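# NixOS module: chrooted, SFTP-only access for the user `sevy`.
#
# Two existing directories are bind-mounted read-only under the chroot, and an
# sshd `Match` block confines the account to the in-process SFTP server.
{ lib, ... }:
let
  # Root of the SFTP chroot. sshd refuses a ChrootDirectory unless every
  # component of the path is owned by root and not writable by group or
  # others. This file does not create the directory or set its ownership.
  # NOTE(review): confirm that is handled elsewhere in the configuration.
  sftpRoot = "/var/lib/sftp";
in
{
  # Read-only bind mounts exposed inside the chroot.
  # "nofail" keeps boot from failing when the backing disk is absent.
  fileSystems."${sftpRoot}/films" = {
    device = "/mnt/off3/julm/public/podcasts/films";
    options = [ "bind" "ro" "nofail" ];
  };
  fileSystems."${sftpRoot}/camera" = {
    device = "/mnt/off2/julm/perso/camera";
    options = [ "bind" "ro" "nofail" ];
  };

  # Per-user sshd restrictions.
  #
  # ForceCommand only replaces the session command; forwarding channels are
  # opened independently of it, so each forwarding type is disabled explicitly.
  # AllowTcpForwarding does not cover Unix-domain socket forwarding, hence
  # AllowStreamLocalForwarding is disabled as well; PermitTunnel is pinned to
  # "no" so a global setting cannot enable tun(4) forwarding for this user.
  #
  # `-u 0002` sets the umask used by internal-sftp. Both mounts visible here
  # are read-only, so it only matters if a writable directory is later added
  # under the chroot.
  #
  # NOTE(review): a Match block extends to the next Match line or the end of
  # sshd_config. extraConfig is merged from all modules, so any global option
  # that ends up after this text would fall inside the block. Verify the
  # merge order, or wrap this definition in lib.mkAfter.
  services.openssh.extraConfig = ''
    Match User sevy
      AllowAgentForwarding no
      AllowStreamLocalForwarding no
      AllowTcpForwarding no
      ChrootDirectory ${sftpRoot}
      ForceCommand internal-sftp -u 0002
      PermitTunnel no
      X11Forwarding no
  '';
}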