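{ config, lib, pkgs, ... }:

# SSH entry point for a dedicated reverse-tunnel account: OATH one-time
# passwords via PAM, a non-default port, and a `tunnel` user that may only
# open remote forwards on a fixed port range. (The previous `with lib;` and
# `cfg = config.local;` bindings were unused and have been dropped.)
let
  # Single source of truth for the sshd port; also used by the firewall rule.
  sshPort = 2234;
in
{
  config = {
    security.pam = {
      oath = {
        usersFile = "/var/trust/auth/users.oath";
        digits = 6;
        # NOTE(review): pam_oath's `window` counts OTP steps, not seconds;
        # 30 steps of 30 s TOTP is roughly +/-15 min of accepted drift —
        # confirm this much tolerance is intended.
        window = 30;
      };
      # Puts pam_oath into sshd's PAM stack; the `tunnel` account below
      # relies on this being the real credential check.
      services.sshd.oathAuth = true;
    };

    services.openssh = {
      enable = true;
      # The firewall opening is written out explicitly under networking.firewall.
      openFirewall = false;
      ports = [ sshPort ];
      # Socket-activated: sshd starts on the first incoming connection.
      startWhenNeeded = true;
      hostKeys = [
        { bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; type = "rsa"; }
        { path = "/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; }
        # TODO: phase out — ECDSA is the weakest of the three host keys offered;
        # remove it once no client still pins this key.
        { path = "/etc/ssh/ssh_host_ecdsa_key"; type = "ecdsa"; }
      ];
      settings = {
        # Global default for interactive users; the `Match User tunnel`
        # block below turns it off for the tunnel account.
        X11Forwarding = true;
        PermitRootLogin = "no";
        # Needed for OATH; it does not replace OATH (the OTP is still required).
        # NOTE(review): NixOS enables KbdInteractiveAuthentication by default,
        # which is the mechanism that normally serves the pam_oath prompt —
        # confirm this setting is really needed before keeping it on.
        PasswordAuthentication = true;
      };
      # Lockdown for the tunnel account: remote-only TCP forwarding, no local
      # opens, no agent/X11/tun, and listeners restricted to the listed ports
      # (loopback only, since GatewayPorts stays off).
      # (The sshd_config comment says the user has no password; it actually has
      # the static one set under users.users.tunnel below, with OATH on top.)
      extraConfig = ''
        # User 'tunnel' has no password. Use PAM OATH
        # and connect with -N, forward with -R.
        Match User tunnel
          AllowTcpForwarding remote
          AllowStreamLocalForwarding no
          X11Forwarding no
          PermitTunnel no
          GatewayPorts no
          AllowAgentForwarding no
          PermitOpen none
          PermitListen 60220 60221 60222 60223 60224 60225 60226 60227 60228 60229
          Banner ${pkgs.writeText "tunnel-banner" ''
            This is a reverse tunnel
          ''}
      '';
    };

    networking.firewall.allowedTCPPorts = [ sshPort ];

    users.users.tunnel = {
      uid = 1100;
      group = "nogroup";
      isSystemUser = true;
      # Requires OATH: this static password is only the first PAM factor.
      # A literal `password` ends up in plain text in the Nix store, so treat
      # it as public; the OTP from pam_oath (services.sshd.oathAuth above)
      # is the account's real credential.
      password = "tunnel";
      home = "/var/empty";
      # No usable login shell; clients are expected to connect with -N.
      shell = "${pkgs.coreutils}/bin/true";
    };
  };
}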