diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 4172bc6fbe1e..ac9da4a823b7 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -548,6 +548,9 @@ let
  (let yubi = config.security.pam.yubico; in optionalString cfg.yubicoAuth ''
  auth ${yubi.control} ${pkgs.yubico-pam}/lib/security/pam_yubico.so mode=${toString yubi.mode} ${optionalString (yubi.challengeResponsePath != null) "chalresp_path=${yubi.challengeResponsePath}"} ${optionalString (yubi.mode == "client") "id=${toString yubi.id}"} ${optionalString yubi.debug "debug"}
  '') +
+ (let dp9ik = config.security.pam.dp9ik; in optionalString dp9ik.enable ''
+ auth ${dp9ik.control} ${pkgs.pam_dp9ik}/lib/security/pam_p9.so ${dp9ik.authserver}
+ '') +
  optionalString cfg.fprintAuth ''
  auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so
  '' +
@@ -913,6 +916,32 @@ in
 
  security.pam.enableOTPW = mkEnableOption (lib.mdDoc "the OTPW (one-time password) PAM module");
 
+ security.pam.dp9ik = {
+ enable = mkEnableOption (
+ lib.mdDoc ''
+ the dp9ik pam module provided by tlsclient.
+
+ If set, users can be authenticated against the 9front
+ authentication server given in {option}`security.pam.dp9ik.authserver`.
+ ''
+ );
+ control = mkOption {
+ default = "sufficient";
+ type = types.str;
+ description = lib.mdDoc ''
+ This option sets the pam "control" used for this module.
+ '';
+ };
+ authserver = mkOption {
+ default = null;
+ type = with types; nullOr string;
+ description = lib.mdDoc ''
+ This controls the hostname for the 9front authentication server
+ that users will be authenticated against.
+ '';
+ };
+ };
+
  security.pam.krb5 = {
  enable = mkOption {
  default = config.krb5.enable;
diff --git a/pkgs/os-specific/linux/pam_dp9ik/default.nix b/pkgs/os-specific/linux/pam_dp9ik/default.nix
new file mode 100644
index 000000000000..382a3ca7b179
--- /dev/null
+++ b/pkgs/os-specific/linux/pam_dp9ik/default.nix
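Review bot: `${dp9ik.authserver}` on the added `auth` line is interpolated from an option whose default is `null` (the `authserver = mkOption { default = null; ... }` in the second hunk), so enabling `security.pam.dp9ik` without setting `authserver` fails at evaluation with a generic cannot-coerce-null error instead of a message naming the missing option. An assertion ties the two options together, appended to the module's assertions list (not visible in this diff; add a list if none exists): `{ assertion = cfg.dp9ik.enable -> cfg.dp9ik.authserver != null; message = "security.pam.dp9ik.authserver must be set when security.pam.dp9ik.enable is true"; }`. Alternatively drop the `null` default and type it `types.str`, so the module system itself reports the unset value. The `let` binding that assembles the PAM service text starts and ends outside this hunk.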
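Review bot: `type = with types; nullOr string;` on the `authserver` option uses `types.string`, which nixpkgs marks as deprecated because it silently concatenates multiple definitions, while the sibling `control` option in the same hunk already uses `types.str`; change it to `type = types.nullOr types.str;` so two conflicting definitions are rejected instead of being merged into a bogus hostname that is then handed to the module. The `control` description could also spell out what the default means for the stack, since the module is inserted ahead of the fprintd line in the first hunk: `With the default "sufficient", a success from the 9front auth server ends auth processing (unless an earlier required module already failed), so modules listed after it are not consulted.` Which modules follow it in the full stack is outside this hunk.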
@@ -0,0 +1,30 @@
+{ lib
+, tlsclient
+, stdenv
+, pkg-config
+, pam
+}:
+
+stdenv.mkDerivation {
+ inherit (tlsclient) src version enableParallelBuilding;
+
+ pname = "pam_dp9ik";
+
+ strictDeps = true;
+ nativeBuildInputs = [ pkg-config ];
+ buildInputs = [ pam ];
+
+ makeFlags = [ "pam_p9.so" ];
+ installPhase = ''
+ install -Dm755 -t $out/lib/security/ pam_p9.so
+ '';
+
+ meta = with lib; {
+ description = "dp9ik pam module";
+ longDescription = "Uses tlsclient to authenticate users against a 9front auth server";
+ homepage = "https://git.sr.ht/~moody/tlsclient";
+ license = licenses.mit;
+ maintainers = with maintainers; [ moody ];
+ platforms = platforms.linux;
+ };
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 6808609d4146..41a5a35d93ae 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -27957,6 +27957,8 @@ with pkgs;
 
  pam_ccreds = callPackage ../os-specific/linux/pam_ccreds { };
 
+ pam_dp9ik = callPackage ../os-specific/linux/pam_dp9ik { };
+
  pam_gnupg = callPackage ../os-specific/linux/pam_gnupg { };
 
  pam_krb5 = callPackage ../os-specific/linux/pam_krb5 { };