# NixOS module: OpenSSH on a non-default port, password logins disabled, and
# pam_oath one-time passwords enabled for the sshd PAM service.
{ lib, config, ... }:

with lib;

let
  cfg = config.local;

  # One definition of the listening port, used by sshd and by the firewall rule.
  sshPort = 2234;
in
{
  config = {
    security.pam.oath = {
      # Holds the per-user OTP shared secrets.
      # NOTE(review): confirm the file is owned by root and unreadable by other users.
      usersFile = "/var/trust/auth/users.oath";
      digits = 6;
      # NOTE(review): this option counts how many one-time passwords are
      # searched, not seconds. 30 may have been meant as the TOTP period;
      # confirm, because a smaller value narrows the set of accepted codes.
      window = 30;
    };

    # Adds the OATH check to sshd's PAM stack.
    # NOTE(review): sshd does not run PAM authentication for public-key
    # logins, so the OTP only applies to keyboard-interactive logins. If it is
    # meant to be a mandatory second factor, confirm that AuthenticationMethods
    # is set elsewhere.
    security.pam.services.sshd.oathAuth = true;

    services.openssh = {
      enable = true;
      ports = [ sshPort ];

      # The module's automatic firewall rule is off; the port is opened
      # explicitly through networking.firewall.allowedTCPPorts below.
      openFirewall = false;

      permitRootLogin = "no";
      passwordAuthentication = false;

      # NOTE(review): X11 forwarding lets processes on this host reach the
      # connecting user's X display; confirm it is needed.
      forwardX11 = true;

      # List order is kept as in the original.
      hostKeys = [
        {
          type = "rsa";
          bits = 4096;
          path = "/etc/ssh/ssh_host_rsa_key";
        }
        {
          type = "ed25519";
          path = "/etc/ssh/ssh_host_ed25519_key";
        }
        # TODO: phase out, insecure
        # NOTE(review): presumably refers to the ECDSA key below; the original
        # comment's placement does not say.
        {
          type = "ecdsa";
          path = "/etc/ssh/ssh_host_ecdsa_key";
        }
      ];
    };

    networking.firewall.allowedTCPPorts = [ sshPort ];
  };
}