From 0b87d62f7ad2368d3fa83afea31714c3bde17f3f Mon Sep 17 00:00:00 2001
From: Infinidoge
Date: Sun, 23 Jun 2024 00:36:11 -0400
Subject: [PATCH] Infini-DL360: add incoming chroot user

---
 hosts/Infini-DL360/default.nix | 25 +++++++++++++++++++++++++
 modules/global/ssh.nix | 1 +
 users/infinidoge/default.nix | 1 +
 3 files changed, 27 insertions(+)

diff --git a/hosts/Infini-DL360/default.nix b/hosts/Infini-DL360/default.nix
index 580719c..6aef8f4 100644
--- a/hosts/Infini-DL360/default.nix
+++ b/hosts/Infini-DL360/default.nix
@@ -111,4 +111,29 @@
 ${tmux} -S /run/minecraft/sister-server.sock send-keys "say Backup complete" Enter
 '';
 };
+
+ users.users.incoming = {
+ description = "User for incoming files with a chroot jail";
+ isSystemUser = true;
+ group = "incoming";
+ };
+ users.groups.incoming = { };
+
+ systemd.tmpfiles.settings."30-external" = {
+ "/srv/external".d = { user = "root"; group = "root"; };
+ "/srv/external/incoming".d = { user = "incoming"; group = "incoming"; mode = "0770"; };
+ };
+
+ # https://enotacoes.wordpress.com/2021/10/05/limiting-user-to-sshfs-or-sftp-of-one-directory-only/
+ # https://github.com/NixOS/nixpkgs/blob/d603719ec6e294f034936c0d0dc06f689d91b6c3/nixos/modules/services/networking/ssh/sshd.nix#L663
+ services.openssh.extraConfig = ''
+ Match user incoming
+ AuthorizedKeysFile /etc/ssh/authorized_keys.d/infinidoge /etc/ssh/authorized_keys.d/%u
+ ChrootDirectory /srv/external
+ ForceCommand ${config.services.openssh.sftpServerExecutable} -d incoming -u 007
+ X11Forwarding no
+ AllowTcpForwarding no
+ KbdInteractiveAuthentication no
+ PasswordAuthentication no
+ '';
 }
diff --git a/modules/global/ssh.nix b/modules/global/ssh.nix
index 9443061..9d55b40 100644
--- a/modules/global/ssh.nix
+++ b/modules/global/ssh.nix
@@ -5,6 +5,7 @@ with lib;
 services.openssh = {
 enable = true;
 openFirewall = mkDefault true;
+ sftpServerExecutable = "internal-sftp";
 settings = {
 X11Forwarding = mkDefault false;
 GatewayPorts = mkDefault "yes";
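Review bot: `AllowTcpForwarding no` in the `Match user incoming` block only switches off TCP forwarding; agent, tunnel and Unix-socket (StreamLocal) forwarding stay at sshd's defaults, so the chrooted account can still request those channels even though its session is forced into `internal-sftp`. Replacing that line with `DisableForwarding yes`, adding `PermitTTY no`, and closing the block with a final `Match all` line covers all forwarding types in one directive and also stops anything another module appends to `services.openssh.extraConfig` later from being silently scoped to the `incoming` user, since sshd applies every directive after a `Match` to that match until the next `Match`. `ChrootDirectory /srv/external` is only accepted by sshd while that directory is root-owned and not group- or world-writable, which the tmpfiles rule's default mode presumably satisfies; a comment on that rule such as `# must stay root-owned and not group/world-writable: sshd refuses the chroot otherwise` records the invariant next to the thing that could break it, and `-u 007` deserves a note that uploads land as 0660/0770 so members of the incoming group can read them. The enclosing module attribute set begins before this hunk.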
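Review bot: `sftpServerExecutable = "internal-sftp";` is set unconditionally in the global module, so every host importing it switches from the external sftp-server binary to sshd's in-process SFTP, and nothing in the hunk says why. Presumably the reason is the chroot jail added on Infini-DL360, where an external binary would have to exist inside the jail; a comment such as `# in-process SFTP: needed for ChrootDirectory jails, which cannot exec an external sftp-server` keeps the next reader from reverting it as an unrelated change. The `services.openssh` attribute set continues outside the hunk.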
diff --git a/users/infinidoge/default.nix b/users/infinidoge/default.nix
index 6970b72..9424e0d 100644
--- a/users/infinidoge/default.nix
+++ b/users/infinidoge/default.nix
@@ -120,6 +120,7 @@ in
 "docker"
 "factorio"
 "forgejo"
+ "incoming"
 "jellyfin"
 "libvirtd"
 "minecraft"