diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 7ae26804317..40bec8d0791 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -366,7 +366,7 @@ let
${let p11 = config.security.pam.p11; in optionalString cfg.p11Auth
"auth ${p11.control} ${pkgs.pam_p11}/lib/security/pam_p11.so ${pkgs.opensc}/lib/opensc-pkcs11.so"}
${let u2f = config.security.pam.u2f; in optionalString cfg.u2fAuth
- "auth ${u2f.control} ${pkgs.pam_u2f}/lib/security/pam_u2f.so ${optionalString u2f.debug "debug"} ${optionalString (u2f.authFile != null) "authfile=${u2f.authFile}"} ${optionalString u2f.interactive "interactive"} ${optionalString u2f.cue "cue"}"}
+ "auth ${u2f.control} ${pkgs.pam_u2f}/lib/security/pam_u2f.so ${optionalString u2f.debug "debug"} ${optionalString (u2f.authFile != null) "authfile=${u2f.authFile}"} ${optionalString u2f.interactive "interactive"} ${optionalString u2f.cue "cue"} ${optionalString (u2f.appId != null) "appid=${u2f.appId}"}"}
${optionalString cfg.usbAuth
"auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"}
${let oath = config.security.pam.oath; in optionalString cfg.oathAuth
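Review bot: The new `appid=${u2f.appId}` argument on the pam_u2f line (part of a rule template that begins and ends outside this hunk) is interpolated into the generated PAM rule without validation, and the option declared in the second hunk is typed `nullOr str`, which accepts spaces and newlines. A value containing whitespace would be read by PAM as additional module arguments, and one containing a newline would start a new rule inside an authentication stack. Constraining the option closes this, e.g. `type = with types; nullOr (strMatching "[^[:space:]]+");`. The existing `authfile=${u2f.authFile}` argument on the same line is built the same way and may need the same constraint if its type is equally permissive. The option description in the second hunk could also state that the value must be the same one given to `pamu2fcfg -i` at registration, since keys enrolled under a different application ID will not authenticate.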
@@ -653,6 +653,22 @@ in
xlink:href="https://developers.yubico.com/pam-u2f/">here.
'';
};
+
+ appId = mkOption {
+ default = null;
+ type = with types; nullOr str;
+ description = ''
+ By default pam-u2f module sets the application
+ ID to pam://$HOSTNAME.
+
+ When using pamu2fcfg, you can specify your
+ application ID with the -i flag.
+
+ More information can be found
+ here
+ '';
+ };
control = mkOption {
default = "sufficient";