Don't launch if it's not enabled

paris-container.nix

@@ -25,6 +25,12 @@ in {
       default = [ ];
     };
 
+    ssh-keys = mkOption {
+      type = listOf str;
+      description = "List of SSH keys to use.";
+      default = [ ];
+    };
+
     ldap = {
       image = mkOption {
         type = str;
@@ -126,7 +132,7 @@ in {
     };
   };
 
-  config = {
+  config = mkIf cfg.enable {
     systemd.tmpfiles.rules =
       [ "d ${cfg.state-directory}/home 0700 root root - -" ];
 
@@ -168,48 +174,61 @@ in {
 
         environment.systemPackages = packages;
 
-        services.sssd = {
+        services = {
-          enable = true;
+          opensssh = {
-          kcm = true;
+            enable = true;
-          environmentFile = hostSecrets.parisSssdEnv.target-file;
+            startWhenNeeded = true;
-          config = lib.generators.toINI { } {
+            hostKeys = FIXME;
-            sssd = {
+            settings = {
-              config_file_version = 2;
+              UseDns = true;
-              reconnection_retries = 3;
+              PermitRootLogin = "no";
-              sbus_timeout = 30;
-              services = concatStringsSep " " [ "nss" "pam" "ssh" ];
-              domains = concatStringsSep " " [ cfg.ldap.domain ];
             };
+          };
 
-            pam = { reconnection_retries = 3; };
+          sssd = {
+            enable = true;
+            kcm = true;
+            environmentFile = hostSecrets.parisSssdEnv.target-file;
+            config = lib.generators.toINI { } {
+              sssd = {
+                config_file_version = 2;
+                reconnection_retries = 3;
+                sbus_timeout = 30;
+                services = concatStringsSep " " [ "nss" "pam" "ssh" ];
+                domains = concatStringsSep " " [ cfg.ldap.domain ];
+              };
 
-            nss = {
+              pam = { reconnection_retries = 3; };
-              filter_groups = "root";
-              filter_users = "root";
-              reconnection_retries = 3;
-            };
 
-            "domain/${cfg.ldap.domain}" = {
+              nss = {
-              cache_credentials = true;
+                filter_groups = "root";
-              id_provider = "ldap";
+                filter_users = "root";
-              chpass_provider = "ldap";
+                reconnection_retries = 3;
-              auth_provider = "ldap";
+              };
-              access_provider = "ldap";
 
-              ldap_uri = "ldap://localhost:${toString cfg.ldap.port}";
+              "domain/${cfg.ldap.domain}" = {
-              ldap_schema = "rfc2307bis";
+                cache_credentials = true;
+                id_provider = "ldap";
+                chpass_provider = "ldap";
+                auth_provider = "ldap";
+                access_provider = "ldap";
 
-              ldap_search_base = cfg.ldap.base;
+                ldap_uri = "ldap://localhost:${toString cfg.ldap.port}";
-              ldap_user_search_base = "${cfg.ldap.user-ou},${cfg.ldap.base}";
+                ldap_schema = "rfc2307bis";
-              ldap_group_search_base = "${cfg.ldap.group-ou},${cfg.ldap.base}";
 
-              ladp_user_object_class = "user";
+                ldap_search_base = cfg.ldap.base;
-              ldap_user_cn = "cn";
+                ldap_user_search_base = "${cfg.ldap.user-ou},${cfg.ldap.base}";
-              ldap_group_object_class = "group";
+                ldap_group_search_base =
-              ldap_group_name = "cn";
+                  "${cfg.ldap.group-ou},${cfg.ldap.base}";
 
-              ldap_default_bind_dn = cfg.ldap.bind-dn;
+                ladp_user_object_class = "user";
-              ldap_default_authtok = "$LDAP_DEFAULT_AUTHTOKEN";
+                ldap_user_cn = "cn";
+                ldap_group_object_class = "group";
+                ldap_group_name = "cn";
+
+                ldap_default_bind_dn = cfg.ldap.bind-dn;
+                ldap_default_authtok = "$LDAP_DEFAULT_AUTHTOKEN";
+              };
             };
           };
         };