diff --git a/modules/services/data-access/config.nix b/modules/services/data-access/config.nix
index 7b923018..1d1b4f1a 100644
--- a/modules/services/data-access/config.nix
+++ b/modules/services/data-access/config.nix
@@ -9,6 +9,15 @@
     group = "users";
     passwordFile = "/run/secrets/password_file";
   };
+  users.users.readonly = {
+    isNormalUser = true;
+    home = "/home/readonly";
+    description = "Readonly data access";
+    uid = 1001;
+    group = "sftponly";
+    passwordFile = "/run/secrets/readonly_password_file";
+  };
+  users.groups.sftponly = { gid = 10000; };
   environment.systemPackages = [ pkgs.rsync pkgs.mktorrent (pkgs.writeShellScriptBin "create_torrent" ". /run/secrets/create_torrent") ];
   security.sudo.enable = false;
   services.openssh = {
@@ -20,7 +29,12 @@
     ];
     extraConfig = ''
       HostKeyAlgorithms +ssh-rsa
+      Match group sftponly
+        X11Forwarding no
+        AllowTcpForwarding no
+        AllowAgentForwarding no
+        ForceCommand internal-sftp
     '';
-    authorizedKeysFiles = [ "/run/secrets/authorized_keys" ];
+    authorizedKeysFiles = [ "/run/secrets/%u_authorized_keys" ];
   };
 }
diff --git a/modules/services/data-access/default.nix b/modules/services/data-access/default.nix
index bf015c21..20d03f4e 100644
--- a/modules/services/data-access/default.nix
+++ b/modules/services/data-access/default.nix
@@ -40,6 +40,10 @@
       hostPath = "/srv/data";
       isReadOnly = false;
     };
+    "/home/readonly/data" = {
+      hostPath = "/srv/data";
+      isReadOnly = true;
+    };
     "/run/secrets" = {
       hostPath = "/run/data-access";
       isReadOnly = true;
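Review bot: The hard-coded `uid = 1001` in the new `users.users.readonly` block is silently coupled to `owner = "1001"` on the readonly_authorized_keys secret in default.nix (the hunk at -86,10), and nothing in either file records that. A comment on the uid line such as `# must match the numeric owner of age.secrets."data-access/readonly_authorized_keys" in default.nix (host has no 'readonly' user)` would keep the two from drifting. `isNormalUser = true` also, as far as NixOS's defaults go, gives the account a login shell and an auto-created user-owned home; the sshd Match block forces internal-sftp, but if sftp-only is the intent it is worth saying so in a comment and checking whether `passwordFile` is needed at all for a key-authenticated account.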
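Review bot: The `Match group sftponly` block forces `internal-sftp` but sets no `ChrootDirectory`, so the readonly user's session starts in /home/readonly yet can walk to any path in the container that uid 1001 can read, and can write its own home (including `%h/.ssh/authorized_keys`, which NixOS's sshd module still lists in AuthorizedKeysFile alongside the value set here, if I recall its list-merge behaviour correctly). If the intent is to expose only `/home/readonly/data`, add `ChrootDirectory %h` and `PermitTTY no` under the Match; sshd then requires the chroot root to be root-owned and not writable by the user, so the home would have to be created root-owned (e.g. via a tmpfiles rule) rather than by `isNormalUser`'s createHome, with the read-only bind mount at `/home/readonly/data` beneath it. Separately, `authorizedKeysFiles = [ "/run/secrets/%u_authorized_keys" ]` only resolves for the existing account if it is literally named `data`, because its secret is renamed to data_authorized_keys in the default.nix hunk at -86,10; the user definition starts above this hunk, so confirm the name. `Match` also scopes everything after it in sshd_config, so this relies on extraConfig being emitted last — a one-line comment above `Match` saying so would help the next editor.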
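Review bot: `isReadOnly = true` on the `/home/readonly/data` bind mount blocks writes at the mount level, but whether uid 1001 can read anything beneath it depends on the host-side ownership and mode of `/srv/data`, which this diff does not show; if those files are readable only by the owner of the read-write mount above, the readonly account gets an empty view rather than a read-only one. A comment on the new mount, e.g. `# same host tree as the rw mount above; the readonly user (uid 1001) needs group/world read on /srv/data`, would record that assumption. The enclosing bindMounts attribute set starts and ends outside this hunk.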
@@ -86,10 +90,22 @@
       path = "/run/data-access/password_file";
       symlink = false;
     };
+    age.secrets."data-access/readonly_password_file" = {
+      file = ../../../secrets/data-access/readonly_password_file.age;
+      path = "/run/data-access/readonly_password_file";
+      symlink = false;
+    };
     age.secrets."data-access/authorized_keys" = {
       file = ../../../secrets/data-access/authorized_keys.age;
       owner = "charlotte";
-      path = "/run/data-access/authorized_keys";
+      path = "/run/data-access/data_authorized_keys";
+      symlink = false;
+    };
+    age.secrets."data-access/readonly_authorized_keys" = {
+      file = ../../../secrets/data-access/readonly_authorized_keys.age;
+      owner = "1001";
+      group = "65534";
+      path = "/run/data-access/readonly_authorized_keys";
       symlink = false;
     };
     age.secrets."data-access/create_torrent" = {
diff --git a/secrets.nix b/secrets.nix
index 29c203fc..449ebeeb 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -82,5 +82,7 @@ in
   "secrets/data-access/ssh_host_ed25519_key.pub.age".publicKeys = [ urithiru ] ++ users;
   "secrets/data-access/authorized_keys.age".publicKeys = [ urithiru ] ++ users;
   "secrets/data-access/password_file.age".publicKeys = [ urithiru ] ++ users;
+  "secrets/data-access/readonly_authorized_keys.age".publicKeys = [ urithiru ] ++ users;
+  "secrets/data-access/readonly_password_file.age".publicKeys = [ urithiru ] ++ users;
   "secrets/data-access/create_torrent.age".publicKeys = [ urithiru ] ++ users;
 }
diff --git a/secrets/data-access/readonly_authorized_keys.age b/secrets/data-access/readonly_authorized_keys.age
new file mode 100644
index 00000000..dc931377
Binary files /dev/null and b/secrets/data-access/readonly_authorized_keys.age differ
diff --git a/secrets/data-access/readonly_password_file.age b/secrets/data-access/readonly_password_file.age
new file mode 100644
index 00000000..ad2caabb
Binary files /dev/null and b/secrets/data-access/readonly_password_file.age differ
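Review bot: `owner = "1001"; group = "65534";` on the readonly_authorized_keys secret uses bare numeric ids with no explanation, while every other secret here uses a name or the default; the reason (the host has no `readonly` user and 65534 is presumably nogroup) belongs in a comment, e.g. `# numeric ids: the 'readonly' user exists only inside the container; sshd reads this file with that user's privileges, so it must be readable by uid 1001`. No `mode` is set, so the file's readability rests on agenix's default mode, which this diff does not show — confirm it is owner-readable. The new readonly_password_file secret keeps the default (root) ownership, which looks intentional since the password hash is consumed during user activation rather than by the account itself, but a one-line comment saying so would stop someone "fixing" it to match the key file.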