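# NixOS module: SFTP-only drop box for the "ads1700w" scanner account.
#
# The scanner logs in over SSH as user ads1700w, is chrooted into /ads1700w
# and is forced into internal-sftp. /ads1700w/scans is a bindfs view of
# katja's syncthing scans directory.
{ pkgs, ... }:
{
  environment.systemPackages = [ pkgs.bindfs ];

  # /ads1700w is the sshd ChrootDirectory below. sshd requires the chroot path
  # to be root-owned and not writable by group or others, hence root:root 0755;
  # its subdirectories are owned by the ads1700w user.
  systemd.tmpfiles.settings."10-ads1700w_home"."/ads1700w".d = {
    mode = "0755";
    user = "root";
    group = "root";
  };

  # bindfs mount: files owned by katja appear as owned by ads1700w inside the
  # chroot, and files the scanner creates end up owned by katja underneath.
  fileSystems."/ads1700w/scans" = {
    device = "/nix/persist/home/katja/syncthing/Documents/scans";
    fsType = "fuse./run/current-system/sw/bin/bindfs";
    noCheck = true; # FUSE view, nothing to fsck
    options = [ "map=katja/ads1700w" ];
  };

  users.users.ads1700w = {
    isNormalUser = true;
    createHome = false;
    # No login shell: the account is only usable through the forced
    # internal-sftp subsystem configured below.
    shell = "${pkgs.coreutils}/bin/false";
    homeMode = "770";
    openssh.authorizedKeys.keys = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDP/DrM0GxPUf6nSAb/p4vXQQF1uZ8y7Ah/A5kKpBCE/WEuGp9TYFW/Iy7/Y7vN2jKoaJkDYTrjjYIJA0kY1v5KUfdBJDK0aR5paGfqoHau2ee2GgOdInhrmlrUvOR8jCj0kwCHZKgEdmkH6Tj4yRYw3GGjuOZbA/r2VECSk/4+bY7JyrdYbURrnVNA9Lar9YOoA5PBxTKXEsk4OkXny0XVTlyan5K2335O/qJfViyjwwdoWUJwCJ/FtJD6sSO6uEYe6X8DT3iHPnNP5So3CWUxwKfgOWCS6g43ysSpLJO68jyjNJjhVqAvyjCfOlCceitDGTZHay5LLdHe+jz+U9aT root@BR5CF370B9359C"
    ];
  };

  services.openssh = {
    # MACs, KexAlgorithms and HostKeyAlgorithms are negotiated before sshd
    # knows the user name, so they cannot be placed under "Match User". The
    # SHA-1 entries are therefore offered to every client that connects, not
    # only to the scanner. Drop them once the scanner no longer needs them.
    settings.Macs = [
      "hmac-sha2-512-etm@openssh.com"
      "hmac-sha2-256-etm@openssh.com"
      "umac-128-etm@openssh.com"
      "hmac-sha2-512"
      "hmac-sha2-256"
      "umac-128@openssh.com"
      # needed by scanner
      "hmac-sha1"
    ];
    settings.KexAlgorithms = [
      "sntrup761x25519-sha512@openssh.com"
      "curve25519-sha256"
      "curve25519-sha256@libssh.org"
      "diffie-hellman-group-exchange-sha256"
      # needed by scanner
      "diffie-hellman-group-exchange-sha1"
    ];

    # Only the scanner account may log in over SSH from this module's point of
    # view. NOTE(review): list options merge across NixOS modules, so confirm
    # the effective AllowUsers in the generated sshd_config.
    settings.AllowUsers = [ "ads1700w" ];

    # ssh-rsa (RSA with SHA-1 signatures) is re-enabled for the scanner:
    #  - HostKeyAlgorithms has to stay global (see above).
    #  - PubkeyAcceptedKeyTypes is accepted inside a Match block, so it is
    #    scoped to ads1700w instead of being enabled for every account.
    #    Newer OpenSSH releases call this option PubkeyAcceptedAlgorithms.
    #
    # A Match block runs until the next Match line or the end of the file.
    # NOTE(review): extraConfig from other modules is concatenated into the
    # same file; a global directive appended after this text would end up
    # inside the block. Check the generated sshd_config.
    extraConfig = ''
      HostKeyAlgorithms=+ssh-rsa
      Match User ads1700w
        PubkeyAcceptedKeyTypes +ssh-rsa
        ChrootDirectory /ads1700w
        X11Forwarding no
        AllowAgentForwarding no
        AllowTcpForwarding no
        PermitTunnel no
        ForceCommand internal-sftp
    '';
  };
}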