allow sftp

hosts/ds9/default.nix

@@ -51,11 +51,19 @@ in
 
   };
 
+  services.openssh.sftpServerExecutable = "internal-sftp";
+  services.openssh.extraConfig = ''
+    Match User picardbackup
+      ChrootDirectory ${config.users.users.picardbackup.home}
+      ForceCommand internal-sftp
+      AllowTcpForwarding no
+  '';
+
   # Backup Target
   users.users.picardbackup = {
     createHome = true;
     group = "users";
-    home = "/backups/picard";
+    home = "/backups/restic/picard";
     isSystemUser = true;
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHvCF8KGgpF9O8Q7k+JXqZ5eMeEeTaMhCIk/2ZFOzXL0"

hosts/picard/default.nix

@@ -56,7 +56,7 @@
       "--keep-yearly 75"
     ];
     initialize = true;
-    repository = "sftp:ds9:/backups/picard/restic";
+    repository = "sftp:picardbackup@ds9:/restic";
     paths = [
       "/persistent"
     ];

nixos-modules/system/security.nix

@@ -12,7 +12,7 @@ in
     security.sudo.execWheelOnly = true;
     services.openssh = {
       passwordAuthentication = false;
-      allowSFTP = false; # just use rsync, lol
+      allowSFTP = true; # just use rsync, lol
       kbdInteractiveAuthentication = false;
       extraConfig = ''
         AllowTcpForwarding yes