Both LightDM and GDM include the login module where a keyring can be unlocked, for example by setting security.pam.services.login.enableGnomeKeyring = true;.

I suggest adding the following:

text = ''
auth      substack      login
account   include       login
password  substack      login
session   include       login
'';

to

and maybe hide them behind a boolean?

Maybe someone with more knowledge of the PAM system could give some feedback on this, as I am not sure if there could be negative or unforeseen consequences lurking.