diff --git a/paris-container.nix b/paris-container.nix
index c38245c..b22592a 100644
--- a/paris-container.nix
+++ b/paris-container.nix
@@ -35,6 +35,12 @@ in {
       default = [ ];
     };
 
+    nixos-modules = mkOption {
+      type = listOf package;
+      default = [ ];
+      description = "NixOS modules to add to Paris.";
+    };
+
     kerberos = mkOption {
       type = nullOr (submodule {
         options = {
@@ -62,7 +68,7 @@ in {
         port = mkOption {
           type = port;
           description = "Port on which to listen for LDAP requests.";
-          default = 4389;
+          default = 4636;
         };
 
         access-group = mkOption {
@@ -233,7 +239,7 @@ in {
       image = cfg.ldap.image;
       autoStart = true;
       ports =
-        map (ip: "${ip}:${toString cfg.ldap.port}:3389") cfg.ldap.listen-ips;
+        map (ip: "${ip}:${toString cfg.ldap.port}:6636") cfg.ldap.listen-ips;
       environmentFiles = [ hostSecrets.parisLdapEnv.target-file ];
     };
 
@@ -281,7 +287,10 @@ in {
       '';
     };
 
-    security.pam.krb5.enable = true;
+    security.pam = {
+      krb5.enable = true;
+      services.sshd.makeHomeDir = true;
+    };
 
     krb5 = mkIf (!isNull cfg.kerberos) {
       enable = true;
@@ -295,6 +304,7 @@ in {
     openssh = {
       enable = true;
       startWhenNeeded = true;
+      permiitRootLogin = "no";
       hostKeys = map (keypair: {
         path = "/run/openssh/keys/${keypairFilename keypair}";
         type = keypair.key-type;
@@ -351,6 +361,8 @@ in {
         ldap_default_bind_dn = cfg.ldap.bind-dn;
         ldap_default_authtok = "$LDAP_DEFAULT_AUTHTOKEN";
 
+
+        ldap_tls_reqcert = "allow";
       };
     };
   };
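Review bot: `type = listOf package;` on the new nixos-modules option will reject the values its description promises, because NixOS modules are attribute sets, functions or paths rather than derivations, so any real module passed here fails type checking. I'd change it to `type = listOf deferredModule;` (or `listOf raw` on a nixpkgs too old to have deferredModule) so the option accepts module values. The option is not consumed anywhere in this diff, so wherever it is fed into `imports` should be checked against the corrected type. The enclosing options attrset starts before this hunk.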
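Review bot: The new default of 4636 here, together with the container-side port moving from 3389 to 6636 in the `ports =` hunk further down, reads as a switch to LDAP over TLS, but the option description still says "LDAP requests" and nothing in the diff states which side now speaks TLS. If that reading is right, `description = "Port on which to listen for LDAP-over-TLS (LDAPS) requests.";` keeps the option honest, and the sssd `ldap_uri` (not in this diff) needs an `ldaps://` scheme for the new port to be used as intended. The `port` option itself is fully inside the hunk, but the `ldap` submodule that contains it starts and ends outside.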
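Review bot: `permiitRootLogin = "no";` is misspelled, so this line does not disable root login over SSH; under the NixOS module system an undeclared option normally aborts evaluation with an option-does-not-exist error, and if this attrset happens to be freeform the value is silently ignored and sshd keeps its default instead. On current nixpkgs the option is `settings.PermitRootLogin` (`permitRootLogin` on older releases), so the line should become `settings.PermitRootLogin = "no";`. The `openssh` attrset opens inside the hunk but closes past it, and the block containing it (presumably `services`) starts outside.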
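Review bot: `ldap_tls_reqcert = "allow";` tells sssd to continue the TLS handshake even when the LDAP server presents no certificate or one that does not validate, which leaves the bind credentials referenced in `ldap_default_authtok` two lines above without server authentication despite the move to an LDAPS port elsewhere in this diff. If the server certificate is self-signed or from a private CA, the defensible fix is to trust that CA rather than weaken verification: `ldap_tls_reqcert = "demand";` together with `ldap_tls_cacert = "<PATH-TO-CA-PEM>";` (placeholder; point it at the CA that signed the LDAP server certificate). If `allow` is a deliberate stop-gap, a comment saying why and until when would help the next reader. The sssd config attrset these lines belong to starts before the hunk; only its closing braces are visible here.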