{ pkgs, ... }: { security.pam.yubico = { enable = true; debug = true; # control = "required"; mode = "challenge-response"; id = [ "18550256" ]; }; services.udev.extraRules = '' ACTION=="remove",\ ENV{ID_BUS}=="usb",\ ENV{ID_MODEL_ID}=="0407",\ ENV{ID_VENDOR_ID}=="1050",\ ENV{ID_VENDOR}=="Yubico",\ RUN+="${pkgs.systemd}/bin/loginctl lock-sessions" ''; }