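{ lib, pkgs, config, mylibs, myconfig, ... }:
{
  # sshd with LDAP-backed public keys: instead of (only) reading
  # ~/.ssh/authorized_keys, sshd runs an external command that prints the
  # authorized keys for the user logging in.
  config = {
    networking.firewall.allowedTCPPorts = [ 22 ];

    services.openssh.extraConfig = ''
      AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys %u
      AuthorizedKeysCommandUser nobody
    '';
    # `%u` (the target user name) is exactly what sshd passes when no token is
    # given (sshd_config(5)), so spelling it out changes nothing but keeps the
    # script's calling contract visible next to the script.
    # NOTE(review): `nobody` is shared with other unprivileged services, so
    # every process running as `nobody` can read the LDAP bind password
    # installed below. A dedicated system user (users.users.ssh-ldap with
    # isSystemUser = true, used here and for the secret file) would be
    # tighter; confirm the mySecrets module creates its files after users
    # exist before switching.

    # LDAP bind password. `dest = "ssh-ldap"` evidently becomes
    # /var/secrets/ssh-ldap (that is what the activation script below copies);
    # owned by the AuthorizedKeysCommandUser and readable by nobody else.
    # NOTE(review): the value comes straight from myconfig; whether mySecrets
    # keeps it out of the world-readable /nix/store depends on that module's
    # implementation - verify.
    mySecrets.keys = [{
      dest = "ssh-ldap";
      user = "nobody";
      group = "nobody";
      permissions = "0400";
      text = myconfig.env.sshd.ldap.password;
    }];

    # Copy the password to /etc/ssh/ldap_password (presumably the path
    # ldap_authorized_keys.sh reads - the script is not shown here), keeping
    # owner nobody:nobody and mode 0400. `-D` creates /etc/ssh if missing,
    # `-T` treats the destination as a plain file rather than a directory.
    system.activationScripts.sshd = ''
      install -Dm400 -o nobody -g nobody -T /var/secrets/ssh-ldap /etc/ssh/ldap_password
    '';

    # The command script itself. sshd refuses an AuthorizedKeysCommand that is
    # not root-owned or whose parent directories are group/world-writable
    # (sshd_config(5)), which a /nix/store path does not satisfy; giving
    # environment.etc an explicit mode makes it copy the file into /etc
    # instead of symlinking into the store. Do not move it back to the store.
    environment.etc."ssh/ldap_authorized_keys" =
      let
        # Wrapper around the shell script with the tools it needs on PATH.
        ldap_authorized_keys = mylibs.wrap {
          name = "ldap_authorized_keys";
          file = ./ldap_authorized_keys.sh;
          paths = [
            pkgs.which
            pkgs.gitolite
            pkgs.openldap
            pkgs.stdenv.shellPackage
            pkgs.gnugrep
            pkgs.gnused
            pkgs.coreutils
          ];
        };
      in
      {
        enable = true;
        mode = "0755";
        user = "root";
        source = ldap_authorized_keys;
      };
  };
}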