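{ pkgs, ... }:
# SFTP-only drop target for a network scanner that logs in as "ads1700w".
# The scanner session is chrooted to /ads1700w; /ads1700w/scans is a bindfs
# view of a persisted syncthing folder with a uid mapping between the scanner
# account and the folder's owner, so nothing outside that folder is reachable.
{
  environment.systemPackages = [ pkgs.bindfs ];

  # sshd's ChrootDirectory requires every component of the chroot path to be
  # owned by root and not group/world writable; 0755 root:root satisfies that.
  # Subdirectories below it belong to the ads1700w user instead.
  systemd.tmpfiles.settings."10-ads1700w_home"."/ads1700w".d = {
    mode = "0755";
    user = "root";
    group = "root";
  };

  # bindfs view of the scans folder inside the chroot. "map=katja/ads1700w"
  # presents katja's files as owned by ads1700w and creates ads1700w's uploads
  # as katja on the persisted side (bindfs --map semantics). noCheck: a FUSE
  # mount has nothing for fsck to run on.
  fileSystems."/ads1700w/scans" = {
    device = "/nix/persist/home/katja/syncthing/Documents/scans";
    fsType = "fuse./run/current-system/sw/bin/bindfs";
    noCheck = true;
    options = [ "map=katja/ads1700w" ];
  };

  # Dedicated non-interactive account for the scanner: no usable shell and no
  # home directory, since every session is forced to internal-sftp and chrooted
  # below. Only the scanner's own key is authorised.
  users.users.ads1700w = {
    isNormalUser = true;
    createHome = false;
    shell = "${pkgs.coreutils}/bin/false";
    # NOTE(review): homeMode looks ineffective while createHome = false — confirm
    homeMode = "770";
    openssh.authorizedKeys.keys = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDP/DrM0GxPUf6nSAb/p4vXQQF1uZ8y7Ah/A5kKpBCE/WEuGp9TYFW/Iy7/Y7vN2jKoaJkDYTrjjYIJA0kY1v5KUfdBJDK0aR5paGfqoHau2ee2GgOdInhrmlrUvOR8jCj0kwCHZKgEdmkH6Tj4yRYw3GGjuOZbA/r2VECSk/4+bY7JyrdYbURrnVNA9Lar9YOoA5PBxTKXEsk4OkXny0XVTlyan5K2335O/qJfViyjwwdoWUJwCJ/FtJD6sSO6uEYe6X8DT3iHPnNP5So3CWUxwKfgOWCS6g43ysSpLJO68jyjNJjhVqAvyjCfOlCceitDGTZHay5LLdHe+jz+U9aT root@BR5CF370B9359C"
    ];
  };

  services.openssh = {
    # MACs and key exchange are negotiated before the user is known, so sshd
    # cannot scope them with "Match User"; the SHA-1 entries below therefore
    # apply server-wide. The blast radius is limited by AllowUsers: only the
    # scanner account can authenticate on this host at all.
    settings.Macs = [
      "hmac-sha2-512-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" "umac-128-etm@openssh.com" "hmac-sha2-512" "hmac-sha2-256" "umac-128@openssh.com"
      # needed by scanner
      "hmac-sha1"
    ];
    settings.KexAlgorithms = [
      "sntrup761x25519-sha512@openssh.com" "curve25519-sha256" "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256"
      # needed by scanner
      "diffie-hellman-group-exchange-sha1"
    ];
    # Nobody but the scanner account may log in over SSH.
    settings.AllowUsers = [ "ads1700w" ];
    # HostKeyAlgorithms is not permitted inside a Match block, so the ssh-rsa
    # host key signature the scanner needs must stay global. Acceptance of
    # ssh-rsa (SHA-1) client keys, however, is a Match-able setting and is
    # limited to the scanner user rather than every account.
    extraConfig = ''
      HostKeyAlgorithms=+ssh-rsa
      Match User ads1700w
        PubkeyAcceptedKeyTypes=+ssh-rsa
        ChrootDirectory /ads1700w
        X11Forwarding no
        AllowAgentForwarding no
        AllowTcpForwarding no
        PermitTunnel no
        ForceCommand internal-sftp
    '';
  };
}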