# NixOS module: adds a YubiKey challenge-response check to PAM and provisions
# the matching per-user state file through sops-nix.
{ pkgs, ... }:
{
  # Installs the yubico-pam package system-wide.
  environment.systemPackages = [ pkgs.yubico-pam ];

  security.pam.yubico = {
    enable = true;

    # Offline HMAC challenge-response rather than Yubico cloud OTP validation.
    mode = "challenge-response";

    # "required": a failed YubiKey check fails the PAM stack, so the token is
    # an additional factor. A lost token or an unreadable state file then
    # blocks login; keep a tested recovery path.
    control = "required";

    # Directory pam_yubico searches for state files named <user>-<serial>.
    # The sops secret declared below is named to land here as
    # /run/secrets/yubikey/albert-18550256 (sops-nix default path; confirm).
    challengeResponsePath = "/run/secrets/yubikey";

    # NOTE(review): upstream describes `id` as the Yubico API client id, which
    # challenge-response mode should not need. This value matches the serial
    # in the secret name and is given as a list; confirm the option type and
    # intent.
    id = [ "18550256" ];
  };

  sops.secrets = {
    "yubikey/albert-18550256" = {
      sopsFile = ../../../secrets/yubikey.yaml;

      # Readable and writable by albert only.
      # NOTE(review): a user-writable state file lets the account itself change
      # what counts as a valid second factor. Check whether root ownership
      # works with chalresp_path before relaxing or tightening this.
      owner = "albert";
      mode = "600";

      # NOTE(review): pam_yubico is expected to replace this file with a fresh
      # challenge after each successful login. A sops-managed file is rebuilt
      # from the encrypted source on activation, so the same challenge may be
      # reissued after every reboot or rebuild. Verify this is acceptable.
    };
  };
}