diff --git a/modules/core/security.nix b/modules/core/security.nix
index af947a8..478796b 100644
--- a/modules/core/security.nix
+++ b/modules/core/security.nix
@@ -1,3 +1,43 @@
 {
-  security.sudo.wheelNeedsPassword = false;
+  lib,
+  pkgs,
+  config,
+  ...
+}: {
+  config = lib.mkIf config.local.profiles.desktop.enable {
+    security = {
+      polkit.enable = true;
+      polkit = {
+        extraConfig = ''
+          polkit.addRule(function(action, subject) {
+            if (
+              subject.isInGroup("users")
+                && (
+                  action.id == "org.freedesktop.login1.reboot" ||
+                  action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
+                  action.id == "org.freedesktop.login1.power-off" ||
+                  action.id == "org.freedesktop.login1.power-off-multiple-sessions"
+                )
+              )
+            {
+              return polkit.Result.YES;
+            }
+          });
+        '';
+      };
+    };
+    systemd.user.services.polkit-gnome-authentication-agent-1 = {
+      description = "polkit-gnome-authentication-agent-1";
+      wantedBy = ["graphical-session.target"];
+      wants = ["graphical-session.target"];
+      after = ["graphical-session.target"];
+      serviceConfig = {
+        Type = "simple";
+        ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
+        Restart = "on-failure";
+        RestartSec = 1;
+        TimeoutStopSec = 10;
+      };
+    };
+  };
 }