Setting pam otpw *after* pam_unix, for dovecot failed auth messages.

I think it's nice that it first asks the usual password, and then offers the
otpw one if enabled. That enables dovecot to show the last pam prompt.

I also add the dovecot option for that.

modules/security/pam.nix

@@ -87,9 +87,9 @@ let
               "auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u"}
           ${optionalString usbAuth
               "auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"}
+          auth sufficient pam_unix.so ${optionalString allowNullPassword "nullok"} likeauth
           ${optionalString otpwAuth
               "auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}
-          auth sufficient pam_unix.so ${optionalString allowNullPassword "nullok"} likeauth
           ${optionalString config.users.ldap.enable
               "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"}
           ${optionalString config.krb5.enable ''

modules/services/mail/dovecot.nix

@@ -39,7 +39,7 @@ let
       }
       passdb {
         driver = pam
-        args = dovecot2
+        args = ${optionalString cfg.showPAMFailure "failure_show_msg=yes"} dovecot2
       }
 
       pop3_uidl_format = %08Xv%08Xu
@@ -111,6 +111,10 @@ in
         description = "Server key.";
       };
 
+      showPAMFailure = mkOption {
+        default = false;
+        description = "Show the PAM failure message on authentication error (useful for OTPW).";
+      };
     };
 
   };