diff --git a/Cargo.lock b/Cargo.lock
index acee835..88c6ebc 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1818,7 +1818,7 @@ dependencies = [
 ]
 
 [[package]]
-name = "server-stats-rust"
+name = "server-dash-api"
 version = "0.1.0"
 dependencies = [
 "axum",
diff --git a/flake.nix b/flake.nix
index 67f74ed..d15121e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -45,7 +45,7 @@
 pname = "server-dash-api";
 version = "0.1.0";
 src = ./.;
- cargoHash = "sha256-ApTfxhXYXoxF0ixwUQKAxiQOLLwi92buPDLcK+VAbp4=";
+ cargoHash = "sha256-z2sdfkRN25CAiXepQRzftoWGwbl8lI4KGuezGg4rD/A=";
 inherit nativeBuildInputs buildInputs;
 OPENSSL_NO_VENDOR = 1;
 PKG_CONFIG_PATH = "${pkgs.openssl.dev}/lib/pkgconfig";
@@ -92,6 +92,20 @@
 };
 users.groups.server-dash-api = { };
 
+ systemd.tmpfiles.rules = [
+ "d /var/lib/server-dash-api 0750 server-dash-api server-dash-api -"
+ "d /var/lib/server-dash-api/google-auth 0750 server-dash-api server-dash-api -"
+ ];
+
+ security.pam.services.server-dash-api = {
+ text = ''
+ auth required ${pkgs.google-authenticator}/lib/security/pam_google_authenticator.so secret=/var/lib/server-dash-api/google-auth/%u user=server-dash-api no_increment_hotp
+ auth sufficient ${pkgs.linux-pam}/lib/security/pam_unix.so likeauth nullok
+ auth required ${pkgs.linux-pam}/lib/security/pam_unix.so
+ account required ${pkgs.linux-pam}/lib/security/pam_unix.so
+ '';
+ };
+
 security.polkit.extraConfig = ''
 polkit.addRule(function(action, subject) {
 if ((action.id == "org.freedesktop.systemd1.manage-units" ||
@@ -118,6 +132,8 @@
 "RUST_LOG=info"
 "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
 ];
+ AmbientCapabilities = [ "CAP_DAC_READ_SEARCH" ];
+ CapabilityBoundingSet = [ "CAP_DAC_READ_SEARCH" ];
 };
 };
 };
diff --git a/src/auth.rs b/src/auth.rs
index 2238d46..e4fc7c9 100644
--- a/src/auth.rs
+++ b/src/auth.rs
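Review bot: The `auth sufficient … pam_unix.so likeauth nullok` line in the new `security.pam.services.server-dash-api` stack lets any account whose shadow entry has an empty password field pass the password factor with an empty string, so the TOTP-protected login is only as strong as the guarantee that no such account exists on the host; drop `nullok` unless that is deliberate. The Rust side of this commit sends the Unix password and the TOTP code as one string, but nothing in this stack tells pam_google_authenticator to split it: without `forward_pass` on that line and `use_first_pass` on the pam_unix lines, each module prompts separately and pam_unix is handed the concatenated value — unless `Client::with_password`'s conversation does something I cannot see here, the login cannot succeed as written. Since the six-digit code is now submitted through an HTTP endpoint, `rate_limit=3/30` on the google-authenticator line is a cheap brake on brute forcing. Proposed lines: `auth required …/pam_google_authenticator.so secret=/var/lib/server-dash-api/google-auth/%u user=server-dash-api no_increment_hotp forward_pass rate_limit=3/30`, `auth sufficient …/pam_unix.so likeauth use_first_pass`, `auth required …/pam_unix.so use_first_pass`.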
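Review bot: `AmbientCapabilities = [ "CAP_DAC_READ_SEARCH" ]` hands the whole web process a bypass of every file-read permission on the host, which is far broader than the one thing it presumably exists for — letting pam_unix, now running as the unprivileged server-dash-api user, read /etc/shadow. pam_unix normally covers the non-root case by exec'ing the setuid `unix_chkpwd` helper, so first confirm the capability is actually needed on this NixOS host; if the helper path works, remove both capability lines. If it must stay, pair it with confinement that still holds under a DAC bypass, e.g. `ProtectHome = true;` plus `InaccessiblePaths` for any secret stores the service never needs, so a bug in any handler cannot be turned into an arbitrary file read as a side effect of enabling TOTP login.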
@@ -108,7 +108,7 @@ pub fn decode_basic_auth(headers: &HeaderMap) -> Option<(String, String)> {
 }
 
 pub fn verify_system_credentials(username: &str, password: &str) -> bool {
- let mut client = match Client::with_password("login") {
+ let mut client = match Client::with_password("server-dash-api") {
 Ok(c) => c,
 Err(_) => return false,
 };
@@ -128,7 +128,7 @@ pub async fn require_auth(headers: HeaderMap, request: Request, next: Next
 
 // POST /auth/login
 pub async fn post_login(headers: HeaderMap) -> impl IntoResponse {
- let (username, password) = match decode_basic_auth(&headers) {
+ let (username, password_and_totp) = match decode_basic_auth(&headers) {
 Some(c) => c,
 None => {
 return (
@@ -138,9 +138,11 @@ pub async fn post_login(headers: HeaderMap) -> impl IntoResponse {
 .into_response();
 }
 };
- if !verify_system_credentials(&username, &password) {
+
+ if !verify_system_credentials(&username, &password_and_totp) {
 return (StatusCode::UNAUTHORIZED, "Invalid credentials").into_response();
 }
+
 let token = create_token(&username);
 (StatusCode::OK, Json(serde_json::json!({ "token": token }))).into_response()
 }
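Review bot: `username` reaches `Client::with_password("server-dash-api")` straight from the HTTP Basic header, and the new PAM service substitutes it into `secret=/var/lib/server-dash-api/google-auth/%u`, so it should be validated before PAM sees it rather than relying on the module to reject path separators — e.g. at the top of verify_system_credentials: `if username.is_empty() || username.starts_with('.') || !username.chars().all(|c| c.is_ascii_alphanumeric() || matches!(c, '.' | '_' | '-')) { return false; }`. The `Err(_) => return false` branch also makes a missing or mis-named PAM service indistinguishable from a wrong password, which will make the service switch this commit makes hard to debug; log the error server-side (never to the client) before returning. The function body continues past the hunk, and since PAM authentication is a blocking call reached from async handlers, running it under `tokio::task::spawn_blocking` at the call site is worth considering if the server is on tokio, as the axum dependency suggests.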
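Review bot: The rename to `password_and_totp` is the only record of the concatenation contract; post_login never splits the value, verify_system_credentials still calls its parameter `password`, and the split is delegated entirely to PAM. A comment on the call, `// Basic-auth password is <unix password><TOTP code>; pam_google_authenticator (forward_pass) splits it`, would tell the next reader where that happens — and would flag that, if the PAM stack lacks `forward_pass`, this call cannot succeed. The endpoint returns the same "Invalid credentials" 401 for a wrong password, a wrong code and, presumably, a user with no enrolled secret file, which is right for clients but means enrollment problems surface only in the PAM log; worth noting in the handler's doc comment.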