···

       
249
       
 
       
              to provide Google Authenticator token to log in.

     

       
250
       
 
       
            '';

     

       
251
       
 
       
          };

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
252
       
 
       
        };

     

       
253
       
 
       


     

       
254
       
 
       
        otpwAuth = lib.mkOption {

     
···

       
1048
       
 
       
                      modulePath = "${pkgs.google-authenticator}/lib/security/pam_google_authenticator.so";

     

       
1049
       
 
       
                      settings = {

     

       
1050
       
 
       
                        no_increment_hotp = true;

     

       
0
       
 
       

     

       
0
       
 
       

     

       
1051
       
 
       
                      };

     

       
1052
       
 
       
                    }

     

       
1053
       
 
       
                    {

     

···

       
249
       
 
       
              to provide Google Authenticator token to log in.

     

       
250
       
 
       
            '';

     

       
251
       
 
       
          };

     

       
252
       
+
       
          allowNullOTP = lib.mkOption {

     

       
253
       
+
       
            type = lib.types.bool;

     

       
254
       
+
       
            default = false;

     

       
255
       
+
       
            description = ''

     

       
256
       
+
       
              Whether to allow login for accounts that have no OTP set

     

       
257
       
+
       
              (i.e., accounts with no OTP configured or no existing

     

       
258
       
+
       
              {file}`~/.google_authenticator`).

     

       
259
       
+
       
            '';

     

       
260
       
+
       
          };

     

       
261
       
+
       
          forwardPass = lib.mkOption {

     

       
262
       
+
       
            type = lib.types.bool;

     

       
263
       
+
       
            default = false;

     

       
264
       
+
       
            description = ''

     

       
265
       
+
       
              The authentication provides a single field requiring

     

       
266
       
+
       
              the user's password followed by the one-time password (OTP).

     

       
267
       
+
       
            '';

     

       
268
       
+
       
          };

     

       
269
       
 
       
        };

     

       
270
       
 
       


     

       
271
       
 
       
        otpwAuth = lib.mkOption {

     
···

       
1065
       
 
       
                      modulePath = "${pkgs.google-authenticator}/lib/security/pam_google_authenticator.so";

     

       
1066
       
 
       
                      settings = {

     

       
1067
       
 
       
                        no_increment_hotp = true;

     

       
1068
       
+
       
                        forward_pass = cfg.googleAuthenticator.forwardPass;

     

       
1069
       
+
       
                        nullok = cfg.googleAuthenticator.allowNullOTP;

     

       
1070
       
 
       
                      };

     

       
1071
       
 
       
                    }

     

       
1072
       
 
       
                    {