authorFranck Cuny <franck@fcuny.net>2023-04-23 19:07:47 -0700
committerFranck Cuny <franck@fcuny.net>2023-04-29 15:02:32 -0700
commitf7dc8afeb2ca3bd80984d2b9f7d2a1862f2d116b (patch)
treea03a833f75c1def5477644d9735bc3d6aa6b884b /hosts/tahoe
parenthosts/aptos: do backups over sftp with a dedicated ssh key (diff)
hosts/tahoe: rename account for backup and enable sftp for it
The dedicated account for backup should be named 'backup', as it's more generic. While it's a system account, I still need to be able to log in to the host remotely with sftp, so we give it a UID (991). The account needs to be able to sftp to tahoe in order to store the backups from remote hosts. However, we don't want this user to get a shell and be able to browse the host, so we configure sshd to chroot the user to where the backups are stored.
Diffstat (limited to 'hosts/tahoe')
-rw-r--r--hosts/tahoe/default.nix17
-rw-r--r--hosts/tahoe/services.nix8
2 files changed, 18 insertions, 7 deletions
diff --git a/hosts/tahoe/default.nix b/hosts/tahoe/default.nix
index b605ba9..f31135b 100644
--- a/hosts/tahoe/default.nix
+++ b/hosts/tahoe/default.nix
@@ -1,5 +1,7 @@
{ config, pkgs, hostname, ... }:
-
+let
+ sshPub = builtins.fromTOML (builtins.readFile ../../configs/ssh-pubkeys.toml);
+in
{
imports = [ ./boot.nix ./hardware.nix ./networking.nix ./services.nix ];
@@ -10,14 +12,15 @@
isSystemUser = true;
};
- # Backup user
- users.users.fcunybackup = {
+ # a user used only for backups
+ users.users.backup = {
createHome = false;
- group = "users";
- home = "/data/slow/backups/users/fcuny";
+ uid = 991;
isSystemUser = true;
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB/0b3IjqeCHQ+b4qZoptrmG/twV4Zj4BIH1yl7Y5cW9"
+ group = "users";
+ home = "/data/slow/backups/hosts";
+ openssh.authorizedKeys.keys = with sshPub; [
+ restic
];
};
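Review bot: `group = "users"` keeps the sftp-only account in the same primary group as the interactive users on this host, so anything group-readable under the backup tree is visible to them and anything they leave group-readable is visible to `backup`; a dedicated group is the least-privilege form, `users.groups.backup = { };` together with `group = "backup";`. The fixed `uid = 991;` is unexplained in the code and only the commit message says why it exists; a comment such as `# fixed uid: system account that must still log in over sftp` would keep that reason next to the setting. With `createHome = false` nothing in this hunk creates `/data/slow/backups/hosts`, so the directory has to exist with the ownership sshd expects for a chroot before the first backup runs. The enclosing `users.users` attribute set continues outside the hunk.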
diff --git a/hosts/tahoe/services.nix b/hosts/tahoe/services.nix
index d497f82..4010094 100644
--- a/hosts/tahoe/services.nix
+++ b/hosts/tahoe/services.nix
@@ -80,4 +80,12 @@ in
sendsms.enable = true;
};
+
+ services.openssh.sftpServerExecutable = "internal-sftp";
+ services.openssh.extraConfig = ''
+ Match User backup
+ ChrootDirectory ${config.users.users.backup.home}
+ ForceCommand internal-sftp
+ AllowTcpForwarding no
+ '';
}
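Review bot: `ChrootDirectory ${config.users.users.backup.home}` points at the account's own home, but sshd only accepts a chroot whose directory and every parent are owned by root and writable by nobody else, so `backup` cannot write directly into `/data/slow/backups/hosts`; the remote hosts need a backup-owned subdirectory below the chroot, and nothing in the commit creates either directory with that ownership. The `Match User backup` block closes TCP forwarding but leaves the other session features that remain usable alongside `ForceCommand internal-sftp`, so adding `AllowAgentForwarding no`, `X11Forwarding no` and `PermitTunnel no` under the same Match would complete the lockdown. Note also that a Match block applies to every directive after it until the next Match, so anything appended to `extraConfig` later in this file would silently land inside it.
```nix
  # chroot root must be root-owned and not writable by backup; uploads go
  # into the backup-owned subdirectory below it
  systemd.tmpfiles.rules = [
    "d /data/slow/backups/hosts 0755 root root -"
    "d /data/slow/backups/hosts/repos 0700 backup users -"
  ];
  # … unchanged: sftpServerExecutable and the Match User backup block …
```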