| author | Franck Cuny <franck@fcuny.net> | 2023-04-23 19:07:47 -0700 |
|---|---|---|
| committer | Franck Cuny <franck@fcuny.net> | 2023-04-29 15:02:32 -0700 |
| commit | f7dc8afeb2ca3bd80984d2b9f7d2a1862f2d116b (patch) | |
| tree | a03a833f75c1def5477644d9735bc3d6aa6b884b /hosts/tahoe/services.nix | |
| parent | hosts/aptos: do backups over sftp with a dedicated ssh key (diff) | |
| download | infra-f7dc8afeb2ca3bd80984d2b9f7d2a1862f2d116b.tar.gz | |
hosts/tahoe: rename account for backup and enable sftp for it
The dedicated account for backup should be named 'backup', as it's more
generic.
While it's a system account, I still need to be able to log in to the host
remotely with sftp, so we give it a UID (991).
The account needs to be able to sftp to tahoe in order to store the
backups from remote hosts. However, we don't want this user to get a
shell and be able to browse the host, so we configure sshd to chroot the
user to where the backups are stored.
Diffstat (limited to 'hosts/tahoe/services.nix')
| -rw-r--r-- | hosts/tahoe/services.nix | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/hosts/tahoe/services.nix b/hosts/tahoe/services.nix index d497f82..4010094 100644 --- a/hosts/tahoe/services.nix +++ b/hosts/tahoe/services.nix @@ -80,4 +80,12 @@ in sendsms.enable = true; }; + + services.openssh.sftpServerExecutable = "internal-sftp"; + services.openssh.extraConfig = '' + Match User backup + ChrootDirectory ${config.users.users.backup.home} + ForceCommand internal-sftp + AllowTcpForwarding no + ''; } |
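Review bot: the `ChrootDirectory ${config.users.users.backup.home}` line will only work if that directory is owned by root and not group- or world-writable; sshd rejects the login otherwise ("bad ownership or modes for chroot directory"), and a home directory owned by the backup user itself would trip this. Either make the home root-owned and give the backup user a writable subdirectory inside it for the actual backup data, or point `ChrootDirectory` at a root-owned parent. The Match block also only restricts TCP forwarding; since the message's goal is that this user gets no shell and cannot browse the host, it is worth adding `PermitTTY no`, `X11Forwarding no` and `AllowAgentForwarding no` next to `AllowTcpForwarding no`. Finally, because `ForceCommand internal-sftp` already pins the session to the in-process SFTP server, the separate `services.openssh.sftpServerExecutable = "internal-sftp"` setting is redundant for this user and changes the SFTP subsystem for every other user too; if that global change is intended, the commit message should say so.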
