diff --git a/hosts/common/programs/schlock.nix b/hosts/common/programs/schlock.nix index f40cd251..45fd9f7c 100644 --- a/hosts/common/programs/schlock.nix +++ b/hosts/common/programs/schlock.nix @@ -11,14 +11,32 @@ let in { sane.programs.schlock = { + configOption = with lib; mkOption { + default = {}; + type = types.submodule { + options.autolock = mkOption { + type = types.bool; + default = true; + description = '' + integrate with things like `swayidle` to auto-lock when appropriate. + ''; + }; + }; + }; + sandbox.method = "bwrap"; sandbox.whitelistWayland = true; secrets.".config/schlock/schlock.pin" = ../../../secrets/common/schlock.pin.bin; + + services.schlock = { + description = "schlock mobile-friendly screen locker"; + command = ''schlock -p "$HOME/.config/schlock/schlock.pin"''; + restartCondition = "on-failure"; + }; }; - sane.programs.swayidle.config = lib.mkIf cfg.enabled { - actions.schlock.desktop = "schlock.desktop"; - actions.schlock.delay = 1800; + sane.programs.swayidle.config = lib.mkIf (cfg.enabled && cfg.config.autolock) { + actions.lock.service = "schlock"; }; } diff --git a/hosts/common/programs/swayidle.nix b/hosts/common/programs/swayidle.nix index 22484d95..2ea8e1d9 100644 --- a/hosts/common/programs/swayidle.nix +++ b/hosts/common/programs/swayidle.nix @@ -9,10 +9,23 @@ let options.command = mkOption { type = types.str; default = name; + description = '' + shell command to run, e.g. "swaylock --indicator-idle-visible". + ''; }; options.desktop = mkOption { type = types.nullOr types.str; default = null; + description = '' + name of a .desktop file to launch, e.g. "swaylock.desktop". + ''; + }; + options.service = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + name of a user service to start. + ''; }; options.delay = mkOption { type = types.int; 
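Review bot: The `autolock` description does not say what turning the option off means for the session. With `autolock = false` the `lib.mkIf` at the bottom of this hunk no longer sets `actions.lock.service`, so nothing locks the screen on idle unless another program defines that action. I would spell that out, e.g. `register schlock as swayidle's "lock" action so the session locks after the idle delay; when false, this module sets up no automatic locking.` The same option and wording are repeated in swaylock.nix, so the same change applies there. Separately, the service command relies on `"$HOME"` being expanded, which holds only if the service runner passes `command` through a shell; this diff does not show that.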
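Review bot: The new `service` description should say that `command`, `desktop` and `service` are alternatives. Going by the `config.command` merge in the next hunk, `desktop` and `service` each generate a definition for `command`. Since `command` is a `types.str`, setting more than one of them to different results should fail evaluation with a conflicting-definitions error rather than pick one. Suggested text: `name of a user service to start; mutually exclusive with "desktop" and an explicit "command".` The enclosing submodule starts above this hunk.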
@@ -20,7 +33,14 @@ let how many seconds of idle time before triggering the command. ''; }; - config.command = lib.mkIf (config.desktop != null) "sane-open --application ${config.desktop}"; + config.command = lib.mkMerge [ + (lib.mkIf (config.desktop != null) ( + lib.escapeShellArgs [ "sane-open" "--application" "${config.desktop}" ]) + ) + (lib.mkIf (config.service != null) ( + lib.escapeShellArgs [ "s6-rc" "start" "${config.service}" ]) + ) + ]; }); screenOff = pkgs.writeShellScriptBin "screen-off" '' swaymsg -- output '*' power false @@ -46,9 +66,17 @@ in command = "${screenOff}/bin/screen-off"; delay = lib.mkDefault 1500; # 1500s = 25min }; + config.actions.lock = { + # define a well-known action mostly to prevent accidentally shipping overlapping screen lockers... + delay = lib.mkDefault 1800; # 1800 = 30min + # enable by default, but only if something else has installed a locker. + enable = lib.mkDefault cfg.actions.lock.command != ""; + command = lib.mkDefault ""; + }; sandbox.method = "bwrap"; sandbox.whitelistDbus = [ "user" ]; #< might need system too, for inhibitors + sandbox.whitelistS6 = true; sandbox.whitelistWayland = true; sandbox.extraRuntimePaths = [ "sway" ]; diff --git a/hosts/common/programs/swaylock.nix b/hosts/common/programs/swaylock.nix index a61ac0f4..ed5f5cba 100644 --- a/hosts/common/programs/swaylock.nix +++ b/hosts/common/programs/swaylock.nix 
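Review bot: Switching the lock action from spawning a process to `s6-rc start` of a named service makes the idle action idempotent, and that can fail open. The lockers in this commit use `restartCondition = "on-failure"`, so a clean exit after unlocking is not restarted. If the service manager still records the locker as up at that point, a later idle timeout may be a no-op and leave the session unlocked. A start that fails is also neither retried nor reported here. How a cleanly exited service is marked is not visible in this diff, so please confirm that a lock, unlock, idle cycle locks again.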
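Review bot: `enable = lib.mkDefault cfg.actions.lock.command != "";` does not do what the comment above it says. Function application binds tighter than `!=` in Nix, so this is `(lib.mkDefault cfg.actions.lock.command) != ""`, which compares the override attrset with a string and is always `true`. The `lock` action is therefore enabled even when no locker has set a command, and at normal priority, so a plain `enable = false` elsewhere would presumably conflict instead of overriding it. Parenthesise the comparison: `enable = lib.mkDefault (cfg.actions.lock.command != "");`. Also worth a comment on `sandbox.whitelistS6 = true`, which looks like it lets the sandboxed swayidle reach the user's service manager in general rather than only the locker.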
@@ -4,18 +4,31 @@ let in { sane.programs.swaylock = { - packageUnwrapped = pkgs.swaylock.overrideAttrs (upstream: { - nativeBuildInputs = (upstream.nativeBuildInputs or []) ++ [ - pkgs.copyDesktopItems - ]; - desktopItems = (upstream.desktopItems or []) ++ [ - (pkgs.makeDesktopItem { - name = "swaylock"; - exec = "swaylock --indicator-idle-visible --indicator-radius 100 --indicator-thickness 30"; - desktopName = "Sway session locker"; - }) - ]; - }); + configOption = with lib; mkOption { + default = {}; + type = types.submodule { + options.autolock = mkOption { + type = types.bool; + default = true; + description = '' + integrate with things like `swayidle` to auto-lock when appropriate. + ''; + }; + }; + }; + + # packageUnwrapped = pkgs.swaylock.overrideAttrs (upstream: { + # nativeBuildInputs = (upstream.nativeBuildInputs or []) ++ [ + # pkgs.copyDesktopItems + # ]; + # desktopItems = (upstream.desktopItems or []) ++ [ + # (pkgs.makeDesktopItem { + # name = "swaylock"; + # exec = "swaylock --indicator-idle-visible --indicator-radius 100 --indicator-thickness 30"; + # desktopName = "Sway session locker"; + # }) + # ]; + # }); sandbox.method = "bwrap"; sandbox.extraPaths = [ @@ -26,11 +39,16 @@ in "/etc/shadow" ]; sandbox.whitelistWayland = true; + + services.swaylock = { + description = "swaylock screen locker"; + command = "swaylock --indicator-idle-visible --indicator-radius 100 --indicator-thickness 30"; + restartCondition = "on-failure"; + }; }; - sane.programs.swayidle.config = lib.mkIf cfg.enabled { - actions.swaylock.desktop = "swaylock.desktop"; - actions.swaylock.delay = 1800; + sane.programs.swayidle.config = lib.mkIf (cfg.enabled && cfg.config.autolock) { + actions.lock.service = "swaylock"; }; security.pam.services = lib.mkIf cfg.enabled {
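Review bot: The old `packageUnwrapped` override is left behind as a commented-out block. Since the desktop entry is replaced by `services.swaylock` in the next hunk, I would delete it rather than comment it out, as version control already keeps the previous definition. If it is kept on purpose, a one-line comment such as `# TODO: drop once nothing launches swaylock.desktop` would say why. The `sane.programs.swaylock` attrset continues past this hunk.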