feat: filedrop via sftp

2026-04-09 09:59:27 +02:00
parent 0fa91d4f40
commit 86e8fe7397
4 changed files with 82 additions and 9 deletions
--- a/features/filedrop.nix
+++ b/features/filedrop.nix
@@ -0,0 +1,42 @@
+{
+  nixos =
+    { config, userKeys, ... }:
+    {
+      sops.secrets.filedrop-authorized-keys = {
+        sopsFile = ../secrets/floo.yaml;
+        mode = "0444";
+      };
+
+      users.groups.filedrop = {
+        members = [ "matej" ];
+      };
+
+      users.users.filedrop = {
+        isSystemUser = true;
+        group = "filedrop";
+        home = "/home/filedrop";
+        shell = "/run/current-system/sw/bin/nologin";
+        openssh.authorizedKeys.keys = userKeys.sshAuthorizedKeys;
+      };
+
+      # chroot dir must be root-owned; incoming is writable by filedrop
+      systemd.tmpfiles.rules = [
+        "d /home/filedrop 0755 root root -"
+        "d /home/filedrop/incoming 2775 filedrop filedrop -"
+        "a+ /home/filedrop/incoming - - - - group:filedrop:rwx"
+        "a+ /home/filedrop/incoming - - - - default:group:filedrop:rwx"
+        "a+ /home/filedrop/incoming - - - - default:mask::rwx"
+        "L /home/matej/filedrop - - - - /home/filedrop/incoming"
+      ];
+
+      # relaxed umask so default acl takes full effect
+      services.openssh.extraConfig = ''
+        Match User filedrop
+          ForceCommand internal-sftp -u 0002
+          ChrootDirectory /home/filedrop
+          AuthorizedKeysFile /etc/ssh/authorized_keys.d/filedrop %h/.ssh/authorized_keys ${config.sops.secrets.filedrop-authorized-keys.path}
+          AllowTcpForwarding no
+          X11Forwarding no
+      '';
+    };
+}
--- a/features/gaming.nix
+++ b/features/gaming.nix
@@ -1,12 +1,14 @@
 {
-  nixos = {pkgs, ...} : {
-    programs.steam = {
-      enable = true;
-      remotePlay.openFirewall = true;
-      dedicatedServer.openFirewall = true;
-      localNetworkGameTransfers.openFirewall = true;
-    };
+  nixos =
+    { pkgs, ... }:
+    {
+      programs.steam = {
+        enable = true;
+        remotePlay.openFirewall = true;
+        dedicatedServer.openFirewall = true;
+        localNetworkGameTransfers.openFirewall = true;
+      };

-    environment.systemPackages = [ pkgs.prismlauncher ];
-  };
+      environment.systemPackages = [ pkgs.prismlauncher ];
+    };
 }