From 426ca2f9c311eabf3d74c48511653d892736533e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Jane=C5=BEi=C4=8D?=
Date: Thu, 9 Apr 2026 09:59:27 +0200
Subject: [PATCH] wip
---
features/filedrop.nix | 32 ++++++++++++++++++++++++++++++++
features/gaming.nix | 20 +++++++++++---------
flake/hosts.nix | 1 +
3 files changed, 44 insertions(+), 9 deletions(-)
create mode 100644 features/filedrop.nix
diff --git a/features/filedrop.nix b/features/filedrop.nix
new file mode 100644
index 0000000..330bcaf
--- /dev/null
+++ b/features/filedrop.nix
@@ -0,0 +1,32 @@
+{
+ nixos = _: {
+ users.groups.filedrop = {
+ members = [ "matej" ];
+ };
+
+ users.users.filedrop = {
+ isSystemUser = true;
+ group = "filedrop";
+ home = "/home/filedrop";
+ shell = "/run/current-system/sw/bin/nologin";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB9R5UycluqUZBfK0X+l7JTUqnM/0GFFmVijKfj2cbE3 tilenmarc"
+ ];
+ };
+
+ # chroot dir must be root-owned; incoming is writable by filedrop
+ systemd.tmpfiles.rules = [
+ "d /home/filedrop 0755 root root -"
+ "d /home/filedrop/incoming 0775 filedrop filedrop -"
+ "L /home/matej/filedrop - - - - /home/filedrop/incoming"
+ ];
+
+ services.openssh.extraConfig = ''
+ Match User filedrop
+ ForceCommand internal-sftp
+ ChrootDirectory /home/filedrop
+ AllowTcpForwarding no
+ X11Forwarding no
+ '';
+ };
+}
diff --git a/features/gaming.nix b/features/gaming.nix
index 80e1af6..feaf7e7 100644
--- a/features/gaming.nix
+++ b/features/gaming.nix
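Review bot: The `Match User filedrop` block in `services.openssh.extraConfig` of features/filedrop.nix is left open, so any sshd option that lands after it in the generated sshd_config (for instance from another module's `extraConfig`, depending on merge order) would silently apply to filedrop only instead of globally; closing the fragment with a final `Match All` line avoids that. The block also disables only TCP and X11 forwarding, which leaves agent and Unix-socket forwarding at their defaults for a key held by an outside party; `DisableForwarding yes` covers all of them in one line, and `PasswordAuthentication no` inside the block would keep the account key-only whatever the global setting is. Nothing in the hunk bounds how much can be written into /home/filedrop/incoming, which sits on the same tree as the regular home directories, so a quota or a dedicated filesystem is worth considering before this leaves "wip".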
@@ -1,12 +1,14 @@
 {
- nixos = {pkgs, ...} : {
- programs.steam = {
- enable = true;
- remotePlay.openFirewall = true;
- dedicatedServer.openFirewall = true;
- localNetworkGameTransfers.openFirewall = true;
- };
+ nixos =
+ { pkgs, ... }:
+ {
+ programs.steam = {
+ enable = true;
+ remotePlay.openFirewall = true;
+ dedicatedServer.openFirewall = true;
+ localNetworkGameTransfers.openFirewall = true;
+ };
 
- environment.systemPackages = [ pkgs.prismlauncher ];
- };
+ environment.systemPackages = [ pkgs.prismlauncher ];
+ };
 }
diff --git a/flake/hosts.nix b/flake/hosts.nix
index 93c0809..338fb59 100644
--- a/flake/hosts.nix
+++ b/flake/hosts.nix
@@ -96,6 +96,7 @@ in
 "shell"
 "tailscale"
 "remote-base"
+ "filedrop"
 ];
 };