support duo mfa on nixos servers

home/base.nix

@@ -118,6 +118,18 @@ let
       ssh heywoodlh@$host "sudo cp /root/tarsnap.key /home/heywoodlh/tarsnap.key; sudo chown -R heywoodlh /home/heywoodlh/tarsnap.key" && scp heywoodlh@$host:/home/heywoodlh/tarsnap.key $host && ssh heywoodlh@$host "rm /home/heywoodlh/tarsnap.key" && op-wrapper.sh item edit fp5jsqodjv3gzlwtlgojays7qe "$host[file]=$host" && rm $host
     done
   '';
+  duo-key-setup = pkgs.writeShellScriptBin "duo-key-setup.sh" ''
+    hosts=("nix-drive" "nix-nvidia" "nixos-gaming" "nixos-mac-mini")
+    op item get 6sgj3s3755opehqifusmxxoehy --fields=unix-secret-key > /tmp/duo.key
+    chmod 600 /tmp/duo.key
+    for host in "''${hosts[@]}"
+    do
+      scp /tmp/duo.key heywoodlh@$host:/tmp/duo.key
+      scp /tmp/duo-integration.key heywoodlh@$host:/tmp/duo-integration.key
+      ssh heywoodlh@$host "sudo mv /tmp/duo.key /root/duo.key; sudo chown -R root:root /root/duo.key; sudo chmod 600 /root/duo.key"
+    done
+    rm /tmp/duo.key
+  '';
 in {
   home.stateVersion = "24.05";
   home.enableNixpkgsReleaseCheck = false;
@@ -187,6 +199,7 @@ in {
     otp
     op-backup
     incognito
+    duo-key-setup
   ];
 
   # Enable password-store

nixos/roles/remote-access/sshd.nix

@@ -13,11 +13,24 @@ in {
     ];
   };
 
+  # Duo for MFA
+  security.duosec = {
+    pam.enable = true;
+    ssh.enable = true;
+    host = "api-cb5d3f60.duosecurity.com";
+    autopush = true;
+    secretKeyFile = "/root/duo.key";
+    integrationKey = "DI677924DNVV70FMD1DA";
+  };
+
   services.openssh = {
     enable = true;
     sftpServerExecutable = "internal-sftp";
     settings.PermitRootLogin = "prohibit-password";
     settings.PasswordAuthentication = false;
+    extraConfig = pkgs.lib.optionalString config.security.duosec.ssh.enable ''
+      ForceCommand /usr/bin/env login_duo
+    '';
   };
 
   environment.systemPackages = with pkgs; [