From 9cbc3af51aed9db9ed564da27988e59c40e6a004 Mon Sep 17 00:00:00 2001
From: Infinidoge
Date: Thu, 18 Jul 2024 18:20:56 -0400
Subject: [PATCH] Infini-DL360: add ssh jump user
---
 hosts/Infini-DL360/default.nix | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/hosts/Infini-DL360/default.nix b/hosts/Infini-DL360/default.nix
index 6c781bb..cbd046a 100644
--- a/hosts/Infini-DL360/default.nix
+++ b/hosts/Infini-DL360/default.nix
@@ -123,6 +123,12 @@
 };
 users.groups.incoming = { };
 
+ users.users.jump = {
+ description = "User for ssh jumping";
+ isSystemUser = true;
+ group = "nogroup";
+ };
+
 systemd.tmpfiles.settings."30-external" = {
 "/srv/external".d = { user = "root"; group = "root"; };
 "/srv/external/incoming".d = { user = "incoming"; group = "incoming"; mode = "0770"; };
@@ -139,5 +145,14 @@
 AllowTcpForwarding no
 KbdInteractiveAuthentication no
 PasswordAuthentication no
+
+ Match user jump
+ AuthorizedKeysFile /etc/ssh/authorized_keys.d/infinidoge /etc/ssh/authorized_keys.d/%u
+ ForceCommand ${pkgs.shadow}/bin/nologin
+ PermitTTY no
+ X11Forwarding no
+ PermitTunnel no
+ GatewayPorts no
+ PasswordAuthentication no
 '';
 }
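Review bot: `group = "nogroup"` in the new `users.users.jump` block puts an SSH-reachable account into a catch-all group that any other account or service falling back to it also shares, so anything group-owned by `nogroup` becomes common ground between them. A dedicated group, declared as `users.groups.jump = { };` in the same way as `users.groups.incoming` just above and referenced with `group = "jump";`, keeps the account isolated. A short comment on the block, for example `# Forwarding-only account; login restrictions live in the "Match user jump" section of the sshd config`, would tell the next reader where the account's real policy is defined.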
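Review bot: The `Match user jump` block never sets `AllowTcpForwarding`, so what this account may forward is decided by configuration outside the hunk; the `AllowTcpForwarding no` context line above may belong to an earlier Match block or to the global section, and the enclosing string starts before the hunk, so this cannot be confirmed from here. If the effective value is the default `yes`, a holder of an accepted key can also request remote forwards and can open connections to every host and port the server can reach, including services bound to its loopback interface. Stating the intent inside the block with `AllowTcpForwarding local` and `AllowAgentForwarding no`, and narrowing destinations with `PermitOpen <host>:<port>` (placeholder for the intended targets), limits the account to the hops it is meant for. The `AuthorizedKeysFile` line also accepts every key listed for `infinidoge`, which deserves a `#` comment in the sshd snippet if that coupling is intended.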