${
diff --git a/profiles/workspace/sway/default.nix b/profiles/workspace/sway/default.nix
index 204fa58..49366c1 100755
--- a/profiles/workspace/sway/default.nix
+++ b/profiles/workspace/sway/default.nix
@@ -22,7 +22,12 @@ in {
 
   users.users.balsoft.extraGroups = [ "sway" ];
 
-  environment.loginShellInit = lib.mkAfter ''[[ "$(tty)" == /dev/tty1 ]] && sway'';
+  environment.loginShellInit = lib.mkAfter ''
+    [[ "$(tty)" == /dev/tty1 ]] && {
+      pass unlock
+      sway
+    }
+  '';
 
   home-manager.users.balsoft.wayland.windowManager.sway = {
     enable = true;