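# SFTP-only drop box: a dedicated `filedrop` account that can upload over SSH
# but gets no shell, no terminal and no forwarding of any kind.
# NOTE(review): the surrounding `{ nixos = <module>; }` shape is presumably what
# the importing framework expects; confirm against the caller.
{
  nixos = _: {
    # `matej` joins the group so the group-writable incoming directory
    # (mode 0775 below) can be managed from the regular account.
    users.groups.filedrop = {
      members = [ "matej" ];
    };

    users.users.filedrop = {
      isSystemUser = true;
      group = "filedrop";
      home = "/home/filedrop";
      # No interactive login; sshd serves SFTP in-process via ForceCommand.
      shell = "/run/current-system/sw/bin/nologin";
      # Public key of the only party allowed to upload. The restrictions for
      # this account are enforced server-side in the Match block below, so they
      # do not depend on per-key options.
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB9R5UycluqUZBfK0X+l7JTUqnM/0GFFmVijKfj2cbE3 tilenmarc"
      ];
    };

    # chroot dir must be root-owned; incoming is writable by filedrop.
    # sshd rejects a ChrootDirectory whose path components are not root-owned
    # or are writable by group/other, hence 0755 root:root on the chroot itself
    # and a separate writable subdirectory for uploads.
    systemd.tmpfiles.rules = [
      "d /home/filedrop 0755 root root -"
      "d /home/filedrop/incoming 0775 filedrop filedrop -"
      # Convenience symlink from the regular account into the drop directory.
      "L /home/matej/filedrop - - - - /home/filedrop/incoming"
    ];

    # Per-user sshd policy. AllowTcpForwarding only covers TCP; Unix-domain
    # socket forwarding, agent forwarding, tun(4) tunnels and PTY allocation
    # are separate switches and are turned off explicitly so the account is
    # limited to file transfer.
    # NOTE(review): a Match block stays open until the next Match line or end of
    # file. If other modules also contribute to services.openssh.extraConfig,
    # check the rendered sshd_config to confirm nothing unintended ends up
    # scoped to this user.
    services.openssh.extraConfig = ''
      Match User filedrop
        ForceCommand internal-sftp
        ChrootDirectory /home/filedrop
        AllowTcpForwarding no
        AllowStreamLocalForwarding no
        AllowAgentForwarding no
        X11Forwarding no
        PermitTunnel no
        PermitTTY no
    '';
  };
}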