wip

features/filedrop.nix

@@ -0,0 +1,32 @@
+{
+  nixos = _: {
+    users.groups.filedrop = {
+      members = [ "matej" ];
+    };
+
+    users.users.filedrop = {
+      isSystemUser = true;
+      group = "filedrop";
+      home = "/home/filedrop";
+      shell = "/run/current-system/sw/bin/nologin";
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB9R5UycluqUZBfK0X+l7JTUqnM/0GFFmVijKfj2cbE3 tilenmarc"
+      ];
+    };
+
+    # chroot dir must be root-owned; incoming is writable by filedrop
+    systemd.tmpfiles.rules = [
+      "d /home/filedrop 0755 root root -"
+      "d /home/filedrop/incoming 0775 filedrop filedrop -"
+      "L /home/matej/filedrop - - - - /home/filedrop/incoming"
+    ];
+
+    services.openssh.extraConfig = ''
+      Match User filedrop
+        ForceCommand internal-sftp
+        ChrootDirectory /home/filedrop
+        AllowTcpForwarding no
+        X11Forwarding no
+    '';
+  };
+}

features/gaming.nix

@@ -1,5 +1,7 @@
 {
-  nixos = {pkgs, ...} : {
+  nixos =
+    { pkgs, ... }:
+    {
       programs.steam = {
         enable = true;
         remotePlay.openFirewall = true;

flake/hosts.nix

@@ -96,6 +96,7 @@ in
         "shell"
         "tailscale"
         "remote-base"
+        "filedrop"
       ];
     };