2 years ago

#56329

cocomac

How to use TOTP codes for NGINX authentication?

I have a very basic NGINX configuration (I've removed the irrelevant parts of the config):

events { }
http {
    include /etc/nginx/mime.types;
    server {
        listen 80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }
    server {
        server_name files.example.org;
        include nginx-wildcard-ssl.conf;
        root /files;
        autoindex on;
        location / {
            try_files $uri $uri/ =404;
        }
    }
}

nginx-wildcard-ssl.conf is a simple file for doing SSL. Here it is if you're wondering (I've removed the paths to the certificates):

listen 443 ssl;
ssl_certificate /.../cert.pem;
ssl_certificate_key /.../privkey.pem;

That configuration serves the files in /files at files.example.org (but with my domain), and gives a directory listing, and I can view the files as expected.

However, some of those files contain private information. NGINX has a guide to using basic HTTP authentication. But, in addition to using a password with basic authentication, I'd also like to require a 2FA TOTP code in addition to the password to sign in. If it matters, the server is running Debian 11, and I am the sole user of it (and so have root privileges). I'm already using SSL, so I'm not too concerned with using basic authentication.

How can I configure NGINX to require TOTP codes for 2FA combined with basic authentication?

security

nginx

nginx-config

two-factor-authentication

totp

0 Answers
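
An added example, not part of the original post: the check a backend called through NGINX's auth_request directive could run, assuming the user types the password followed by the 6-digit code into the Basic-auth password field. The account, salt, helper names and that password+code convention are assumptions for illustration; the TOTP secret is the RFC 6238 test key.

```python
import base64, hashlib, hmac, struct

STEP, DIGITS = 30, 6

def totp(secret_b32: str, counter: int) -> str:
    """RFC 6238 code (HMAC-SHA1) for one 30-second time-step counter."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10**DIGITS).zfill(DIGITS)

def matching_counter(secret_b32, code, now, window=1):
    """Return the time step the code matches within +/- window steps, else None."""
    current = int(now) // STEP
    for c in range(current - window, current + window + 1):
        if hmac.compare_digest(totp(secret_b32, c).encode(), code.encode()):
            return c
    return None

def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def authorize(auth_header, users, now):
    """Return the status an auth_request backend would send: 200 or 401."""
    try:
        scheme, blob = auth_header.split(" ", 1)
        user, field = base64.b64decode(blob, validate=True).decode().split(":", 1)
    except (AttributeError, ValueError):
        return 401
    rec = users.get(user)
    if scheme.lower() != "basic" or rec is None or len(field) <= DIGITS:
        return 401
    password, code = field[:-DIGITS], field[-DIGITS:]  # assumed: password+code
    if not hmac.compare_digest(pw_hash(password, rec["salt"]), rec["pw"]):
        return 401
    step = matching_counter(rec["totp"], code, now)
    if step is None or step <= rec["last_step"]:  # wrong or replayed code
        return 401
    rec["last_step"] = step
    return 200

# Constructed sample account (hypothetical user, password and salt).
SALT = b"constructed-salt"
USERS = {"alice": {"salt": SALT, "pw": pw_hash("hunter2", SALT),
                   "totp": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", "last_step": -1}}

def header_for(user, password_and_code):
    return "Basic " + base64.b64encode(f"{user}:{password_and_code}".encode()).decode()
```

Browsers resend the same Basic header on every request, so a deployment built this way would hand out a session cookie after the first 200 instead of re-checking the code each time.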
