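# NixOS module: client-side SSH host-based authentication towards `node-*` hosts.
#
# It does four things:
#   1. replaces `pkgs.openssh` with a build carrying a local patch,
#   2. enables ssh-keysign and HostbasedAuthentication in the system ssh_config,
#   3. installs a setuid-root wrapper for the ssh-keysign helper,
#   4. adds the local `usermgr` package to root's packages.
{ pkgs, lib, config, ... }:
with lib;
{
  nixpkgs.overlays = [
    (self: super: {
      # The overlay replaces the `openssh` attribute itself, so every use of
      # `pkgs.openssh` in this configuration (including the wrapper source
      # below) gets the patched build.
      #
      # NOTE(review): the patch file is not part of this module. Its name
      # suggests it removes a check from ssh-keysign, a helper that is
      # installed setuid root below. Record here which check is removed and
      # why, and re-review the patch against upstream on every OpenSSH update.
      openssh = super.openssh.overrideAttrs (final: prev: {
        # `or [ ]` keeps evaluation working if the base derivation ever
        # stops defining `patches`.
        patches = (prev.patches or [ ]) ++ [
          ../../patches/openssh-keysign-check-remove.patch
        ];
      });
    })
  ];

  programs.ssh = {
    # EnableSSHKeysign stays above the first `Host` line so that it is a
    # global option rather than part of the host-specific block.
    #
    # NOTE(review): the bare `node-*` pattern matches any host name that
    # starts with "node-", not only hosts under networking.domain; narrow it
    # if host-based authentication should only be attempted inside the domain.
    # NOTE(review): this interpolation fails at evaluation time when
    # `networking.domain` is left unset (null); confirm it is always set
    # wherever this module is imported.
    extraConfig = ''
      EnableSSHKeysign yes
      Host node-*.${config.networking.domain} node-*
        HostbasedAuthentication yes
    '';
  };

  # Setuid-root wrapper around the patched ssh-keysign binary.
  # NOTE(review): verify that the ssh client actually executes this wrapper
  # rather than the non-setuid copy in the Nix store, and keep this the only
  # privileged entry point to the helper.
  security.wrappers."ssh-keysign" = {
    source = "${pkgs.openssh}/libexec/ssh-keysign";
    setuid = true;
    owner = "root";
    group = "root";
  };

  # Local package built from ../../packages/usermgr, installed for root only.
  users.users."root".packages = [
    (pkgs.callPackage ../../packages/usermgr { })
  ];
}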