-rw-r--r--configs/ssh-pubkeys.toml3
-rw-r--r--hosts/tahoe/default.nix17
-rw-r--r--hosts/tahoe/services.nix8
3 files changed, 21 insertions, 7 deletions
diff --git a/configs/ssh-pubkeys.toml b/configs/ssh-pubkeys.toml
index df9bb25..6f9c980 100644
--- a/configs/ssh-pubkeys.toml
+++ b/configs/ssh-pubkeys.toml
@@ -8,3 +8,6 @@ work="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINSWhXmnUplM+xltD0sYiJ6AsjkwHvbjTYLA7G
 ykey-laptop="sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGX4+CuUjiX6Doi4n6RqmznzFUyRrxKhEFvuIxROzXDKAAAABHNzaDo="
 ykey-keyring="sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDnU4Xd8bElZYVWDbknlIgskR/q7ORrbvO0FLnJMQX+eAAAABHNzaDo="
 ykey-backup="sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINEGiZpKcXQtB7P7k5puV5OAeMlnB7qRLm+HRI5/OKTbAAAABHNzaDo="
+
+# this key is used to perform backups
+restic="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB/0b3IjqeCHQ+b4qZoptrmG/twV4Zj4BIH1yl7Y5cW9"
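Review bot: The comment above `restic` says what the key does but not which client holds its private half, and after this change the TOML file is the only place the key is named (the inline copy in hosts/tahoe/default.nix is dropped in the same commit). For rotation and incident response the holder matters more than the purpose, so a comment such as `# restic backup key; private half lives on <client host>, rotate there and here together` would be more useful. The actual client host is not visible in this diff, so that placeholder needs filling in by the author.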
diff --git a/hosts/tahoe/default.nix b/hosts/tahoe/default.nix
index b605ba9..f31135b 100644
--- a/hosts/tahoe/default.nix
+++ b/hosts/tahoe/default.nix
@@ -1,5 +1,7 @@
 { config, pkgs, hostname, ... }:
-
+let
+  sshPub = builtins.fromTOML (builtins.readFile ../../configs/ssh-pubkeys.toml);
+in
 {
   imports = [ ./boot.nix ./hardware.nix ./networking.nix ./services.nix ];
 
@@ -10,14 +12,15 @@
     isSystemUser = true;
   };
 
-  # Backup user
-  users.users.fcunybackup = {
+  # a user used only for backups
+  users.users.backup = {
     createHome = false;
-    group = "users";
-    home = "/data/slow/backups/users/fcuny";
+    uid = 991;
     isSystemUser = true;
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB/0b3IjqeCHQ+b4qZoptrmG/twV4Zj4BIH1yl7Y5cW9"
+    group = "users";
+    home = "/data/slow/backups/hosts";
+    openssh.authorizedKeys.keys = with sshPub; [
+      restic
     ];
   };
 
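Review bot: The new dedicated `backup` system user is placed in the shared `users` group (`group = "users";`), so everything it writes is group-accessible to every interactive account and it in turn gets group access to their files; a user that exists only to receive backups should have its own group, `group = "backup";` together with `users.groups.backup = {};`. The pinned `uid = 991;` carries no explanation — presumably it is fixed so that files already under /data/slow/backups keep their owner across the rename from `fcunybackup` and future rebuilds, but nothing in the hunk says so; a comment like `# fixed uid so existing backup files keep their owner across rebuilds/renames` would preserve the intent. Note that `createHome = false` combined with the new `home = "/data/slow/backups/hosts"` means nothing here creates that directory, which matters because services.nix uses it as an sshd ChrootDirectory.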
diff --git a/hosts/tahoe/services.nix b/hosts/tahoe/services.nix
index d497f82..4010094 100644
--- a/hosts/tahoe/services.nix
+++ b/hosts/tahoe/services.nix
@@ -80,4 +80,12 @@ in
 
     sendsms.enable = true;
   };
+
+  services.openssh.sftpServerExecutable = "internal-sftp";
+  services.openssh.extraConfig = ''
+    Match User backup
+      ChrootDirectory ${config.users.users.backup.home}
+      ForceCommand internal-sftp
+      AllowTcpForwarding no
+  '';
 }
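Review bot: `ChrootDirectory ${config.users.users.backup.home}` points at the user's own home, but sshd requires every component of a chroot path to be a root-owned directory not writable by any other user or group, so the `backup` user cannot write into the chroot root itself and, unless /data/slow/backups/hosts is prepared elsewhere, the SFTP session will either be refused or land in a read-only tree. Nothing in this commit creates the directory (`createHome = false` in default.nix), so a `systemd.tmpfiles.rules` entry that makes the root-owned chroot plus a writable subdirectory for the user would make the layout explicit and reproducible. The `Match` block could also close the remaining channel types that `ForceCommand internal-sftp` does not address by itself — `AllowAgentForwarding no`, `X11Forwarding no`, `PermitTunnel no`, `PermitTTY no` — so the account's surface is limited to the SFTP subsystem. The global `sftpServerExecutable = "internal-sftp"` is not needed for this user because of the ForceCommand, but it is harmless.
```nix
  # sshd requires every component of the chroot path to be root-owned and not
  # writable by anyone else, so the backup user gets a writable subdirectory
  systemd.tmpfiles.rules = [
    "d ${config.users.users.backup.home} 0755 root root -"
    "d ${config.users.users.backup.home}/data 0750 backup ${config.users.users.backup.group} -"
  ];

  services.openssh.extraConfig = ''
    Match User backup
      # … unchanged: ChrootDirectory, ForceCommand, AllowTcpForwarding …
      AllowAgentForwarding no
      X11Forwarding no
      PermitTunnel no
      PermitTTY no
  '';
```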