diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md index a992008a4e1bad..363296b713e9b5 100644 --- a/nixos/doc/manual/release-notes/rl-2411.section.md +++ b/nixos/doc/manual/release-notes/rl-2411.section.md @@ -73,6 +73,8 @@ - [Goatcounter](https://www.goatcounter.com/), Easy web analytics. No tracking of personal data. Available as [services.goatcounter](options.html#opt-services.goatcocunter.enable). +- [Howdy](https://github.com/boltgolt/howdy), a Windows Helloâ„¢ style facial authentication program for Linux. + - [Privatebin](https://github.com/PrivateBin/PrivateBin/), A minimalist, open source online pastebin where the server has zero knowledge of pasted data. Available as [services.privatebin](#opt-services.privatebin.enable) - [UWSM](https://github.com/Vladimir-csp/uwsm), a wayland session manager to wrap Wayland Compositors into useful systemd units such as `graphical-session.target`. Available as [programs.uwsm](#opt-programs.uwsm.enable). diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index bf9b3db4b9677b..ecb4171c672eb9 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -1313,6 +1313,7 @@ ./services/security/hockeypuck.nix ./services/security/hologram-agent.nix ./services/security/hologram-server.nix + ./services/security/howdy ./services/security/infnoise.nix ./services/security/intune.nix ./services/security/jitterentropy-rngd.nix diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 2ff08cbfde8123..80789c8ddf22a5 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix 
@@ -267,6 +267,16 @@ let ''; }; + howdyAuth = lib.mkOption { + default = config.services.howdy.enable; + defaultText = lib.literalExpression "config.services.howdy.enable"; + type = lib.types.bool; + description = '' + If set, IR camera will be used (if it exists and your + facial models are enrolled). + ''; + }; + oathAuth = lib.mkOption { default = config.security.pam.oath.enable; defaultText = lib.literalExpression "config.security.pam.oath.enable"; @@ -696,6 +706,7 @@ let dp9ik.authserver ]; }) { name = "fprintd"; enable = cfg.fprintAuth; control = "sufficient"; modulePath = "${config.services.fprintd.package}/lib/security/pam_fprintd.so"; } + { name = "howdy"; enable = cfg.howdyAuth; control = "sufficient"; modulePath = "${config.services.howdy.package}/lib/security/pam_howdy.so"; } ] ++ # Modules in this block require having the password set in PAM_AUTHTOK. # pam_unix is marked as 'sufficient' on NixOS which means nothing will run diff --git a/nixos/modules/services/security/howdy/config.nix b/nixos/modules/services/security/howdy/config.nix new file mode 100644 index 00000000000000..e806366d377e03 --- /dev/null +++ b/nixos/modules/services/security/howdy/config.nix 
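Review bot: The `howdyAuth` description says only that the "IR camera will be used", which hides the fact that this is an authentication switch. Given the `control = "sufficient"` rule added in the next hunk, a face match is accepted in place of the password for that service. I would reword it along the lines of `If set, a successful Howdy face match is accepted instead of the password for this service (requires an enrolled face model and a working camera).` Upstream describes Howdy as less secure than a password, so the description is where an administrator should learn what they are trading. The option sits in a `let` block that starts outside this hunk, so I am assuming it is the per-service submodule, as the neighbouring `oathAuth` suggests.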
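Review bot: In the second pam.nix hunk the `howdy` rule is `control = "sufficient"` and sits before the block that the following comment describes as needing the password in PAM_AUTHTOK, so a face match ends the auth stack and those later modules never see a password. Anything that unlocks with the login password would presumably stay locked after a face login, and the rule as written cannot serve as an additional factor rather than a replacement. At minimum I would add a comment above the rule, `# sufficient: a face match alone authenticates; the password-dependent modules below are skipped`, and consider exposing the control value as an option. The surrounding rule list starts and ends outside the hunk.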
@@ -0,0 +1,46 @@
+{
+ core = {
+ detection_notice = false;
+ timeout_notice = true;
+ no_confirmation = false;
+ suppress_unknown = false;
+ abort_if_ssh = true;
+ abort_if_lid_closed = true;
+ disabled = false;
+ use_cnn = false;
+ workaround = "off";
+ };
+
+ video = {
+ certainty = 3.5;
+ timeout = 4;
+ device_path = "/dev/video2";
+ warn_no_device = true;
+ max_height = 320;
+ frame_width = -1;
+ frame_height = -1;
+ dark_threshold = 60;
+ recording_plugin = "opencv";
+ device_format = "v4l2";
+ force_mjpeg = false;
+ exposure = -1;
+ device_fps = -1;
+ rotate = 0;
+ };
+
+ snapshots = {
+ save_failed = false;
+ save_successful = false;
+ };
+
+ rubberstamps = {
+ enabled = false;
+ stamp_rules = "nod 5s failsafe min_distance=12";
+ };
+
+ debug = {
+ end_report = false;
+ verbose_stamps = false;
+ gtk_stdout = false;
+ };
+}
diff --git a/nixos/modules/services/security/howdy/default.nix b/nixos/modules/services/security/howdy/default.nix
new file mode 100644
index 00000000000000..75dc3f5cbde322
--- /dev/null
+++ b/nixos/modules/services/security/howdy/default.nix 
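Review bot: `device_path = "/dev/video2"` is a machine-specific value shipped as the default for every system. V4L2 device numbers are not stable identifiers, so on another machine, or after a second camera is attached, `/dev/video2` may be a different device or an ordinary RGB webcam rather than the IR sensor. Matching against a plain webcam image would weaken the check the PAM option description promises. I would not ship a concrete device as the default; have users set it explicitly and recommend a stable name such as a `/dev/v4l/by-path/` symlink in the option documentation.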
@@ -0,0 +1,50 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ cfg = config.services.howdy;
+ settingsType = pkgs.formats.ini { };
+in
+{
+ options = {
+ services.howdy = {
+ enable = lib.mkEnableOption "" // {
+ description = ''
+ Howdy and PAM module for face recognition. See
+ `services.linux-enable-ir-emitter` for enabling the IR emitter support.
+ '';
+ };
+
+ package = lib.mkPackageOption pkgs "howdy" { };
+
+ settings = lib.mkOption {
+ inherit (settingsType) type;
+ default = import ./config.nix;
+ description = ''
+ Howdy configuration file. Refer to
+
+ for options.
+ '';
+ };
+ };
+ };
+
+ config = lib.mkMerge [
+ (lib.mkIf cfg.enable {
+ environment.systemPackages = [ cfg.package ];
+ environment.etc."howdy/config.ini".source = settingsType.generate "howdy-config.ini" cfg.settings;
+ assertions = [
+ {
+ assertion = !(builtins.elem "v4l2loopback" config.boot.kernelModules);
+ message = "Adding 'v4l2loopback' to `boot.kernelModules` causes Howdy to no longer work. Consider adding it to `boot.extraModulePackages` instead.";
+ }
+ ];
+ })
+ {
+ services.howdy.settings = lib.mapAttrsRecursive (name: lib.mkDefault) (import ./config.nix);
+ }
+ ];
+}
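Review bot: The `enable` description does not mention that turning this on changes authentication system-wide. `howdyAuth` in pam.nix defaults to `config.services.howdy.enable`, so every PAM service built from those options presumably gains the face-match rule, including privilege escalation such as sudo. I would say so in the description and name the per-service opt-out, e.g. `Enabling this also turns on face authentication for all PAM services; set security.pam.services.<name>.howdyAuth = false to exclude one.` (assuming the option lives in the per-service submodule). Separately, `(name: lib.mkDefault)` receives the attribute path rather than a name, so `_path: lib.mkDefault` would read more accurately.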