Infini-DL360: add incoming chroot user

2024-06-23 00:36:11 -04:00 · 2024-06-23 00:36:11 -04:00 · 0b87d62f7a
commit 0b87d62f7a
parent c8752ac2fb
3 changed files with 27 additions and 0 deletions
--- a/hosts/Infini-DL360/default.nix
+++ b/hosts/Infini-DL360/default.nix
@ -111,4 +111,29 @@
      ${tmux} -S /run/minecraft/sister-server.sock send-keys "say Backup complete" Enter
    '';
  };
+
+  users.users.incoming = {
+    description = "User for incoming files with a chroot jail";
+    isSystemUser = true;
+    group = "incoming";
+  };
+  users.groups.incoming = { };
+
+  systemd.tmpfiles.settings."30-external" = {
+    "/srv/external".d = { user = "root"; group = "root"; };
+    "/srv/external/incoming".d = { user = "incoming"; group = "incoming"; mode = "0770"; };
+  };
+
+  # https://enotacoes.wordpress.com/2021/10/05/limiting-user-to-sshfs-or-sftp-of-one-directory-only/
+  # https://github.com/NixOS/nixpkgs/blob/d603719ec6e294f034936c0d0dc06f689d91b6c3/nixos/modules/services/networking/ssh/sshd.nix#L663
+  services.openssh.extraConfig = ''
+    Match user incoming
+      AuthorizedKeysFile /etc/ssh/authorized_keys.d/infinidoge /etc/ssh/authorized_keys.d/%u
+      ChrootDirectory /srv/external
+      ForceCommand ${config.services.openssh.sftpServerExecutable} -d incoming -u 007
+      X11Forwarding no
+      AllowTcpForwarding no
+      KbdInteractiveAuthentication no
+      PasswordAuthentication no
+  '';
 }
--- a/modules/global/ssh.nix
+++ b/modules/global/ssh.nix
@ -5,6 +5,7 @@ with lib;
  services.openssh = {
    enable = true;
    openFirewall = mkDefault true;
+    sftpServerExecutable = "internal-sftp";
    settings = {
      X11Forwarding = mkDefault false;
      GatewayPorts = mkDefault "yes";
--- a/users/infinidoge/default.nix
+++ b/users/infinidoge/default.nix
@ -120,6 +120,7 @@ in
      "docker"
      "factorio"
      "forgejo"
+      "incoming"
      "jellyfin"
      "libvirtd"
      "minecraft"