diff --git a/nix/templates/weston-vnc.nix b/nix/templates/weston-vnc.nix
index 0c278aa..8b0350b 100644
--- a/nix/templates/weston-vnc.nix
+++ b/nix/templates/weston-vnc.nix
@@ -57,6 +57,26 @@
 };
 config = lib.mkIf config.hyperhive.gui.enable {
+ # Build weston linked against a neatvnc without auth/crypto support.
+ # neatvnc ≥ 0.9 compiled with gnutls/nettle always advertises RSA-AES
+ # and Apple-DH security types (types 129, 5, 30) regardless of the
+ # weston.ini auth-method setting, causing the in-browser RFB client to
+ # fail with "auth failed" (it has no RSA key to complete the handshake).
+ # Removing gnutls + nettle from neatvnc's buildInputs disables the auth
+ # module at compile time, so nvnc_has_auth() returns false and weston
+ # skips nvnc_enable_auth() — neatvnc then advertises only type 1 (None).
+ nixpkgs.overlays = [
+ (_final: prev: {
+ weston = prev.weston.override {
+ neatvnc = prev.neatvnc.overrideAttrs (old: {
+ buildInputs = builtins.filter
+ (p: (p.pname or p.name or "") != "gnutls")
+ old.buildInputs;
+ });
+ };
+ })
+ ];
+
 systemd.services.weston = {
 description = "Weston Wayland compositor (VNC backend)";
 after = [ "network.target" ];
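Review bot: The predicate `(p: (p.pname or p.name or "") != "gnutls")` strips only gnutls from neatvnc's buildInputs, yet the comment a few lines above states that gnutls + nettle are removed, and the whole fix rests on the auth module really being compiled out so that `nvnc_has_auth()` returns false. Either correct the comment to say gnutls only, or widen the filter to `(p: !(builtins.elem (p.pname or p.name or "") [ "gnutls" "nettle" ]))` so code and rationale agree; whether neatvnc's build can still pick up nettle on its own cannot be confirmed from this hunk and is worth checking against the resulting derivation. Because the override sits in `nixpkgs.overlays`, every consumer of `pkgs.weston` on the host receives a build with TLS and authentication compiled out, not just this service; if that is unintended, a `let`-bound `weston-noauth = pkgs.weston.override { ... }` referenced from the unit's exec line keeps the change scoped to this one listener.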
@@ -104,23 +124,14 @@
 ${pkgs.coreutils}/bin/printf '{"vnc_port":%d,"auth":"none"}\n' \
 "$VNC_PORT" > /etc/hyperhive/gui.json || true
- # Write a weston.ini that disables VNC authentication.
- # Without this, neatvnc offers VNC password auth (type 2) by default
- # which causes the in-browser RFB client to fail with "auth failed".
- # auth-method=none makes neatvnc offer security type 1 (None).
- # --disable-transport-layer-security additionally disables the
- # VeNCrypt TLS wrapper — VNC is loopback-only via the harness
- # WebSocket relay so neither TLS nor a password is needed.
- WESTON_INI=$(${pkgs.coreutils}/bin/mktemp /tmp/weston-XXXXXX.ini)
- ${pkgs.coreutils}/bin/printf '[core]\nbackend=vnc\n\n[vnc]\nauth-method=none\n' \
- > "$WESTON_INI"
-
+ # neatvnc is built without gnutls (see nixpkgs.overlays above),
+ # so nvnc_has_auth() returns false and weston skips auth setup
+ # entirely — neatvnc advertises only security type 1 (None).
+ # No weston.ini or --disable-transport-layer-security needed.
 exec ${pkgs.weston}/bin/weston \
- --config="$WESTON_INI" \
 --backend=vnc-backend.so \
 --renderer=pixman \
- --port="$VNC_PORT" \
- --disable-transport-layer-security
+ --port="$VNC_PORT"
 '';
 Restart = "on-failure";
 RestartSec = "5s";
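Review bot: Removing `--config="$WESTON_INI"` from the exec line leaves weston on its default weston.ini lookup, so a config file that happens to be present in the service's XDG config paths can now alter the `[vnc]` section without any change to this unit; adding `--no-config \` right after the weston path keeps the launch as self-contained as it was with the generated temp file. The rewritten comment also drops the one security-relevant fact the removed comment carried — that the VNC port is loopback-only and reached solely through the harness WebSocket relay — which is now the entire justification for an RFB endpoint with neither authentication nor TLS, so it should stay, e.g. `# Auth and TLS are compiled out: $VNC_PORT must remain loopback-only (harness WebSocket relay).` Nothing in this hunk restricts the listener to loopback, so that property is enforced elsewhere or not at all; if the backend offers a bind-address option or the host has a firewall rule for this port, referencing it here would make the assumption checkable. The enclosing ExecStart script begins before this hunk.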