From 86e8fe739755fb83e025bebe3bf1d2bfa6eb0bf6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Jane=C5=BEi=C4=8D?=
Date: Thu, 9 Apr 2026 09:59:27 +0200
Subject: [PATCH] feat: filedrop via sftp

---
 features/filedrop.nix | 42 ++++++++++++++++++++++++++++++++++++++++++
 features/gaming.nix | 20 +++++++++++---------
 flake/hosts.nix | 1 +
 secrets/floo.yaml | 28 ++++++++++++++++++++++++++++
 4 files changed, 82 insertions(+), 9 deletions(-)
 create mode 100644 features/filedrop.nix
 create mode 100644 secrets/floo.yaml

diff --git a/features/filedrop.nix b/features/filedrop.nix
new file mode 100644
index 0000000..4cebf26
--- /dev/null
+++ b/features/filedrop.nix
@@ -0,0 +1,42 @@
+{
+ nixos =
+ { config, userKeys, ... }:
+ {
+ sops.secrets.filedrop-authorized-keys = {
+ sopsFile = ../secrets/floo.yaml;
+ mode = "0444";
+ };
+
+ users.groups.filedrop = {
+ members = [ "matej" ];
+ };
+
+ users.users.filedrop = {
+ isSystemUser = true;
+ group = "filedrop";
+ home = "/home/filedrop";
+ shell = "/run/current-system/sw/bin/nologin";
+ openssh.authorizedKeys.keys = userKeys.sshAuthorizedKeys;
+ };
+
+ # chroot dir must be root-owned; incoming is writable by filedrop
+ systemd.tmpfiles.rules = [
+ "d /home/filedrop 0755 root root -"
+ "d /home/filedrop/incoming 2775 filedrop filedrop -"
+ "a+ /home/filedrop/incoming - - - - group:filedrop:rwx"
+ "a+ /home/filedrop/incoming - - - - default:group:filedrop:rwx"
+ "a+ /home/filedrop/incoming - - - - default:mask::rwx"
+ "L /home/matej/filedrop - - - - /home/filedrop/incoming"
+ ];
+
+ # relaxed umask so default acl takes full effect
+ services.openssh.extraConfig = ''
+ Match User filedrop
+ ForceCommand internal-sftp -u 0002
+ ChrootDirectory /home/filedrop
+ AuthorizedKeysFile /etc/ssh/authorized_keys.d/filedrop %h/.ssh/authorized_keys ${config.sops.secrets.filedrop-authorized-keys.path}
+ AllowTcpForwarding no
+ X11Forwarding no
+ '';
+ };
+}
diff --git a/features/gaming.nix b/features/gaming.nix
index 80e1af6..feaf7e7 100644
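Review bot: The `Match User filedrop` block in features/filedrop.nix stops at `AllowTcpForwarding no` / `X11Forwarding no`, leaving agent forwarding, tunnel devices and TTY allocation at the global defaults for an account that is meant to be an SFTP-only drop box; add `AllowAgentForwarding no`, `PermitTunnel no` and `PermitTTY no` to the same Match block so the restriction does not depend on whatever the host-wide sshd settings happen to be. The `%h/.ssh/authorized_keys` entry in `AuthorizedKeysFile` resolves inside the chroot and is only safe because the tmpfiles rule keeps `/home/filedrop` root-owned 0755, which sshd also enforces for ChrootDirectory; the existing comment could say so, e.g. `# chroot dir must be root-owned (sshd refuses otherwise; also keeps %h/.ssh unwritable)`. `mode = "0444"` on the sops secret is appropriate here because the file holds public keys that sshd opens with the target user's privileges; if that secret ever grows private material it should instead get `owner = "filedrop"` with the default 0400 mode.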
--- a/features/gaming.nix
+++ b/features/gaming.nix
@@ -1,12 +1,14 @@
 {
- nixos = {pkgs, ...} : {
- programs.steam = {
- enable = true;
- remotePlay.openFirewall = true;
- dedicatedServer.openFirewall = true;
- localNetworkGameTransfers.openFirewall = true;
- };
+ nixos =
+ { pkgs, ... }:
+ {
+ programs.steam = {
+ enable = true;
+ remotePlay.openFirewall = true;
+ dedicatedServer.openFirewall = true;
+ localNetworkGameTransfers.openFirewall = true;
+ };
 
- environment.systemPackages = [ pkgs.prismlauncher ];
- };
+ environment.systemPackages = [ pkgs.prismlauncher ];
+ };
 }
diff --git a/flake/hosts.nix b/flake/hosts.nix
index 93c0809..338fb59 100644
--- a/flake/hosts.nix
+++ b/flake/hosts.nix
@@ -96,6 +96,7 @@ in
 "shell"
 "tailscale"
 "remote-base"
+ "filedrop"
 ];
 };
 
diff --git a/secrets/floo.yaml b/secrets/floo.yaml
new file mode 100644
index 0000000..88ad860
--- /dev/null
+++ b/secrets/floo.yaml
@@ -0,0 +1,28 @@
+filedrop-authorized-keys: ENC[AES256_GCM,data:3zg0ZZR/EfmffhT+5hiiCawhHW0Y8VOcsMRwPq50AgSvM8DJO/fOK5RhPMlHmOOXSbYYal9QoPILP5rSHDMszk6QSRqmvAbpkpJhgfW4jx8XbLTFxO4lUKe/hd968ryqP2pXtZzUBnOp4vSI29LcYms6e8fSwS8ANtSIjCLkEsY=,iv:EOjsWB7uxjqI5NXot586Q0997SOmkAMwVkxm6VLplDc=,tag:Q4rB6KFibV+F79/rs5m0dA==,type:str]
+sops:
+ age:
+ - recipient: age1hksdq2lc89thnpth49sw44f0pmkp950plrhhnttj4petvnfy04tsydz6fl
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTRk1qOGNGNFp4VS9GOUs0
+ dTQ0K3A2Y3VXY3NSV0RyU0VxV3VCa0dDOG5zClAvOElXcHhYaWNCamxFZHMvV2Iy
+ WFRwNFRjaHpKSDdkak5UK05hd0hYMFUKLS0tIGRQeVJGdk8vYVdQdS9BYVd3TEhn
+ UWxzeHlaY2pvdS9tbW9vaVE5NTNwRFEKKieIA5Sn6oN5qjDwh5/usaKwLdYPClmS
+ d+hBdcn4/mtQnrm9dnbRVHd/B1MOuQxoXEB1kc4nzFKvCEqRdRIlYQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-04-09T08:57:26Z"
+ mac: ENC[AES256_GCM,data:XHC5cBvQuDi9byVgDymx9qSbplDlHwFTSLaGfWTRQJZeioBelDgBwUstbgWDeNPj1RzGGaSa3+kDOa054DuXi/mw2nDnLGuQDFAmJ66kepJE1mw4F6i4+YnbSE+y7GTbTkUkvbmiNV7uGO4Fq9jy/gNb1wq3IHzDVaKNjNbkKAk=,iv:qK/tgbAkxGpfgJAjBrqDwO/lVkD79pY9S3hzXGGycvM=,tag:oHURU988sW4iN7fXwurOtQ==,type:str]
+ pgp:
+ - created_at: "2026-04-09T08:55:59Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4DPaEEpDtHdk8SAQdATk1lN0/WDX6S1oPje9jZloSll1qSNau3zgt67CrselMw
+ YlbenxVeY8G4qTvfimX9/qH1/SNHkL/B0jqMCEkw8EpeyA3oEIWuzEEEOA+W/Iri
+ 0lwB26CTd8PKwvjuMwmvzTaZfQ9fk+ZsvIjtQaj//WA2utfU4b9T2E+M2Jb5vyki
+ INcWT4PJkNSDxm5NabcTqyetcorDGaU1oN/T1p7pvRBvGCSHItYthVvq/RC0bw==
+ =pKJc
+ -----END PGP MESSAGE-----
+ fp: AF349EECC849D87B790E88FF6318FFB7DB374B7D
+ unencrypted_suffix: _unencrypted
+ version: 3.12.2