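# NixOS module: fingerprint authentication via fprintd, wired into PAM and polkit.
{ config, pkgs, ... }:
{
  # Run the fprintd service that PAM and the enrolment tools talk to.
  services.fprintd.enable = true;

  # Fingerprint at the login prompt is left disabled.
  # security.pam.services.login.fprintAuth = true;

  # Accept a fingerprint for sudo. Every enrolled print then becomes a
  # credential for privilege elevation, so enrolment must be controlled
  # (see the polkit rule below).
  security.pam.services.sudo.fprintAuth = true;

  # If you use swaylock and want fingerprint auth for it:
  security.pam.services.swaylock.fprintAuth = true;

  # Polkit rule for fprintd actions requested from a local, active session.
  # Read-only actions (verify, list) are allowed outright. Actions that change
  # the enrolled set (enroll, delete) require the user to re-authenticate,
  # because an enrolled print is accepted by the PAM services above; whoever
  # is at an unlocked session should not be able to add one silently.
  # The rule does not mention net.reactivated.fprint.device.setusername, so
  # acting on another user's prints stays under the default policy.
  # NOTE(review): confirm with `pkaction` that the .delete and .list ids are
  # shipped by the installed fprintd policy; a rule for an unknown id never matches.
  security.polkit.extraConfig = ''
    polkit.addRule(function(action, subject) {
      // Remote or inactive sessions fall through to the default policy.
      if (!(subject.active && subject.local)) {
        return polkit.Result.NOT_HANDLED;
      }

      switch (action.id) {
        case "net.reactivated.fprint.device.verify":
        case "net.reactivated.fprint.device.list":
          return polkit.Result.YES;

        case "net.reactivated.fprint.device.enroll":
        case "net.reactivated.fprint.device.delete":
          // Changing enrolled prints changes who can pass sudo/swaylock.
          return polkit.Result.AUTH_SELF;
      }

      return polkit.Result.NOT_HANDLED;
    });
  '';
}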