45 lines
1.3 KiB
Nix
45 lines
1.3 KiB
Nix
{ pkgs, ... }:
|
|
|
|
{
|
|
users.users.data = {
|
|
isNormalUser = true;
|
|
home = "/home/data";
|
|
description = "Data Access";
|
|
uid = 1000;
|
|
group = "users";
|
|
passwordFile = "/run/secrets/password_file";
|
|
};
|
|
users.users.readonly = {
|
|
isNormalUser = true;
|
|
home = "/home/readonly";
|
|
description = "Readonly data access";
|
|
uid = 1001;
|
|
group = "sftponly";
|
|
passwordFile = "/run/secrets/readonly_password_file";
|
|
};
|
|
users.groups.sftponly = { gid = 10000; };
|
|
environment.systemPackages = [ pkgs.rsync pkgs.mktorrent (pkgs.writeShellScriptBin "create_torrent" ". /run/secrets/create_torrent") ];
|
|
security.sudo.enable = false;
|
|
services.openssh = {
|
|
enable = true;
|
|
hostKeys = [
|
|
{ bits = 4096; path = "/run/secrets/ssh_host_rsa_key"; type = "rsa"; }
|
|
{ path = "/run/secrets/ssh_host_ed25519_key"; type = "ed25519"; }
|
|
];
|
|
settings = {
|
|
HostKeyAlgorithms = "+ssh-rsa";
|
|
PermitRootLogin = "no";
|
|
};
|
|
extraConfig = ''
|
|
Match group sftponly
|
|
X11Forwarding no
|
|
AllowTcpForwarding no
|
|
AllowAgentForwarding no
|
|
ForceCommand internal-sftp
|
|
Match user data
|
|
PasswordAuthentication no
|
|
KbdInteractiveAuthentication no
|
|
'';
|
|
authorizedKeysFiles = [ "/run/secrets/%u_authorized_keys" ];
|
|
};
|
|
}
|