ma 2fa: init and enable for gum

1systems/gum.nix

@@ -26,6 +26,9 @@ in {
       ../2configs/tinc/retiolum.nix
       ../2configs/urlwatch.nix
 
+      # Security
+      ../2configs/sshd-totp.nix
+
       # Tools
       ../2configs/tools/core.nix
       ../2configs/tools/dev.nix

2configs/sshd-totp.nix

@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+# Enables second factor for ssh password login
+
+## Usage:
+#  gen-oath-safe <username> totp
+## scan the qrcode with google authenticator (or FreeOTP)
+## copy last line into secrets/<host>/users.oath (chmod 700)
+{
+  security.pam.oath = {
+    # enabling it will make it a requisite of `all` services
+    # enable = true;
+    digits = 6;
+    # TODO assert existing
+    usersFile = (toString <secrets>) + "/users.oath";
+  };
+  # I want TFA only active for sshd with password-auth
+  security.pam.services.sshd.oathAuth = true;
+}