machines: back: add restricted backup user

Signed-off-by: Christoph Heiss <christoph@c8h4.io>
2023-12-28 14:54:02 +01:00 · 2023-12-28 14:54:02 +01:00 · a964cac3d5
parent b5fc45aacc
commit a964cac3d5
1 changed files with 14 additions and 0 deletions
--- a/machines/back.nix
+++ b/machines/back.nix
@ -101,4 +101,18 @@
    device = "/dev/md0";
    fsType = "vfat";
  };
+
+  users.users.backup = {
+    isNormalUser = true;
+    uid = 2000;
+    createHome = false;
+    openssh.authorizedKeys.keys = let
+      restrictCmd =
+        ''command="${pkgs.rrsync}/bin/rrsync -wo -no-del /tank/",restrict'';
+    in [
+      "${restrictCmd} ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAO9LOBcl04ddGijyDSuUXH47Qt6TZISUDwDr1wrm+Ou tank.c8h4.io"
+    ];
+  };
+
+  services.openssh.settings.AllowUsers = [ "backup" ];
 }