{ lib, pkgs, ... }:

{
  services.fprintd.enable = true;

  security.pam.services.hyprlock = {
    text = ''
      auth  sufficient  pam_unix.so try_first_pass likeauth nullok
      auth  sufficient  ${pkgs.fprintd}/lib/security/pam_fprintd.so
      auth  include     login
    '';
  };

  security.pam.services.greetd = {
    text = ''
      account required pam_unix.so # unix (order 10900)

      # Authentication management.
      auth sufficient pam_unix.so likeauth nullok try_first_pass # unix (order 11600)
      auth sufficient /nix/store/bz12s6mba297725i9y35p73lvsic8gd3-fprintd-1.94.2/lib/security/pam_fprintd.so # fprintd (order 11400)
      auth required pam_deny.so # deny (order 12400)

      # Password management.
      password sufficient pam_unix.so nullok yescrypt # unix (order 10200)

      # Session management.
      session required pam_env.so conffile=/etc/pam/environment readenv=0 # env (order 10100)
      session required pam_unix.so # unix (order 10200)
      session required pam_loginuid.so # loginuid (order 10300)
      session optional /nix/store/dzp7d4k1d94s1x49p9171mvcsfyxr7bj-systemd-254.6/lib/security/pam_systemd.so # systemd (order 12000)   login
    '';
  };
}