From e71ae589e0d8968e01cfaf7b69eaa8218d329311 Mon Sep 17 00:00:00 2001
From: Charlotte Van Petegem
Date: Fri, 3 Jun 2022 21:02:37 +0200
Subject: [PATCH] Add readonly sftponly data access account
---
modules/services/data-access/config.nix | 16 +++++++++++++++-
modules/services/data-access/default.nix | 18 +++++++++++++++++-
secrets.nix | 2 ++
.../data-access/readonly_authorized_keys.age | Bin 0 -> 922 bytes
.../data-access/readonly_password_file.age | Bin 0 -> 575 bytes
5 files changed, 34 insertions(+), 2 deletions(-)
create mode 100644 secrets/data-access/readonly_authorized_keys.age
create mode 100644 secrets/data-access/readonly_password_file.age
diff --git a/modules/services/data-access/config.nix b/modules/services/data-access/config.nix
index 7b923018..1d1b4f1a 100644
--- a/modules/services/data-access/config.nix
+++ b/modules/services/data-access/config.nix
@@ -9,6 +9,15 @@
group = "users";
passwordFile = "/run/secrets/password_file";
};
+ users.users.readonly = {
+ isNormalUser = true;
+ home = "/home/readonly";
+ description = "Readonly data access";
+ uid = 1001;
+ group = "sftponly";
+ passwordFile = "/run/secrets/readonly_password_file";
+ };
+ users.groups.sftponly = { gid = 10000; };
environment.systemPackages = [ pkgs.rsync pkgs.mktorrent (pkgs.writeShellScriptBin "create_torrent" ". /run/secrets/create_torrent") ];
security.sudo.enable = false;
services.openssh = {
@@ -20,7 +29,12 @@
];
extraConfig = ''
HostKeyAlgorithms +ssh-rsa
+ Match group sftponly
+ X11Forwarding no
+ AllowTcpForwarding no
+ AllowAgentForwarding no
+ ForceCommand internal-sftp
'';
- authorizedKeysFiles = [ "/run/secrets/authorized_keys" ];
+ authorizedKeysFiles = [ "/run/secrets/%u_authorized_keys" ];
};
}
diff --git a/modules/services/data-access/default.nix b/modules/services/data-access/default.nix
index bf015c21..20d03f4e 100644
--- a/modules/services/data-access/default.nix
+++ b/modules/services/data-access/default.nix
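Review bot: `uid = 1001` on the readonly user is a cross-file contract — default.nix hands the key file to host uid `1001` by number — and nothing in this hunk says so; add `# uid is referenced numerically as the owner of readonly_authorized_keys in default.nix; keep both in sync` above it. The account is also a plain `isNormalUser` with a password and (by NixOS default) a login shell, so only the sshd `Match` block in the next hunk keeps it sftp-only; `shell = "${pkgs.shadow}/bin/nologin";` would be cheap defence in depth, since `internal-sftp` runs in-process without a shell (confirm on this release). If the daemon's `PasswordAuthentication` is enabled (not visible in this diff), the `passwordFile` turns a key-provisioned data account into a password-guessable network login; if the authorized key is the intended credential, consider dropping the password or disabling password auth inside the `Match` block.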
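Review bot: The `Match group sftponly` block forces `internal-sftp` but sets no `ChrootDirectory`, so a readonly session can still walk the whole container filesystem — the `/run/secrets` mount, `/etc`, and whatever the Unix modes allow under the other user's writable data mount — rather than just `/home/readonly/data`. Add `ChrootDirectory /home/readonly`, `PermitTTY no` and `PermitTunnel no` to the block; note sshd requires the chroot directory and every parent to be root-owned and not group/world-writable, so the home (created user-owned by `isNormalUser` in the previous hunk) would have to be made root-owned with only the `data` bind mount inside it. Directives after a `Match` line apply only within that match; the block is the last thing in `extraConfig` here, which is right, but confirm the generated sshd_config places nothing global after it.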
@@ -40,6 +40,10 @@
hostPath = "/srv/data";
isReadOnly = false;
};
+ "/home/readonly/data" = {
+ hostPath = "/srv/data";
+ isReadOnly = true;
+ };
"/run/secrets" = {
hostPath = "/run/data-access";
isReadOnly = true;
@@ -86,10 +90,22 @@
path = "/run/data-access/password_file";
symlink = false;
};
+ age.secrets."data-access/readonly_password_file" = {
+ file = ../../../secrets/data-access/readonly_password_file.age;
+ path = "/run/data-access/readonly_password_file";
+ symlink = false;
+ };
age.secrets."data-access/authorized_keys" = {
file = ../../../secrets/data-access/authorized_keys.age;
owner = "charlotte";
- path = "/run/data-access/authorized_keys";
+ path = "/run/data-access/data_authorized_keys";
+ symlink = false;
+ };
+ age.secrets."data-access/readonly_authorized_keys" = {
+ file = ../../../secrets/data-access/readonly_authorized_keys.age;
+ owner = "1001";
+ group = "65534";
+ path = "/run/data-access/readonly_authorized_keys";
symlink = false;
};
age.secrets."data-access/create_torrent" = {
diff --git a/secrets.nix b/secrets.nix
index 29c203fc..449ebeeb 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -82,5 +82,7 @@ in
"secrets/data-access/ssh_host_ed25519_key.pub.age".publicKeys = [ urithiru ] ++ users;
"secrets/data-access/authorized_keys.age".publicKeys = [ urithiru ] ++ users;
"secrets/data-access/password_file.age".publicKeys = [ urithiru ] ++ users;
+ "secrets/data-access/readonly_authorized_keys.age".publicKeys = [ urithiru ] ++ users;
+ "secrets/data-access/readonly_password_file.age".publicKeys = [ urithiru ] ++ users;
"secrets/data-access/create_torrent.age".publicKeys = [ urithiru ] ++ users;
}
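Review bot: The read-only property of this account rests entirely on `isReadOnly = true` of this one bind mount: the same `hostPath = "/srv/data"` is mounted writable a few lines above (that mount's target is outside the hunk), and because the sftp `Match` block in config.nix has no chroot, the readonly user can reach that writable mount as well, limited only by the file modes under `/srv/data`. Verify the tree is not group/world-writable, or chroot the account so that only `/home/readonly/data` is visible. A comment would spare the next reader the same analysis: `# read-only view of the tree mounted rw above; this flag is what makes the "readonly" account read-only`. The enclosing attribute set (presumably the container's bind-mount list) starts before this hunk.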
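Review bot: `owner = "1001"` and `group = "65534"` are bare numbers with no explanation, while the sibling secret just above uses `owner = "charlotte"`, so a reader will wonder why this one differs. Put `# "readonly" exists only inside the container (uid 1001 in config.nix); the host has no such user, so the id is numeric and must be kept in sync` on the owner line. This also presumes the container shares the host uid space (no private user namespace) — otherwise host uid 1001 is not the readonly user inside it — which is worth stating in the same comment if it is a deliberate assumption. sshd reads the file as that user and, with StrictModes, rejects it if group/world-writable; agenix's default mode presumably satisfies this, but an explicit `mode = "0400";` would make the requirement visible.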
diff --git a/secrets/data-access/readonly_authorized_keys.age b/secrets/data-access/readonly_authorized_keys.age new file mode 100644 index 0000000000000000000000000000000000000000..dc931377b0b87ee45930bdad68f353d1039514ef GIT binary patch literal 922 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCT)3`lcz3RK7sElPFF z4li{sE^*4raSRGADRhcRGBM0F(9ZNV4XCh;ayBwgbj_-$GT}-p2q^GQud>X~NXafU zH_i?=t2Fb^EG!Bz4-KzKt2C-|4>u|g3-d0^4n()D*s>_eB3&V(%+T8;vs}N}KQPD9 z!{6H}%hfN{GNY>8w=5+kC)vZzATuJ&xvIc8u$(Kg(6czyz_g+)BQra~!ztf0IUv}y z%GIU7xi~mABGSV(QQs^l%qQ3&EF0an%ET0tut0@0ZMU)vV?P&DQ#T(+x5&JblCV`uzMkx3a8SP#l=~x9l{?1%K$akzol(&3HIFv1iJNN9XItQy`?JSx;wi0Q zd6%zpwo9hno3?!B!8d2mM0lp5HHGWpXC)_J&*Ts(+p^KRa?FS8dxVp{MdYKc2kW-4j_MbYsIkZ{a(; z<{9pHfBt>}%Ommg$`OyQxYRMP|L`o=sr(30)(saHtuwoBWH@2|c}EV#Lx0!& zbSt{NOsTPGWu@5fe+GG5#8rvveA7*Hs1o2J;6( o=Q-rtKCd!9WAJNPkDJK#sI3dMy{A3+TDs_t^{?bQ>$|I20M(y&iU0rr literal 0 HcmV?d00001 diff --git a/secrets/data-access/readonly_password_file.age b/secrets/data-access/readonly_password_file.age new file mode 100644 index 0000000000000000000000000000000000000000..ad2caabb90599177e2dff1b46d23aa1d45d1c0c0 GIT binary patch literal 575 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCT)3`lcz3RI}@DsZ*% zEAmXw4vEUM4DfQzjtU4eG_a^BF$)YS@-h!j^(i+EiU_lCx8SmL2?{XOukb4_O)2zt zONlaz%5({_$gMIo$_vyEN{(`Niiq$`4ls{QG(fkl*s>_eB3+>>F)5(H-Py>^Slg(i z!qUkjFw`;IHQ6nzIJlxX)l%D{(6hX>IMOZ6wU{fg$ivUe-!Z~BGCi;&GB?dNKfBPW z!Z|P}#3J1>E59NwHzOe5FTKRjFB#po%ET0tus{V<^TIMu53f`g6W`1{(?UZ7mmu$S zGwrk_uiOfwfRLP=@QSM7)R2s+?Hq5zu;QYsveMFmAkz{vpU6P( z2)CSosBqT`i>j1BpFogp>bmJgsfop@3NBn;u7OqNiHQN>g+?A>u0@V1Muo}lrcoXt z9(hTwS>?Vy+CCwU>E+%PF1~&iu1UVBzM+Qxj$FFBx(WeaVJ^Nt`sNnNMI{z_sYV&O zg?<6vmPUmp<|YN91&+y?PEM|diQ(pEo?OwZpLEUWS)-)3U%qOsysUHs;~M?T*Xqyp zwH4_b$ds;Y<;~b$?$^Ee#a4C2l>dr%?K`G3?>3(2X)|Nz%{!mpEDf3PSnreN)_+=M nb6!8W{fXh8ytLMmv|YPb$Ovu>of-I`_L7TN8sp3V>(>APGS$i# literal 0 HcmV?d00001