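# NixOS module: opt-in OATH one-time-password authentication for sshd, plus a
# shell-less "tunnel" system account.
#
# Enable with `local.auth.oath.enable = true;`. Nothing under `config` is
# applied while the option is off (the whole attrset is wrapped in lib.mkIf).
{ config, lib, pkgs, ... }:

let
  cfg = config.local.auth.oath;
in
{
  options.local.auth.oath = {
    enable = lib.mkEnableOption "pam-oath";
  };

  config = lib.mkIf cfg.enable {
    security.pam = {
      oath = {
        digits = 6;

        # NOTE(review): pam_oath's window is a search depth counted in OTP
        # steps (HOTP counter values / TOTP time steps), not in seconds. 30 is
        # a wide acceptance window; confirm it is intended and not a mix-up
        # with the 30-second TOTP period.
        window = 30;

        # This file holds the per-user shared OATH secrets.
        # NOTE(review): nothing in this module creates it or sets its
        # ownership and mode; it should be readable by root only. Verify how
        # it is provisioned.
        usersFile = "/var/trust/auth/users.oath";
      };

      # Only the sshd PAM service is given the OATH step here. Other PAM
      # services on the host are not changed by this module, and sshd
      # authentication methods that do not go through PAM (e.g. public keys)
      # are not covered by it. Confirm the sshd configuration matches the
      # intent.
      services.sshd.oathAuth = true;
    };

    users.users.tunnel = {
      uid = 1100;
      group = "nogroup";
      isSystemUser = true;

      # Requires OATH.
      # NOTE(review): this password is a fixed, guessable literal and, like
      # any `password` value, ends up world-readable in the Nix store. It adds
      # nothing as a factor: the OTP is the only real credential for this
      # account, and only on PAM services that actually enforce OATH. Consider
      # `hashedPasswordFile` with a secret kept outside the store, or confirm
      # that every path that accepts this password also demands the OTP.
      password = "tunnel";

      home = "/var/empty";

      # No interactive shell: the command exits immediately with success.
      shell = "${pkgs.coreutils}/bin/true";
    };
  };
}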