From 833118797651cc67fdd21d24af2e959c1e49276d Mon Sep 17 00:00:00 2001
From: Antonio
Date: Fri, 16 May 2025 23:24:05 +0200
Subject: [PATCH] Google Authenticator 2FA support over XRDP
---
 nixos/modules/security/pam.nix | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index ad4e32e82561..0020ace8da5d 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -249,6 +249,23 @@ let
 to provide Google Authenticator token to log in.
 '';
 };
+ allowNullOTP = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = ''
+ Whether to allow login for accounts that have no OTP set
+ (i.e., accounts with no OTP configured or no existing
+ {file}`~/.google_authenticator`).
+ '';
+ };
+ forwardPass = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = ''
+ The authentication provides a single field requiring
+ the user's password followed by the one-time password (OTP).
+ '';
+ };
 };
 otpwAuth = lib.mkOption {
@@ -1048,6 +1065,8 @@ let
 modulePath = "${pkgs.google-authenticator}/lib/security/pam_google_authenticator.so";
 settings = {
 no_increment_hotp = true;
+ forward_pass = cfg.googleAuthenticator.forwardPass;
+ nullok = cfg.googleAuthenticator.allowNullOTP;
 };
 }
 {
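Review bot: The `allowNullOTP` description in the first hunk (`@@ -249`) does not state the security consequence of enabling it: the second factor then applies only to accounts that already have `~/.google_authenticator`, and every other account authenticates with its password alone. I would add a sentence such as `Enabling this makes the OTP optional per account; leave it disabled where two-factor login must be enforced.` The `forwardPass` description is also phrased as a statement rather than in the "Whether to ..." form its sibling uses, e.g. `Whether to ask for the password and the one-time password (OTP) in a single prompt, password first.` The enclosing `googleAuthenticator` option set starts above the hunk, so I cannot see how the existing options are worded.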
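Review bot: The two new settings in the second hunk (`@@ -1048`) depend on the rest of the auth stack, which the hunk does not show, and nothing here documents that dependency. As I understand the upstream module, `forward_pass` only works when a later auth rule takes the password from PAM_AUTHTOK instead of prompting again, and `nullok` makes this rule return "ignore" for un-enrolled users, so another rule must still return success. A short comment above the two lines would help, for example `# forward_pass needs a later rule that reads PAM_AUTHTOK (try_first_pass); nullok makes this rule a no-op for users without a secret file`. It is also worth confirming that a rule ordered before this one does not already prompt for the password when `forwardPass` is on, since the rule list starts and ends outside the hunk.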