diff --git a/devices/wim/modules/security.nix b/devices/wim/modules/security.nix
index 74a54a3..2bdccf9 100644
--- a/devices/wim/modules/security.nix
+++ b/devices/wim/modules/security.nix
@@ -1,12 +1,19 @@
 {
-  pkgs,
-  lib,
   config,
+  lib,
   ...
 }: let
-  grosshack = config.customPkgs.pam-fprint-grosshack;
-  grosshackSo = "${grosshack}/lib/security/pam_fprintd_grosshack.so";
-  gnomeSo = "${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so";
+  inherit (lib) mkDefault mkBefore;
+  inherit (config.customPkgs) pam-fprint-grosshack;
+
+  pam_fprintd_grosshackSo = "${pam-fprint-grosshack}/lib/security/pam_fprintd_grosshack.so";
+
+  # https://wiki.archlinux.org/title/Fprint#Login_configuration
+  grosshackConf = ''
+    # pam-fprint-grosshack
+    auth		sufficient  	${pam_fprintd_grosshackSo} timeout=99
+    auth		sufficient  	pam_unix.so try_first_pass nullok
+  '';
 in {
   services.fprintd.enable = true;
 
@@ -22,69 +29,10 @@ in {
     Defaults        timestamp_timeout=600
   '';
 
+  # https://stackoverflow.com/a/47041843
   security.pam.services = {
-    # all the changes in /etc/pam.d/*
-    sddm.text = lib.mkBefore ''
-      auth      [success=1 new_authtok_reqd=1 default=ignore]  	pam_unix.so try_first_pass likeauth nullok
-      auth      sufficient    ${pkgs.fprintd}/lib/security/pam_fprintd.so
-    '';
-
-    sudo.text = ''
-      # Account management.
-      auth    sufficient    ${grosshackSo}
-      auth    sufficient    pam_unix.so try_first_pass nullok
-      account required pam_unix.so
-
-      # Authentication management.
-      auth required pam_deny.so
-
-      # Password management.
-      password sufficient pam_unix.so nullok yescrypt
-
-      # Session management.
-      session required pam_env.so conffile=/etc/pam/environment readenv=0
-      session required pam_unix.so
-    '';
-
-    login.text = ''
-      # Account management.
-      account required pam_unix.so
-
-      # Authentication management.
-      auth    sufficient    ${grosshackSo}
-      auth optional pam_unix.so nullok  likeauth
-      auth optional ${gnomeSo}
-      auth    sufficient    pam_unix.so try_first_pass nullok
-      auth required pam_deny.so
-
-      # Password management.
-      password sufficient pam_unix.so nullok yescrypt
-      password optional ${gnomeSo} use_authtok
-
-      # Session management.
-      session required pam_env.so conffile=/etc/pam/environment readenv=0
-      session required pam_unix.so
-      session required pam_loginuid.so
-      session required ${pkgs.pam}/lib/security/pam_lastlog.so silent
-      session optional ${pkgs.systemd}/lib/security/pam_systemd.so
-      session optional ${gnomeSo} auto_start
-    '';
-
-    polkit-1.text = ''
-      # Account management.
-      account required pam_unix.so
-
-      # Authentication management.
-      auth    sufficient    ${grosshackSo}
-      auth    sufficient    pam_unix.so try_first_pass nullok
-      auth required pam_deny.so
-
-      # Password management.
-      password sufficient pam_unix.so nullok yescrypt
-
-      # Session management.
-      session required pam_env.so conffile=/etc/pam/environment readenv=0
-      session required pam_unix.so
-    '';
+    sudo.text = mkDefault(mkBefore grosshackConf);
+    login.text = mkDefault(mkBefore grosshackConf);
+    polkit-1.text = mkDefault(mkBefore grosshackConf);
   };
 }