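{
  # NixOS module: an SFTP-only "filedrop" account.
  #
  # `filedrop` is a system user that can only log in via public key and is
  # forced into `internal-sftp`, chrooted to /home/filedrop.  Uploads land in
  # /home/filedrop/incoming, which is group-writable (setgid + default ACLs)
  # so that members of the `filedrop` group (here: matej) can read and manage
  # what was dropped.  A symlink in matej's home points at the incoming dir.
  #
  # Module arguments:
  #   config   - the evaluated NixOS config (used for the sops secret path)
  #   userKeys - expected to provide `sshAuthorizedKeys`, a list of public
  #              key strings (shape assumed from usage below; confirm at the
  #              call site)
  nixos = { config, userKeys, ... }: {
    # Extra authorized keys kept in the sops store.  Only public keys live in
    # this file, so world-readable (0444) is acceptable; it also needs to be
    # readable by sshd when it consults the key file for this user.
    sops.secrets.filedrop-authorized-keys = {
      sopsFile = ../secrets/floo.yaml;
      mode = "0444";
    };

    # Group that is granted access to the incoming directory via ACLs.
    users.groups.filedrop = {
      members = [ "matej" ];
    };

    users.users.filedrop = {
      isSystemUser = true;
      group = "filedrop";
      home = "/home/filedrop";
      # No interactive shell: the account is only ever used through
      # ForceCommand internal-sftp (see the sshd Match block below).
      shell = "/run/current-system/sw/bin/nologin";
      openssh.authorizedKeys = {
        keys = userKeys.sshAuthorizedKeys;
        keyFiles = [ config.sops.secrets.filedrop-authorized-keys.path ];
      };
    };

    # chroot dir must be root-owned and not group/world-writable, otherwise
    # sshd refuses the ChrootDirectory; only `incoming` is writable by filedrop.
    # The setgid bit (2775) keeps new files in the filedrop group; the default
    # ACLs give the group rwx on everything created underneath.
    systemd.tmpfiles.rules = [
      "d /home/filedrop 0755 root root -"
      "d /home/filedrop/incoming 2775 filedrop filedrop -"
      "a+ /home/filedrop/incoming - - - - group:filedrop:rwx"
      "a+ /home/filedrop/incoming - - - - default:group:filedrop:rwx"
      "a+ /home/filedrop/incoming - - - - default:mask::rwx"
      "L /home/matej/filedrop - - - - /home/filedrop/incoming"
    ];

    # Lock the account down to SFTP inside the chroot.  The relaxed umask
    # (0002) is deliberate so the default ACL above takes full effect on
    # uploaded files.  Agent forwarding, PTY allocation and tunnel devices are
    # explicitly denied as well: none of them are needed for a drop box and
    # leaving them at the global defaults widens what this key can do.
    services.openssh.extraConfig = ''
      Match User filedrop
        ForceCommand internal-sftp -u 0002
        ChrootDirectory /home/filedrop
        AllowTcpForwarding no
        AllowAgentForwarding no
        PermitTTY no
        PermitTunnel no
        X11Forwarding no
    '';
  };
}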