oignon: nftables: open 8776 for radicle-node

[julm/julm-nix.git] / hosts / aubergine / sftp.nix

{ pkgs, lib, ... }:
let
  sftpRoot = "/var/lib/sftp";
in
{
  systemd.mounts = [
    {
      where = "${sftpRoot}/films";
      type = "none";
      what = "/mnt/off3/julm/public/podcasts/films";
      options = "bind,rw,noauto";
      requires = [ "zfs-import@off3.service" ];
      after = [
        "zfs-import@off3.service"
        "zfs-mount.service"
        "var-lib-sftp.mount"
        "mnt-off3-julm-public-podcasts.mount"
      ];
      #bindsTo = [ "mnt-off3-julm-public-podcasts.mount" ];
      unitConfig = {
        #AssertDirectoryNotEmpty = "/mnt/off3/julm/public/podcasts/films";
      };
    }
  ];
  systemd.automounts = [
    {
      where = "${sftpRoot}/films";
      wantedBy = [ "zfs-mount.service" ];
      after = [ "zfs-mount.service" "var-lib-sftp.mount" ];
      #automountConfig.TimeoutIdleSec = "5 min";
    }
  ];
  fileSystems."${sftpRoot}/camera" = {
    device = "/mnt/off2/julm/perso/camera";
    options = [ "bind" "ro" "noauto" ];
  };
  services.openssh.extraConfig = ''
    Match User sevy
      AllowAgentForwarding no
      AllowTcpForwarding no
      ChrootDirectory ${sftpRoot}
      ForceCommand internal-sftp -u 0002
      X11Forwarding no
  '';

  services.udev.extraRules = ''
    SUBSYSTEM=="block", KERNEL=="sd*", ENV{ID_SERIAL}=="TOSHIBA_MK6459GSXP_519DC07HT", \
      ACTION=="add", ENV{SYSTEMD_WANTS}+="zfs-import@off3.service"
    SUBSYSTEM=="block", KERNEL=="sd*", ENV{ID_SERIAL}=="TOSHIBA_MK6459GSXP_519DC07HT", \
      ACTION=="remove", RUN+="${pkgs.systemd}/bin/systemctl stop --no-block zfs-import@off3.service"
  '';
}